Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package keystone. This fixes CVE-2012-3542 (which was embargoed until yesterday), adds a Chinese Debconf translation, and fixes the nl one:

 * CVE-2012-3542: Fixes lack of authorization for adding users to tenants (Closes: #686265)
 * Added Chinese debconf translation thanks to ben <duyujie....@gmail.com>.
 * Really adds the nl debconf translation this time (Closes: #685671).

Diff file attached.

Please unblock keystone/2012.1.1-5.

Cheers,

Thomas Goirand (zigo)
diff --git a/debian/changelog b/debian/changelog index 8cff360..f9d3d3a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +keystone (2012.1.1-5) unstable; urgency=low + + * CVE-2012-3542: Fixes lack of authorization for adding users to tenants + (Closes: #686265) + * Added Chinese debconf translation thanks to ben <duyujie....@gmail.com>. + * Really adds the nl debconf translation this time (Closes: #685671). + + -- Thomas Goirand <z...@debian.org> Mon, 27 Aug 2012 11:45:44 +0000 + keystone (2012.1.1-4) unstable; urgency=low * Updated debian/keystone.templates, debian/control after review from diff --git a/debian/patches/CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch b/debian/patches/CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch new file mode 100644 index 0000000..1634e1e --- /dev/null +++ b/debian/patches/CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch 
@@ -0,0 +1,22 @@ +Description: Lack of authorization for adding users to tenants + Dolph Mathews reported a vulnerability in Keystone. When attempting to + update a user's default tenant, Keystone will only partially deny the + request when a user is not authorized to complete this action. The API + responds with 401 Not Authorized and the user's default tenant is not + changed. However, the user is still granted membership to this new + tenant. The result is that any client that can reach the + administrative API (deployed on port 35357, by default) can add any + user to any tenant. +Origin: https://review.openstack.org/#/c/11869/ +Bug-Debian: http://bugs.debian.org/686265 + +--- keystone-2012.1.1.orig/keystone/identity/core.py ++++ keystone-2012.1.1/keystone/identity/core.py +@@ -436,6 +436,7 @@ class UserController(wsgi.Application): + + def update_user_tenant(self, context, user_id, user): + """Update the default tenant.""" ++ self.assert_admin(context) + # ensure that we're a member of that tenant + tenant_id = user.get('tenantId') + self.identity_api.add_user_to_tenant(context, tenant_id, user_id) diff --git a/debian/patches/series b/debian/patches/series index 1e2e5fa..6fbf616 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ logging.conf.patch pip-require_versions default_catalog.patch sql_conn.patch +CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch diff --git a/debian/po/nl.po b/debian/po/nl.po index 7a9060b..59988ec 100644 --- a/debian/po/nl.po +++ b/debian/po/nl.po 
@@ -1,14 +1,14 @@ -# Dutch translation of nova debconf templates. +# Dutch translation of keystone debconf templates. # Copyright (C) 2012 THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the nova package. # Jeroen Schot <sc...@a-eskwadraat.nl>, 2012. # msgid "" msgstr "" -"Project-Id-Version: nova 2012.1-6\n" +"Project-Id-Version: keystone 2012.1.1-4\n" "Report-Msgid-Bugs-To: keyst...@packages.debian.org\n" "POT-Creation-Date: 2012-08-11 08:37+0200\n" -"PO-Revision-Date: 2012-06-13 13:30+0200\n" +"PO-Revision-Date: 2012-08-22 12:24+0200\n" "Last-Translator: Jeroen Schot <sc...@a-eskwadraat.nl>\n" "Language-Team: Debian l10n Dutch <debian-l10n-du...@lists.debian.org>\n" "Language: nl\n" @@ -67,16 +67,16 @@ msgid "" "keystone\"." msgstr "" "U kunt deze instelling later wijzigen door het uitvoeren van \"dpkg-" -"reconfigure keystone\". " +"reconfigure -plow keystone\". " #. Type: string #. Description #: ../keystone.templates:3001 msgid "Authentication server administration token:" -msgstr "" +msgstr "Beheer-token van authenticatieserver:" #. Type: string #. Description #: ../keystone.templates:3001 msgid "Please enter the token to use with the authentication server." -msgstr "" +msgstr "Welke token moet er met de authenticatieserver worden gebruikt?" diff --git a/debian/po/zh_CN.po b/debian/po/zh_CN.po new file mode 100644 index 0000000..4be1534 --- /dev/null +++ b/debian/po/zh_CN.po 
@@ -0,0 +1,55 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +msgid "" +msgstr "" +"Project-Id-Version: keystone\n" +"Report-Msgid-Bugs-To: keyst...@packages.debian.org\n" +"POT-Creation-Date: 2012-06-27 19:39+0200\n" +"PO-Revision-Date: 2012-08-27 16:22+0800\n" +"Last-Translator: ben <duyujie....@gmail.com>\n" +"Language-Team: LANGUAGE <l...@li.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../keystone.templates:1001 +msgid "Set up a database for Keystone?" +msgstr "为Keystone设置数据库" + +#. Type: boolean +#. Description +#: ../keystone.templates:1001 +msgid "No database has been set up for Keystone to use. If you want to set one up now, please make sure you have all needed information:" +msgstr "未曾为Keystone设置数据库。如果你想现在设置,请确定你有以下信息:" + +#. Type: boolean +#. Description +#: ../keystone.templates:1001 +msgid "" +" * the host name of the database server (which must allow TCP\n" +" connections from this machine);\n" +" * a username and password to access the database;\n" +" * the type of database management software you want to use." +msgstr "" +" * 数据库服务器的主机名 (需要这台主机的TCP链接);\n" +" * 访问这个数据库的用户名及密码;\n" +" * 你希望使用的数据库管理软件的类型。" + +#. Type: boolean +#. Description +#: ../keystone.templates:1001 +msgid "If you don't choose this option, no database will be set up and Keystone will use regular SQLite support." +msgstr "如果你没有选择该项,不会设置数据库并且Keystone将会使用SQLite。" + +#. Type: boolean +#. Description +#: ../keystone.templates:1001 +msgid "You can change this setting later on by running \"dpkg-reconfigure -plow keystone\"." +msgstr "您可以通过运行\"dpkg-reconfigure-plow keystone\" 命令来修改配置。" +
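Review bot: in the CVE-2012-3542 patch, the added `self.assert_admin(context)` at the top of `update_user_tenant` in keystone/identity/core.py sits before `self.identity_api.add_user_to_tenant(context, tenant_id, user_id)`, which is the right place: the Description explains that the old code answered 401 for the tenant change but had already granted the membership, so the authorization check has to run before any side effect. The patch carries no regression test, so before unblock it would be worth confirming on the built package that a non-admin token still gets the 401 and that the target user is not listed as a member of the tenant afterwards, since that silent membership grant was the actual impact. The DEP-3 header has Description, Origin and Bug-Debian; an Applied-Upstream line (or the upstream commit in Origin) would make it easier to drop the patch on the next upstream release.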
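Review bot: the header comment in debian/po/nl.po is only half updated: the first line now reads "# Dutch translation of keystone debconf templates." but the unchanged context line "# This file is distributed under the same license as the nova package." still names nova, so that line should be changed to keystone in the same hunk. The Project-Id-Version is bumped to "keystone 2012.1.1-4" while this upload is 2012.1.1-5; harmless, but worth aligning. The changed msgstr for the reconfigure hint now says "dpkg-reconfigure -plow keystone", which matches the English msgid shown in the zh_CN file, so that part is consistent.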
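Review bot: the new debian/po/zh_CN.po still carries the untouched file-header placeholders ("SOME DESCRIPTIVE TITLE", "YEAR THE PACKAGE'S COPYRIGHT HOLDER", "FIRST AUTHOR <EMAIL@ADDRESS>", "Language-Team: LANGUAGE <l...@li.org>") and an empty "Language: \n" field; these should be filled in (at least "Language: zh_CN\n") before the file ships. Two msgstr problems: the last translation renders the command as "dpkg-reconfigure-plow keystone" with no space before -plow, which is not a valid command line, and the translation of "Set up a database for Keystone?" drops the question mark even though it is a boolean prompt. The file also only contains entries for ../keystone.templates:1001, whereas the nl.po hunk shows strings at ../keystone.templates:3001 (the administration token prompt), and its POT-Creation-Date (2012-06-27) predates the nl one (2012-08-11), so the Chinese translation appears to have been made against an older template and will be incomplete; running debconf-updatepo would show the missing entries.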