Hi Thomas,

On 14/05/2020 19:08, Thomas Goirand wrote:
> I released an update of Keystone for a quite serious problem related to
> ec2 credentials where a user can become admin. I was able to fix the
> last 4 releases of OpenStack. Though I don't have the energy to
> investigate these CVEs in Stretch and Jessie. Probably Keystone over
> there isn't even affected, I don't know.
>
> Is anyone interested to do the work? If so, best would be to look at the
> 4 patches I added to the security release of Keystone in Buster.

Thanks for the info.

OpenStack was recently marked EOL in Jessie, citing a 2015 message from you actually:
https://salsa.debian.org/debian/debian-security-support/commit/486197770133ba3c2f3a827802539661a06bc592
https://lists.debian.org/debian-lts/2015/11/msg00024.html

Does that sound OK?

Stretch is still maintained by Debian Security team (though LTS will take over within a couple months), adding them in Cc: to discuss what to do in Stretch.

Cheers!
Sylvain Beucler
Debian LTS Team