author | 2013-05-10 16:14:06 +0000 | |
committer | 2013-05-10 16:14:06 +0000 | |
commit | 5d46700627e5188eed0635a2676e441ba64c549e (patch) | |
tree | a068f1996b79f08a5eb06c01a9534bdc90e67c33 /sys-auth | |
parent | remove old ebuild and fix libpcap[netlink] for libpcap-1.4.0 (diff) | |
fix for CVE-2013-2059 for openstack keystone
(Portage version: 2.1.11.55/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-auth')
-rw-r--r-- | sys-auth/keystone/ChangeLog | 9 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2059.patch | 54 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2012.2.4-r2.ebuild (renamed from sys-auth/keystone/keystone-2012.2.4-r1.ebuild) | 3 |
3 files changed, 64 insertions, 2 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index f94a340e1440..529317ee263b 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for sys-auth/keystone
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.16 2013/05/10 04:00:42 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.17 2013/05/10 16:14:06 prometheanfire Exp $
+
+*keystone-2012.2.4-r2 (10 May 2013)
+
+ 10 May 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/keystone-folsom-4-CVE-2013-2059.patch, +keystone-2012.2.4-r2.ebuild,
+ -keystone-2012.2.4-r1.ebuild:
+ fix for CVE-2013-2059 for openstack keystone
 
 *keystone-2012.2.4-r1 (10 May 2013)
 
diff --git a/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2059.patch b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2059.patch
new file mode 100644
index 000000000000..3943f26cf976
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2059.patch
@@ -0,0 +1,54 @@
+diff --git a/keystone/identity/core.py b/keystone/identity/core.py
+index e029743..e6f63aa 100644
+--- a/keystone/identity/core.py
++++ b/keystone/identity/core.py
+@@ -508,6 +508,14 @@ class UserController(wsgi.Application):
+ def delete_user(self, context, user_id):
+ self.assert_admin(context)
+ self.identity_api.delete_user(context, user_id)
++ try:
++ for token_id in self.token_api.list_tokens(context, user_id):
++ self.token_api.delete_token(context, token_id)
++ except exception.NotImplemented:
++ # The users status has been changed but tokens remain valid for
++ # backends that can't list tokens for users
++ LOG.warning('User %s status has changed, but existing tokens '
++ 'remain valid' % user_id)
+ 
+ def set_user_enabled(self, context, user_id, user):
+ return self.update_user(context, user_id, user)
+diff --git a/tests/test_keystoneclient.py b/tests/test_keystoneclient.py
+index a45e27b..e65c7ef 100644
+--- a/tests/test_keystoneclient.py
++++ b/tests/test_keystoneclient.py
+@@ -385,6 +385,30 @@ class KeystoneClientTests(object):
+ self.get_client,
+ self.user_foo)
+ 
++ def test_delete_user_invalidates_token(self):
++ from keystoneclient import exceptions as client_exceptions
++
++ admin_client = self.get_client(admin=True)
++ client = self.get_client(admin=False)
++
++ username = uuid.uuid4().hex
++ password = uuid.uuid4().hex
++ user_id = admin_client.users.create(
++ name=username, password=password, email=uuid.uuid4().hex).id
++
++ token_id = client.tokens.authenticate(
++ username=username, password=password).id
++
++ # token should be usable before the user is deleted
++ client.tokens.authenticate(token=token_id)
++
++ admin_client.users.delete(user=user_id)
++
++ # authenticate with a token should not work after the user is deleted
++ self.assertRaises(client_exceptions.Unauthorized,
++ client.tokens.authenticate,
++ token=token_id)
++
+ def test_token_expiry_maintained(self):
+ foo_client = self.get_client(self.user_foo)
+ orig_token = foo_client.service_catalog.catalog['token']
diff --git a/sys-auth/keystone/keystone-2012.2.4-r1.ebuild b/sys-auth/keystone/keystone-2012.2.4-r2.ebuild
index b138eb805c28..c17b197b8cbc 100644
--- a/sys-auth/keystone/keystone-2012.2.4-r1.ebuild
+++ b/sys-auth/keystone/keystone-2012.2.4-r2.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r1.ebuild,v 1.1 2013/05/10 04:00:42 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r2.ebuild,v 1.1 2013/05/10 16:14:06 prometheanfire Exp $
 
 EAPI=5
 #test restricted becaues of bad requirements given (old webob for instance)
@@ -71,6 +71,7 @@ RDEPEND="${DEPEND}
 
 PATCHES=(
 "${FILESDIR}/keystone-folsom-4-CVE-2013-2030.patch"
+ "${FILESDIR}/keystone-folsom-4-CVE-2013-2059.patch"
 )
 
 python_install() {
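Review bot: In the added `delete_user` body of keystone/identity/core.py the token sweep only starts after `identity_api.delete_user` has returned, and only `exception.NotImplemented` is caught, so any other failure from `list_tokens` or `delete_token` (a backend error, or a token that expired or was removed concurrently, if the backend raises for that) propagates after the user record is already gone and leaves the rest of that user's tokens valid until they expire. Revoking the tokens before the identity delete, or catching the per-token failure inside the loop so one bad token does not abort the rest, would fail closed instead. The `except` comment and the warning text (`The users status has been changed`, `'User %s status has changed, ...'`) read as if carried over from a disable-user path; for this method a comment such as `# the user is deleted, but this backend cannot enumerate its tokens, so they stay valid until expiry` states the actual residual risk an operator should watch for in the logs. The warning should also pass `user_id` as a logging argument, `LOG.warning('User %s deleted, but existing tokens remain valid', user_id)`, rather than formatting with `%` up front. Whether `delete_token` raises for a missing token cannot be confirmed from this page.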