On 5/15/20 3:12 PM, Sylvain Beucler wrote:
> Hi Thomas,
>
> On 14/05/2020 19:08, Thomas Goirand wrote:
>> I released an update of Keystone for a quite serious problem related to
>> ec2 credentials where a user can become admin. I was able to fix the
>> last 4 releases of OpenStack, though I don't have the energy to
>> investigate these CVEs in Stretch and Jessie. Probably Keystone over
>> there isn't even affected; I don't know.
>>
>> Is anyone interested in doing the work? If so, it would be best to look
>> at the 4 patches I added to the security release of Keystone in Buster.
>
> Thanks for the info.
>
> OpenStack was recently marked EOL in Jessie, citing a 2015 message from
> you, actually:
> https://salsa.debian.org/debian/debian-security-support/commit/486197770133ba3c2f3a827802539661a06bc592
> https://lists.debian.org/debian-lts/2015/11/msg00024.html
> Does that sound OK?
Right. That feels OK to me. I don't think we'd get any help from upstream
for things more than 2 years old, so it feels unsustainable.

> Stretch is still maintained by the Debian Security team (though LTS will
> take over within a couple of months), adding them in Cc: to discuss what
> to do in Stretch.

Thanks. If anyone from the LTS team feels like working on Keystone, I can
grant write access to the Git repository on Salsa. We have the full
history of all OpenStack releases in Git since further back than I can
even remember (probably since 8 years ago).

IMO, the first thing that should be done is to investigate whether these
CVEs are relevant to Stretch. Probably they aren't, because I don't think
Keystone 10.x.x has support for scopes (and this is what the CVEs were
about).

Cheers,

Thomas Goirand (zigo)