Package "keystone"
Name: |
keystone
|
Description: |
OpenStack identity service - Daemons
|
Latest version: |
2:13.0.4-0ubuntu1 |
Release: |
bionic (18.04) |
Level: |
security |
Repository: |
main |
Homepage: |
http://launchpad.net/keystone |
Links
Download "keystone"
Other versions of "keystone" in Bionic
Packages in group
Deleted packages are displayed in grey.
Changelog
keystone (2:13.0.4-0ubuntu1) bionic-security; urgency=medium
[ Chris MacNaughton ]
* d/watch: Update to point at opendev.org.
* New stable point release for OpenStack Queens (LP: #1893234).
- d/p/0001-fixing-dn-to-id.patch: Dropped. Fixed in upstream
release.
[ Corey Bryant ]
* SECURITY UPDATE: EC2 and/or credential endpoints are not protected
from a scoped context. Keystone V3 /credentials endpoint policy
logic allows to change credentials owner or target project ID.
- debian/patches/CVE-2020-12689-CVE-2020-12691.patch: Fix security
issues with EC2 credentials, addressing several issues in the
creation and use of EC2/S3 credentials with keystone tokens.
- CVE-2020-12689, CVE-2020-12691
* SECURITY UPDATE: OAuth1 request token authorize silently ignores
roles parameter.
- debian/patches/CVE-2020-12690.patch: Ensure OAuth1 authorized
roles are respected.
- CVE-2020-12691
* SECURITY UPDATE: Keystone doesn't check signature TTL of the EC2
credential auth method.
- debian/patches/CVE-2020-12692.patch: Check timestamp of signed
EC2 token request.
- CVE-2020-12692
-- Corey Bryant <email address hidden> Fri, 28 Aug 2020 09:29:34 -0400
|
CVE-2020-12689 |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application crede |
CVE-2020-12691 |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a pro |
CVE-2020-12690 |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. T |
CVE-2020-12692 |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An atta |
|
About
-
Send Feedback to @ubuntu_updates