[Openstack-devel] Bug#707598: Bug#707598: CVE-2013-2059: Keystone tokens not immediately invalidated when user is deleted [OSSA 2013-011]

Thomas Goirand thomas at goirand.fr
Thu May 9 18:10:36 UTC 2013


On 05/10/2013 12:38 AM, Luciano Bello wrote:
> Package: keystone
> Severity: important
> Tags: security patch
> Justification: user security hole
> 
> Please see: http://lists.openstack.org/pipermail/openstack-announce/2013-May/000099.html
> 
> Cheers, luciano

Thanks Luciano,

I'm attaching the patches for both the Wheezy and Experimental versions
of Keystone (Essex and Grizzly, respectively).

I worked on fixing the Spice console for Grizzly tonight, and it's a bit
too late to do some security uploads without mistakes. So I'm delaying
it until tomorrow. If anyone in the team has time to do them though (like
Ghe, for example???), I'd appreciate it.

Thomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2013-2059_essex_Deleted_user_can_still_create_instances.patch
Type: text/x-diff
Size: 2641 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/openstack-devel/attachments/20130510/7007af77/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2013-2059_grizzly_Deleted_user_can_still_create_instances.patch
Type: text/x-diff
Size: 1900 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/openstack-devel/attachments/20130510/7007af77/attachment-0001.patch>