Bug 10429

Summary: python-keystoneclient new security issues CVE-2013-2104, CVE-2013-2013, CVE-2013-2166, CVE-2013-2167
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Nicolas Lécureuil <mageia>
Status: RESOLVED WONTFIX
QA Contact: Sec team <security>
Severity: major    
Priority: Normal    
Version: 3   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/552877/
Whiteboard:
Source RPM: python-keystoneclient-0.1.3.27-2.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2013-06-04 18:58:07 CEST
Ubuntu has issued an advisory on June 3:
http://www.ubuntu.com/usn/usn-1851-1/

Mageia 3 is also affected, as this package wasn't deleted with the rest of the openstack stuff before the release was branched.

David Walser 2013-06-04 18:58:15 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Sandro CAZZANIGA 2013-06-07 14:22:23 CEST
I think I've got the patch, can you confirm?

https://review.openstack.org/#/c/30742/

Comment 2 David Walser 2013-06-07 15:56:56 CEST
(In reply to Sandro Cazzaniga from comment #1)
> I think I've got the patch, can you confirm?
> 
> https://review.openstack.org/#/c/30742/

If I try to view the diff on that page, it just seems to go into an infinite loop opening new tabs in my browser O_O.

Ubuntu has a link to the upstream patch at the bottom of this page:
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2104.html

Comment 4 David Walser 2013-06-28 18:41:03 CEST
OpenSuSE has issued an advisory on June 27:
http://lists.opensuse.org/opensuse-updates/2013-06/msg00199.html

from http://lwn.net/Vulnerabilities/556766/

This adds an additional CVE, CVE-2013-2013.

Summary: python-keystoneclient new security issue CVE-2013-2104 => python-keystoneclient new security issues CVE-2013-2104 and CVE-2013-2013

Comment 5 David Walser 2013-06-28 18:42:54 CEST
RedHat has issued an advisory on June 27:
https://rhn.redhat.com/errata/RHSA-2013-0992.html

from http://lwn.net/Vulnerabilities/556768/

This adds two additional CVEs, CVE-2013-2166 and CVE-2013-2167.

Summary: python-keystoneclient new security issues CVE-2013-2104 and CVE-2013-2013 => python-keystoneclient new security issues CVE-2013-2104, CVE-2013-2013, CVE-2013-2166, CVE-2013-2167

David Walser 2013-08-01 02:42:25 CEST

Assignee: cazzaniga.sandro => nicolas.lecureuil

Comment 6 Nicolas Lécureuil 2013-08-01 09:37:49 CEST
This is for Cauldron?

Comment 7 David Walser 2013-08-01 12:59:52 CEST
Well, the package had been removed from Cauldron, but unfortunately it looks like you're bringing it back.  Anyway, this package was *supposed* to have been removed from Mageia 3 before release, but was missed, so a version of this package with all of these security vulnerabilities exists in Mageia 3.

Comment 8 Nicolas Lécureuil 2013-08-01 18:59:13 CEST
I will look w/o pb

Comment 9 David Walser 2014-01-28 17:05:50 CET
Package is no longer in Cauldron.  This package is not supported in Mageia 3 and slipped in by accident.  Closing as WONTFIX.

Status: NEW => RESOLVED
Version: Cauldron => 3
Resolution: (none) => WONTFIX
Whiteboard: MGA3TOO => (none)