lp:~yolanda.robla/keystone/precise-security

Created by Yolanda Robla and last modified
Get this branch:
bzr branch lp:~yolanda.robla/keystone/precise-security

Branch information

Owner:
Yolanda Robla
Project:
OpenStack Identity (keystone)
Status:
Development

Recent revisions

34. By Yolanda Robla

Refreshed patches

33. By Yolanda Robla

refreshing patches

32. By Yolanda Robla

* Resynchronize with stable/essex (LP: #1089488):
  - [7402f5e] EC2 authentication does not ensure user or tenant is enabled
    LP: 1121494
  - [8945567] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
  - [7b5b72f] Add size validations for /tokens.
  - [ef1e682] docutils 0.10 incompatible with sphinx 1.1.3 LP: 1091333
  - [8735009] Removing user from a tenant isn't invalidating user access to
    tenant (LP: #1064914)
  - [025b1d5] Jenkins jobs fail because of incompatibility between sqlalchemy-
    migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
  - [ddb4019] Open 2012.1.4 development
  - [0e1f05e] memcache driver needs protection against unicode user keys
    (LP: #1056373)
  - [176ee9b] Token invalidation in case of role grant/revoke should be
    limited to affected tenant (LP: #1050025)
  - [58ac669] Token validation includes revoked roles (CVE-2012-4413)
    (LP: #1041396)
  - [cd1e48a] Memcached Token Backend does not support list tokens
    (LP: #1046905)
  - [5438d3b] Update user's default tenant partially succeeds without authz
    (LP: #1040626)
* Dropped patches, superseded by new snapshot:
  - debian/patches/CVE-2013-0282.patch [7402f5e]
  - debian/patches/CVE-2013-1664+1665.patch [8945567]
  - debian/patches/keystone-CVE-2012-5571.patch [8735009]
  - debian/patches/keystone-CVE-2012-4413.patch [58ac669]
  - debian/patches/keystone-CVE-2012-3542.patch [5438d3b]
* Dropped patches, no longer needed:
  - debian/patches/CVE-2013-0247.patch
* Refreshed patches:
  - debian/patches/fix-ubuntu-tests.patch

31. By Yolanda Robla

New upstream release.

30. By Jamie Strandboge

* SECURITY UPDATE: fix EC2-style authentication for disabled users
  - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
    to ensure user and tenant are enabled in EC2
  - CVE-2013-0282
  - LP: #1121494
* SECURITY UPDATE: fix denial of service
  - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
  - CVE-2013-1664
  - CVE-2013-1665
  - LP: #1100279

29. By Jamie Strandboge

* SECURITY UPDATE: fix token creation error handling
  - debian/patches/CVE-2013-0247.patch: validate size of user_id, username,
    password, tenant_name, tenant_id and token size to help guard against a
    denial of service via large log files filling the disk
  - CVE-2013-0247

28. By Jamie Strandboge

* SECURITY UPDATE: fix for EC2-style credentials invalidation
  - debian/patches/CVE-2012-5571.patch: adjust contrib/ec2/core.py to verify
    that the user is in at least one valid role for the tenant
  - CVE-2012-5571
  - LP: #1064914

27. By Steve Beattie

* SECURITY UPDATE: Pre-existing tokens continue to be valid after
  granting or revoking a user's access (LP: #1041396)
  - debian/patches/keystone-CVE-2012-4413.patch: invalidate all user
    tokens upon role grant/revoke
  - CVE-2012-4413

26. By Steve Beattie

* SECURITY UPDATE: tenants are able to be added to users without
  authorization (LP: #1040626)
  - debian/patches/keystone-CVE-2012-3542: require authz to update a
    user's tenant.
  - CVE-2012-3542

25. By Chuck Short

* New upstream version.
* debian/man/keystone.8: Mention that there is a lack of ssl support.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)