[Openstack-devel] Bug#731981: keystone: CVE-2013-6391: Keystone trust circumvention through EC2-style tokens

Salvatore Bonaccorso carnil at debian.org
Thu Dec 19 05:58:48 UTC 2013


Hi Thomas,

On Wed, Dec 18, 2013 at 11:49:41PM +0800, Thomas Goirand wrote:
> On 12/12/2013 02:35 PM, Salvatore Bonaccorso wrote:
> > Yes, thanks for working on this. I'm aware there are other CVEs
> > assigned also for the other components, I simply had not yet the
> > chance to look at them and report them to the BTS. They are at least
> > already in the security-tracker marked as TODO: check.
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore,
> 
> My last uploads are fixing the following in Sid:
> Heat: CVE-2013-6428, CVE-2013-6426.
> Nova: CVE-2013-7048, CVE-2013-6419.
> Neutron: CVE-2013-6419.
> Keystone: CVE-2013-6391.

Thanks! Really appreciated to get the notification. All of these are
already updated in the tracker.

> I haven't had time to check what's going on with Wheezy / OpenStack
> Essex, and I don't think I'll have the time to do so in the foreseeable
> future (I'll be busy with personal stuff soon).

Ok! What we really would need (see previous mails) is to have written
up in a /usr/share/doc/$pkg/README.Debian.security what is supported
security-wise, and what not.

Regards,
Salvatore