ubuntu/+source/keystone:ubuntu/quantal-security

Last commit made on 2013-11-25
Get this branch:
git clone -b ubuntu/quantal-security https://git.launchpad.net/ubuntu/+source/keystone

Branch information

Name:
ubuntu/quantal-security
Repository:
lp:ubuntu/+source/keystone

Recent commits

a065e65... by Jamie Strandboge on 2013-11-05

Import patches-unapplied version 2012.2.4-0ubuntu3.3 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: 28f20aaeb55e1359bc517e90f9dc67cb6042c862

New changelog entries:
  * SECURITY UPDATE: don't add role when attempting to remove a non-existent
    role
    - debian/patches/CVE-2013-4477.patch: raise RoleNotFound with exception
      ldap.NO_SUCH_OBJECT
    - CVE-2013-4477
    - LP: #1242855

28f20aa... by Jamie Strandboge on 2013-10-22

Import patches-unapplied version 2012.2.4-0ubuntu3.2 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: 5ebe065bda194c0aee894f9a77e6c58f88d3ab2e

New changelog entries:
  * SECURITY UPDATE: revoke user tokens when disabling/delete a project
    - debian/patches/CVE-2013-4222.patch: add _delete_tokens_for_project() to
      common/controller.py and use it in identity/controllers.py
      (LP: #1179955)
    - CVE-2013-4222
  * SECURITY UPDATE: fix and test token revocation list API
    - debian/patches/CVE-2013-4294.patch: fix token matching for memcache
      backend token revocation (LP: #1202952)
    - CVE-2013-4294

5ebe065... by Jamie Strandboge on 2013-06-13

Import patches-unapplied version 2012.2.4-0ubuntu3.1 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: 4c79dcb114d55888d5a9c4979db50b60faacccc8

New changelog entries:
  * SECURITY UPDATE: fix auth_token middleware neglects to check expiry of
    signed token when using PKI
    - debian/patches/CVE-2013-2104.patch: explicitly check the expiry on the
      tokens, and reject tokens that have expired. Also update test data
    - CVE-2013-2104
    - LP: #1179615
  * debian/patches/fix-testsuite-for-2038-problem.patch: Adjust json example
    cert data to use 2037 instead of 2112 and regenerate the certs. Also
    adjust token expiry data to use 2037 instead of 2999.
  * SECURITY UPDATE: fix authentication bypass when using LDAP backend
    - debian/patches/CVE-2013-2157.patch: identity/backends/ldap/core.py is
      adjusted to raise an assertion for invalid password when using LDAP and
      an empty password is submitted
    - CVE-2013-2157
    - LP: #1187305

4c79dcb... by James Page on 2013-05-29

Import patches-unapplied version 2012.2.4-0ubuntu3 to ubuntu/quantal-proposed

Imported using git-ubuntu import.

Changelog parent: 3ea2eaab9cd818cee47fd9caa8e3f4294bb1a5ee

New changelog entries:
  * debian/patches/update_certs.patch: Fix FTBFS. Original SSL certs
    for test suite expired May 18 2013. Cherry-picked regenerated certs
    from stable/folsom commit c14f2789.

3ea2eaa... by James Page on 2013-05-17

Import patches-unapplied version 2012.2.4-0ubuntu2 to ubuntu/quantal-proposed

Imported using git-ubuntu import.

Changelog parent: d95e13684dea715f798f9eec5dbf856f164a6cb7

New changelog entries:
  * Rebase on latest security fixes.
  * SECURITY UPDATE: delete user token immediately upon delete when using v2
    API
    - CVE-2013-2059.patch: adjust keystone/identity/core.py to call
      token_api.delete_token() during delete. Also update test suite.
    - CVE-2013-2059
    - LP: #1166670

d95e136... by Adam Gandelman on 2013-04-25

Import patches-unapplied version 2012.2.4-0ubuntu1 to ubuntu/quantal-proposed

Imported using git-ubuntu import.

Changelog parent: f82feb75e25afcfb9b4ebc5a5ffb814b0f6abb11

New changelog entries:
  * Dropped patches, applied upstream:
    - debian/patches/CVE-2013-1865.patch: [255b1d4]
    - debian/patches/CVE-2013-0282.patch: [f0b4d30]
    - debian/patches/CVE-2013-1664+1665.patch: [8a22745]
  * Resynchronize with stable/folsom (09f28020) (LP: #1179707):
    - [5ea4fcf] V2 API reported at Beta LP: 1135230
    - [1889299] PKI-signed token hash saved as token ID for SQL backend only
      LP: 1073272
    - [40660f0] Key PKI tokens on hash in memcached for auth_token middleware
      LP: 1073343
    - [b3ce6a7] Use the right subprocess based on os monkeypatch
    - [bb1ded0] keystone-all --config-dir is being ignored LP: 1101129
    - [9e0a97d] Temporary network outage results in connection refused and
      invalid token LP: 1150299
    - [255b1d4] Validation of PKI tokens bypasses revocation check LP: 1129713
    - [8690166] PKI tokens are broken after 24 hours LP: 1074172
    - [790c87e] PKI tokens are broken after 24 hours LP: 1074172
    - [f0b4d30] EC2 authentication does not ensure user or tenant is enabled
      LP: 1121494
    - [8a22745] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282

f82feb7... by James Page on 2013-03-22

Import patches-unapplied version 2012.2.3+stable-20130206-82c87e56-0ubuntu2 to ubuntu/quantal-proposed

Imported using git-ubuntu import.

Changelog parent: d6819c3b1e6e9437375a75a22c4bfd5fbda2993d

New changelog entries:
  * Resync with latest security updates.
  * SECURITY UPDATE: fix PKI revocation bypass
    - debian/patches/CVE-2013-1865.patch: validate tokens from the backend
    - CVE-2013-1865
  * SECURITY UPDATE: fix EC2-style authentication for disabled users
    - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
      to ensure user and tenant are enabled in EC2
    - CVE-2013-0282
  * SECURITY UPDATE: fix denial of service
    - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
    - CVE-2013-1664
    - CVE-2013-1665

d6819c3... by Adam Gandelman on 2013-02-06

Import patches-unapplied version 2012.2.3+stable-20130206-82c87e56-0ubuntu1 to ubuntu/quantal-proposed

Imported using git-ubuntu import.

Changelog parent: 14d49dc7df1bab2d05fe7ea6fec51a98826626d2

New changelog entries:
  [ Adam Gandelman ]
  * Dropped patches, applied upstream:
    - debian/patches/CVE-2013-0247.patch: [bb2226f]
  * Resynchronize with stable/folsom (82c87e56) (LP: #1116671):
    - [bb2226f] Add size validations for /tokens.
    - [ec7b94d] Non-API specific 404 exposes traceback LP: 1089987
    - [70e55f9] SQL backend fails if not all URL are defined in an endpoint
      LP: 1061736
    - [6c95b73] Unparseable endpoint URL's should raise a user friendly error
      LP: 1058494
    - [9e300b7] Test 0.2.0 keystoneclient to avoid new deps
    - [ec06625] serviceCatalog is dict in the case of no endpoints LP: 1087405
  [ Chuck Short ]
  * debian/patches/fix-ubuntu-tests.patch: Refreshed.

14d49dc... by Jamie Strandboge on 2013-01-31

Import patches-unapplied version 2012.2.1-0ubuntu1.1 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: 0631f62f6307166eaa847b8454ce5329ca668201

New changelog entries:
  * SECURITY UPDATE: fix token creation error handling
    - debian/patches/CVE-2013-0247.patch: validate size of user_id, username,
      password, tenant_name, tenant_id and old_token size to help guard
      against a denial of service via large log files filling the disk
    - CVE-2013-0247

0631f62... by Adam Gandelman on 2012-12-04

Import patches-unapplied version 2012.2.1-0ubuntu1 to ubuntu/quantal-proposed

Imported using git-ubuntu import.

Changelog parent: c2df7726d8d0c733ec2725f127f74b69424251bf

New changelog entries:
  * Ubuntu updates:
    - debian/control: Ensure keystoneclient is upgraded with keystone,
      require python-keystoneclient >= 1:0.1.3. (LP: #1073273)
    - Dropped patches, applied upstream:
      - debian/patches/CVE-2012-5563.patch
      - debian/patches/CVE-2012-5571.patch
      - debian/patches/fix-ssl-tests-lp1068851.patch
  * Resynchronize with stable/folsom (7869c3ec) (LP: #1085255):
    - [f9d4766] token expires time incorrect for auth by one token
      (LP: #1079216)
    - [80d63c8] keystone throws error when removing user from tenant.
      (LP: #1078497)
    - [37308dd] Removing user from a tenant isn't invalidating user access to
      tenant (LP: #1064914)
    - [bec9b68] Redo part of bp/sql-identiy-pam undone by bug 968519
      (LP: #1068674)
    - [ee645e6] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [094c494] Non PKI Tokens longer than 32 characters can never be valid
      (LP: #1060389)
    - [3cd343b] Openssl tests rely on expired certificate (LP: #1068851)
    - [2f9807e] Set defaultbranch in .gitreview to stable/folsom