Committer: Yolanda Robla
Date: 2012-12-17 10:49:43 UTC
Revision ID: yolanda.robla@canonical.com-20121217104943-ob6oigmaqeu7abq9

[ Yolanda Robla Mota ]
* Resynchronize with stable/essex (c17a9992):
- [8735009] Removing user from a tenant isn't invalidating user access to
tenant (CVE-2012-5571)
- [025b1d5] Jenkins jobs fail because of incompatibility between sqlalchemy-
migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
- [ddb4019] Open 2012.1.4 development
- [0e1f05e] memcache driver needs protection against unicode user keys
(LP: #1056373)
- [176ee9b] Token invalidation in case of role grant/revoke should be
limited to affected tenant (LP: #1050025)
- [58ac669] Token validation includes revoked roles (CVE-2012-4413)
- [cd1e48a] Memcached Token Backend does not support list tokens
(LP: #1046905)
- [5438d3b] Update user's default tenant partially succeeds without authz
(CVE-2012-3542)
* Dropped, superseded by new snapshot:
- debian/patches/CVE-2012-4413.patch [58ac669]
- debian/patches/CVE-2012-5571.patch [8735009]
- debian/patches/CVE-2012-3542.patch [5438d3b]
* SECURITY UPDATE: fix for EC2-style credentials invalidation
- debian/patches/CVE-2012-5571.patch: adjust contrib/ec2/core.py to verify
that the user is in at least one valid role for the tenant
- CVE-2012-5571
- LP: #1064914
* SECURITY UPDATE: Pre-existing tokens continue to be valid after
granting or revoking a user's access (LP: #1041396)
- debian/patches/keystone-CVE-2012-4413.patch: invalidate all user
tokens upon role grant/revoke
- CVE-2012-4413
* SECURITY UPDATE: tenants are able to be added to users without
authorization (LP: #1040626)
- debian/patches/keystone-CVE-2012-3542: require authz to update a
user's tenant.
- CVE-2012-3542