[PKG-Openstack-devel] Bug#751454: Bug#751454: keystone: CVE-2014-3476: privilege escalation through trust chained delegation
Thomas Goirand
zigo at debian.org
Fri Jun 13 10:51:27 UTC 2014
On 06/13/2014 12:44 PM, Salvatore Bonaccorso wrote:
> Source: keystone
> Severity: grave
> Tags: security upstream patch
> Justification: user security hole
>
> Hi Thomas,
>
> As you might know, the following vulnerability was published for
> keystone.
>
> CVE-2014-3476[0]:
> privilege escalation through trust chained delegation
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2014-3476
> [1] http://lists.openstack.org/pipermail/openstack-announce/2014-June/000240.html
>
> Please adjust the affected versions in the BTS as needed. From the
> advisory, at least all versions up to 2013.2.3, and 2014.1 to 2014.1.1,
> are affected.
>
> Regards and thanks for your work,
> Salvatore
Hi Salvatore,
Thanks for the update. I received the pre-OSSA, but didn't find the time
to address it before now.
I just uploaded the fix for Sid with urgency=high.
As much as I can tell, the Wheezy version isn't affected. None of the
source code patched is present in the Essex version of Keystone. This is
also what the OSSA tells.
I have updated the BTS; I believe I don't have the credentials for the
security-tracker. Please mark Wheezy as unaffected, and Sid as fixed in
version 2014.1.1-2.
Cheers,
Thomas Goirand (zigo)