Change logs for keystone source package in Quantal

  • keystone (2012.2.4-0ubuntu3.3) quantal-security; urgency=low
    
      * SECURITY UPDATE: don't add role when attempting to remove a non-existent
        role
        - debian/patches/CVE-2013-4477.patch: raise RoleNotFound with exception
          ldap.NO_SUCH_OBJECT
        - CVE-2013-4477
        - LP: #1242855
     -- Jamie Strandboge <email address hidden>   Tue, 05 Nov 2013 09:43:11 -0600
  • keystone (2012.2.4-0ubuntu3.2) quantal-security; urgency=low
    
      * SECURITY UPDATE: revoke user tokens when disabling/deleting a project
        - debian/patches/CVE-2013-4222.patch: add _delete_tokens_for_project() to
          common/controller.py and use it in identity/controllers.py
          (LP: #1179955)
        - CVE-2013-4222
      * SECURITY UPDATE: fix and test token revocation list API
        - debian/patches/CVE-2013-4294.patch: fix token matching for memcache
          backend token revocation (LP: #1202952)
        - CVE-2013-4294
     -- Jamie Strandboge <email address hidden>   Tue, 22 Oct 2013 10:09:33 -0500
  • keystone (2012.2.4-0ubuntu3.1) quantal-security; urgency=low
    
      * SECURITY UPDATE: fix auth_token middleware neglects to check expiry of
        signed token when using PKI
        - debian/patches/CVE-2013-2104.patch: explicitly check the expiry on the
          tokens, and reject tokens that have expired. Also update test data
        - CVE-2013-2104
        - LP: #1179615
      * debian/patches/fix-testsuite-for-2038-problem.patch: Adjust json example
        cert data to use 2037 instead of 2112 and regenerate the certs. Also
        adjust token expiry data to use 2037 instead of 2999.
      * SECURITY UPDATE: fix authentication bypass when using LDAP backend
        - debian/patches/CVE-2013-2157.patch: identity/backends/ldap/core.py is
          adjusted to raise an assertion for invalid password when using LDAP and
          an empty password is submitted
        - CVE-2013-2157
        - LP: #1187305
     -- Jamie Strandboge <email address hidden>   Thu, 13 Jun 2013 13:42:44 -0500
  • keystone (2012.2.4-0ubuntu3) quantal-proposed; urgency=low
    
      * debian/patches/update_certs.patch: Fix FTBFS.  Original SSL certs
        for test suite expired May 18 2013. Cherry-picked regenerated certs
        from stable/folsom commit c14f2789.
     -- James Page <email address hidden>   Wed, 29 May 2013 20:59:34 +0100
  • keystone (2012.2.4-0ubuntu2) quantal-proposed; urgency=low
    
      * Rebase on latest security fixes.
      * SECURITY UPDATE: delete user token immediately upon delete when using v2
        API
        - CVE-2013-2059.patch: adjust keystone/identity/core.py to call
          token_api.delete_token() during delete. Also update test suite.
        - CVE-2013-2059
        - LP: #1166670
     -- James Page <email address hidden>   Fri, 17 May 2013 11:26:24 +0100
  • keystone (2012.2.4-0ubuntu1) quantal-proposed; urgency=low
    
      * Dropped patches, applied upstream:
        - debian/patches/CVE-2013-1865.patch: [255b1d4]
        - debian/patches/CVE-2013-0282.patch: [f0b4d30]
        - debian/patches/CVE-2013-1664+1665.patch: [8a22745]
      * Resynchronize with stable/folsom (09f28020) (LP: #1179707):
        - [5ea4fcf] V2 API reported at Beta LP: 1135230
        - [1889299] PKI-signed token hash saved as token ID for SQL backend only
          LP: 1073272
        - [40660f0] Key PKI tokens on hash in memcached for auth_token middleware
          LP: 1073343
        - [b3ce6a7] Use the right subprocess based on os monkeypatch
        - [bb1ded0] keystone-all --config-dir is being ignored LP: 1101129
        - [9e0a97d] Temporary network outage results in connection refused and
          invalid token LP: 1150299
        - [255b1d4] Validation of PKI tokens bypasses revocation check LP: 1129713
        - [8690166] PKI tokens are broken after 24 hours LP: 1074172
        - [790c87e] PKI tokens are broken after 24 hours LP: 1074172
        - [f0b4d30] EC2 authentication does not ensure user or tenant is enabled
          LP: 1121494
        - [8a22745] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
     -- Adam Gandelman <email address hidden>   Thu, 25 Apr 2013 17:51:09 -0400
  • keystone (2012.2.3+stable-20130206-82c87e56-0ubuntu2.1) quantal-security; urgency=low
    
      * SECURITY UPDATE: delete user token immediately upon delete when using v2
        API
        - CVE-2013-2059.patch: adjust keystone/identity/core.py to call
          token_api.delete_token() during delete. Also update test suite.
        - CVE-2013-2059
        - LP: #1166670
     -- Jamie Strandboge <email address hidden>   Tue, 07 May 2013 14:05:48 -0500
  • keystone (2012.2.3+stable-20130206-82c87e56-0ubuntu2) quantal-proposed; urgency=low
    
      * Resync with latest security updates.
      * SECURITY UPDATE: fix PKI revocation bypass
        - debian/patches/CVE-2013-1865.patch: validate tokens from the backend
        - CVE-2013-1865
      * SECURITY UPDATE: fix EC2-style authentication for disabled users
        - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
          to ensure user and tenant are enabled in EC2
        - CVE-2013-0282
      * SECURITY UPDATE: fix denial of service
        - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
        - CVE-2013-1664
        - CVE-2013-1665
     -- James Page <email address hidden>   Fri, 22 Mar 2013 12:02:56 +0000
  • keystone (2012.2.3+stable-20130206-82c87e56-0ubuntu1) quantal-proposed; urgency=low
    
      [ Adam Gandelman ]
      * Dropped patches, applied upstream:
        - debian/patches/CVE-2013-0247.patch: [bb2226f]
      * Resynchronize with stable/folsom (82c87e56) (LP: #1116671):
        - [bb2226f] Add size validations for /tokens.
        - [ec7b94d] Non-API specific 404 exposes traceback LP: 1089987
        - [70e55f9] SQL backend fails if not all URL are defined in an endpoint
          LP: 1061736
        - [6c95b73] Unparseable endpoint URL's should raise a user friendly error
          LP: 1058494
        - [9e300b7] Test 0.2.0 keystoneclient to avoid new deps
        - [ec06625] serviceCatalog is dict in the case of no endpoints LP: 1087405
    
      [ Chuck Short ]
      * debian/patches/fix-ubuntu-tests.patch: Refreshed.
     -- Adam Gandelman <email address hidden>   Wed, 06 Feb 2013 11:13:12 -0400
  • keystone (2012.2.1-0ubuntu1.3) quantal-security; urgency=low
    
      * SECURITY UPDATE: fix PKI revocation bypass
        - debian/patches/CVE-2013-1865.patch: validate tokens from the backend
        - CVE-2013-1865
        - LP: #1129713
     -- Jamie Strandboge <email address hidden>   Wed, 20 Mar 2013 08:45:09 -0500
  • keystone (2012.2.1-0ubuntu1.2) quantal-security; urgency=low
    
      * SECURITY UPDATE: fix EC2-style authentication for disabled users
        - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
          to ensure user and tenant are enabled in EC2
        - CVE-2013-0282
        - LP: #1121494
      * SECURITY UPDATE: fix denial of service
        - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
        - CVE-2013-1664
        - CVE-2013-1665
        - LP: #1100279
        - LP: #1100282
     -- Jamie Strandboge <email address hidden>   Tue, 19 Feb 2013 11:48:27 -0600
  • keystone (2012.2.1-0ubuntu1.1) quantal-security; urgency=low
    
      * SECURITY UPDATE: fix token creation error handling
        - debian/patches/CVE-2013-0247.patch: validate size of user_id, username,
          password, tenant_name, tenant_id and old_token size to help guard
          against a denial of service via large log files filling the disk
        - CVE-2013-0247
     -- Jamie Strandboge <email address hidden>   Thu, 31 Jan 2013 12:14:43 -0600
  • keystone (2012.2.1-0ubuntu1) quantal-proposed; urgency=low
    
      * Ubuntu updates:
        - debian/control: Ensure keystoneclient is upgraded with keystone,
          require python-keystoneclient >= 1:0.1.3. (LP: #1073273)
        - Dropped patches, applied upstream:
          - debian/patches/CVE-2012-5563.patch
          - debian/patches/CVE-2012-5571.patch
          - debian/patches/fix-ssl-tests-lp1068851.patch
      * Resynchronize with stable/folsom (7869c3ec) (LP: #1085255):
        - [f9d4766] token expires time incorrect for auth by one token
          (LP: #1079216)
        - [80d63c8] keystone throws error when removing user from tenant.
          (LP: #1078497)
        - [37308dd] Removing user from a tenant isn't invalidating user access to
          tenant (LP: #1064914)
        - [bec9b68] Redo part of bp/sql-identiy-pam undone by bug 968519
          (LP: #1068674)
        - [ee645e6] Jenkins jobs fail because of incompatibility between sqlalchemy-
          migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
        - [094c494] Non PKI Tokens longer than 32 characters can never be valid
          (LP: #1060389)
        - [3cd343b] Openssl tests rely on expired certificate (LP: #1068851)
        - [2f9807e] Set defaultbranch in .gitreview to stable/folsom
     -- Adam Gandelman <email address hidden>   Tue, 04 Dec 2012 09:19:41 -0800
  • keystone (2012.2-0ubuntu1.2) quantal-security; urgency=low
    
      * SECURITY UPDATE: fix for EC2-style credentials invalidation
        - debian/patches/CVE-2012-5571.patch: adjust contrib/ec2/core.py to verify
          that the user is in at least one valid role for the tenant
        - CVE-2012-5571
        - LP: #1064914
      * debian/patches/fix-ssl-tests-lp1068851.patch: update certificates for
        SSL tests
      * SECURITY UPDATE: fix for token expiration
        - debian/patches/CVE-2012-5563.patch: ensure token expiration is
          maintained
        - CVE-2012-5563
        - LP: #1079216
     -- Jamie Strandboge <email address hidden>   Wed, 28 Nov 2012 11:29:47 -0600
  • keystone (2012.2-0ubuntu1) quantal; urgency=low
    
      * New upstream release.
     -- Chuck Short <email address hidden>   Thu, 27 Sep 2012 12:22:07 -0500
  • keystone (2012.2~rc2-0ubuntu1) quantal; urgency=low
    
      * New upstream release.
     -- Chuck Short <email address hidden>   Wed, 26 Sep 2012 13:15:29 -0500
  • keystone (2012.2~rc1-0ubuntu1) quantal; urgency=low
    
      * New upstream version.
      * debian/keystone.logrotate: Compress log file when rotated. (LP: #1049309)
     -- Chuck Short <email address hidden>   Mon, 17 Sep 2012 09:15:51 -0500
  • keystone (2012.2~rc1~20120906.2517-0ubuntu2) quantal; urgency=low
    
      [ Adam Gandelman ]
      * Refreshed patches.
    
      [ Soren Hansen ]
      * Update debian/watch to account for symbolically named tarballs and
        use newer URL.
      * Fix Launchpad URLs in debian/watch.
    
      [ Logan Rosen ]
      * Fix control file to suggest python-memcache instead of python-memcached
        (LP: #998991).
    
      [ Chuck Short ]
      * New upstream version.
      * Don't FTBFS if the testsuite fails.
     -- Chuck Short <email address hidden>   Fri, 07 Sep 2012 13:04:01 -0500
  • keystone (2012.2~f3-0ubuntu1) quantal; urgency=low
    
      [ Adam Gandelman ]
      * debian/{keystone.conf, rules, keytone.install}: Install patched
        keystone.conf.sample configured for SQL backends to /etc/keystone,
        no longer maintain our own version in packaging. (LP: #1031012)
      * debian/patches/sql_connection.patch: Refreshed against current
        keystone.conf.sample.
      * debian/rules: Use debian/tests as HOME to avoid test suite FTBFS.
    
      [ Sam Morrison ]
      * debian/keystone.logrotate: Sent output of keystone restart in logrotate
        to /dev/null. (LP: #1029766)
    
      [ Chuck Short ]
      * New upstream version.
     -- Chuck Short <email address hidden>   Thu, 16 Aug 2012 13:59:29 -0500
  • keystone (2012.2~f2-0ubuntu1) quantal; urgency=low
    
      * New upstream version.
     -- Chuck Short <email address hidden>   Fri, 06 Jul 2012 10:37:01 -0400
  • keystone (2012.2~f2~20120622.2353-0ubuntu1) quantal; urgency=low
    
      * New upstream release.
     -- Chuck Short <email address hidden>   Fri, 22 Jun 2012 12:27:50 -0400
  • keystone (2012.2~f2~20120529.2315-0ubuntu1) quantal; urgency=low
    
      * New upstream release.
      * debian/patches/sql_connection.patch: Refreshed
     -- Chuck Short <email address hidden>   Fri, 01 Jun 2012 11:01:01 -0400
  • keystone (2012.2~f1-0ubuntu1) quantal; urgency=low
    
      * New upstream release.
      * Prepare for quantal:
        - debian/patches/fix-ubuntu-tests.patch: Refreshed.
        - debian/patches/sql_connection.patch: Refreshed.
      * debian/keystone.install: Install the right configuration files.
     -- Chuck Short <email address hidden>   Thu, 24 May 2012 14:04:20 -0400
  • keystone (2012.1-0ubuntu1) precise; urgency=low
    
      * New upstream version.
      * debian/man/keystone.8: Mention that there is a lack of ssl support.
     -- Chuck Short <email address hidden>   Thu, 05 Apr 2012 10:42:24 -0400