lp://qastaging/ubuntu/quantal-updates/keystone
- Get this branch:
- bzr branch lp://qastaging/ubuntu/quantal-updates/keystone
Recent revisions
- 43. By Jamie Strandboge

  * SECURITY UPDATE: revoke user tokens when disabling/deleting a project
    - debian/patches/CVE-2013-4222.patch: add _delete_tokens_for_project() to
      common/controller.py and use it in identity/controllers.py
      (LP: #1179955)
    - CVE-2013-4222
  * SECURITY UPDATE: fix and test token revocation list API
    - debian/patches/CVE-2013-4294.patch: fix token matching for memcache
      backend token revocation (LP: #1202952)
    - CVE-2013-4294

- 42. By Jamie Strandboge

  * SECURITY UPDATE: fix auth_token middleware neglecting to check expiry of
    signed token when using PKI
    - debian/patches/CVE-2013-2104.patch: explicitly check the expiry on the
      tokens, and reject tokens that have expired. Also update test data
    - CVE-2013-2104
    - LP: #1179615
  * debian/patches/fix-testsuite-for-2038-problem.patch: Adjust json example
    cert data to use 2037 instead of 2112 and regenerate the certs. Also
    adjust token expiry data to use 2037 instead of 2999.
  * SECURITY UPDATE: fix authentication bypass when using LDAP backend
    - debian/patches/CVE-2013-2157.patch: identity/backends/ldap/core.py is
      adjusted to raise an assertion for invalid password when using LDAP and
      an empty password is submitted
    - CVE-2013-2157
    - LP: #1187305

- 41. By James Page

  * debian/patches/update_certs.patch: Fix FTBFS. Original SSL certs
    for test suite expired May 18 2013. Cherry-picked regenerated certs
    from stable/folsom commit c14f2789.

- 40. By Jamie Strandboge

  * SECURITY UPDATE: delete user token immediately upon delete when using v2
    API
    - CVE-2013-2059.patch: adjust keystone/identity/core.py to call
      token_api.delete_token() during delete. Also update test suite.
    - CVE-2013-2059
    - LP: #1166670

- 39. By James Page

  * Resync with latest security updates.
  * SECURITY UPDATE: fix PKI revocation bypass
    - debian/patches/CVE-2013-1865.patch: validate tokens from the backend
    - CVE-2013-1865
  * SECURITY UPDATE: fix EC2-style authentication for disabled users
    - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
      to ensure user and tenant are enabled in EC2
    - CVE-2013-0282
  * SECURITY UPDATE: fix denial of service
    - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
    - CVE-2013-1664
    - CVE-2013-1665

- 38. By Jamie Strandboge

  * SECURITY UPDATE: fix PKI revocation bypass
    - debian/patches/CVE-2013-1865.patch: validate tokens from the backend
    - CVE-2013-1865
    - LP: #1129713

- 37. By Jamie Strandboge

  * SECURITY UPDATE: fix EC2-style authentication for disabled users
    - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
      to ensure user and tenant are enabled in EC2
    - CVE-2013-0282
    - LP: #1121494
  * SECURITY UPDATE: fix denial of service
    - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
    - CVE-2013-1664
    - CVE-2013-1665
    - LP: #1100279
    - LP: #1100282

- 36. By Jamie Strandboge

  * SECURITY UPDATE: fix token creation error handling
    - debian/patches/CVE-2013-0247.patch: validate size of user_id, username,
      password, tenant_name, tenant_id and old_token to help guard
      against a denial of service via large log files filling the disk
    - CVE-2013-0247

- 35. By Jamie Strandboge

  * SECURITY UPDATE: fix for EC2-style credentials invalidation
    - debian/patches/CVE-2012-5571.patch: adjust contrib/ec2/core.py to verify
      that the user is in at least one valid role for the tenant
    - CVE-2012-5571
    - LP: #1064914
  * debian/patches/fix-ssl-tests-lp1068851.patch: update certificates for
    SSL tests
  * SECURITY UPDATE: fix for token expiration
    - debian/patches/CVE-2012-5563.patch: ensure token expiration is
      maintained
    - CVE-2012-5563
    - LP: #1079216
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://qastaging/ubuntu/raring/keystone