Your message dated Sat, 20 Jun 2015 11:02:11 +0000
with message-id <e1z6gxl-0000jq...@franck.debian.org>
and subject line Bug#783164: fixed in python-keystoneclient 1:0.10.1-2+deb8u1
has caused the Debian Bug report #783164,
regarding CVE-2015-1852: S3token incorrect condition expression for
ssl_insecure.
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
783164: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783164
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-keystoneclient
Version: 1:0.10.1-2
Severity: grave
Tags: security patch
Note from maintainer: upload fixing Sid & Jessie is coming in a few minutes.
Affects
~~~~~~~
- python-keystoneclient: versions through 1.3.0
- keystonemiddleware: versions through 1.5.0
Description
~~~~~~~~~~~
Brant Knudson from IBM reported a vulnerability in keystonemiddleware
(formerly shipped as python-keystoneclient). When the 'insecure'
option is set in a S3Token paste configuration file its value is
effectively ignored and instead assumed to be true. As a result
certificate verification will be disabled, leaving TLS connections
open to MITM attacks. Note that it's unusual to explicitly add this
option and then set it to false, so the impact of this bug is thought
to be limited. All versions of s3_token middleware with TLS settings
configured are affected by this flaw.
Patches
~~~~~~~
- https://review.openstack.org/173378 (python-keystoneclient) (Icehouse)
- https://review.openstack.org/173376 (keystonemiddleware) (Juno)
- https://review.openstack.org/173377 (python-keystoneclient) (Juno)
- https://review.openstack.org/173365 (keystonemiddleware) (Kilo)
- https://review.openstack.org/173370 (python-keystoneclient) (Kilo)
Credits
~~~~~~~
- Brant Knudson from IBM (CVE-2015-1852)
References
~~~~~~~~~~
- https://launchpad.net/bugs/1411063
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1852
Notes
~~~~~
- This fix will be included in keystonemiddleware 1.6.0 release and
python-keystoneclient 1.4.0 release.
--- End Message ---
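The failure mode the advisory above describes, as an added illustration that is not the upstream middleware code: paste deploy hands every filter option to the factory as a string, so the flawed condition treats `insecure = false` as true and switches TLS verification off. `bool_from_string` here is my own stand-in for the oslo.utils helper implied by the python-oslo.utils dependency the Debian changelog mentions; the `[filter:s3token]` section, hostnames and the assumption that the option maps to a requests-style `verify` flag are constructed for the example.

```python
import configparser

# Constructed sample of a paste filter section, as a deployer might write it.
# Paste deploy passes each option to the filter factory as a string, so
# `insecure = false` arrives as the str "false", never as bool False.
SAMPLE_PASTE_INI = """
[filter:s3token]
paste.filter_factory = keystonemiddleware.s3_token:filter_factory
auth_host = keystone.example.test
auth_port = 35357
auth_protocol = https
insecure = false
"""

_TRUE = {"1", "t", "true", "on", "y", "yes"}
_FALSE = {"0", "f", "false", "off", "n", "no"}

def bool_from_string(value, default=False):
    """Strict string-to-bool parse (stand-in for oslo.utils' strutils.bool_from_string)."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    return default  # unrecognised values never silently become "insecure"

def tls_verify_vulnerable(conf):
    """Flawed condition: any non-empty string, "false" included, is truthy."""
    insecure = conf.get("insecure", False)
    return not insecure  # False means certificate verification is disabled

def tls_verify_fixed(conf):
    """Corrected condition: parse the option as a boolean before testing it."""
    return not bool_from_string(conf.get("insecure", False))

def load_s3token_conf(ini_text):
    """Read the [filter:s3token] section the way paste delivers it: all values are str."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    return dict(parser["filter:s3token"])

if __name__ == "__main__":
    conf = load_s3token_conf(SAMPLE_PASTE_INI)
    print("vulnerable verify:", tls_verify_vulnerable(conf))  # False: TLS checks off
    print("fixed verify:     ", tls_verify_fixed(conf))       # True
```

Auditing a deployment for this bug means looking for any `insecure` key at all in the s3token filter section, since its value did not matter before the fix.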
--- Begin Message ---
Source: python-keystoneclient
Source-Version: 1:0.10.1-2+deb8u1
We believe that the bug you reported is fixed in the latest version of
python-keystoneclient, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 783...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated python-keystoneclient
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 23 Apr 2015 10:18:50 +0200
Source: python-keystoneclient
Binary: python-keystoneclient
Architecture: source all
Version: 1:0.10.1-2+deb8u1
Distribution: jessie-proposed-updates
Urgency: high
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
python-keystoneclient - client library for the OpenStack Keystone API
Closes: 783164
Changes:
python-keystoneclient (1:0.10.1-2+deb8u1) jessie-proposed-updates; urgency=high
.
* CVE-2015-1852: S3token incorrect condition expression for ssl_insecure.
Applied upstream patch: Fix s3_token middleware parsing insecure option.
(Closes: #783164)
* Added python-oslo.utils (build-)depends introduced by this patch.
--- End Message ---