[PKG-Openstack-devel] Bug#751454: Bug#751454: keystone: CVE-2014-3476: privilege escalation through trust chained delegation

Thomas Goirand zigo at debian.org
Fri Jun 13 10:51:27 UTC 2014

On 06/13/2014 12:44 PM, Salvatore Bonaccorso wrote:
> Source: keystone
> Severity: grave
> Tags: security upstream patch
> Justification: user security hole
> Hi Thomas,
> As you might know, the following vulnerability was published for
> keystone.
> CVE-2014-3476[0]:
> privilege escalation through trust chained delegation
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> For further information see:
> [0] https://security-tracker.debian.org/tracker/CVE-2014-3476
> [1 ]http://lists.openstack.org/pipermail/openstack-announce/2014-June/000240.html
> Please adjust the affected versions in the BTS as needed. From the
> advisory at least all version up to 2013.2.3, and 2014.1 to 2014.1.1
> are affected.
> Regards and thanks for your work,
> Salvatore

Hi Salvatore,

Thanks for the update. I received the pre-OSSA, but didn't find the time
to address it before now.

I just uploaded the fix for Sid with urgency=high.

As much as I can tell, the Wheezy version isn't affected. None of the
source code patched is present in the Essex version of Keystone. This is
also what the OSSA tells.

I have updated the BTS, I believe I don't have the credentials for the
security-tracker. Please mark Wheezy as unaffected, and sid as fixed in
version 2014.1.1-2.


Thomas Goirand (zigo)

More information about the Openstack-devel mailing list