keystone (2:14.2.0-0+deb10u2) buster-security; urgency=medium * Non maintainer upload by the LTS team * Add salsa CI * Fix CVE-2021-38155: keystone allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. * Fix CVE-2021-3563: Only the first 72 characters of an application secret were verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity. -- Bastien Roucariès Thu, 04 Jan 2024 23:48:53 +0000 keystone (2:14.2.0-0+deb10u1) buster-security; urgency=medium * New upstream point release. * Removed patch applied upstream: - PY3_switch_to_using_unicode_text_values.patch * Removed debian/keystone.cron.hourly: UUID tokens are removed in favor of Fernet tokens, therefore, this cron job is useless. * Add upstream patches to fix grave security bug: EC2 and credential endpoints are not protected from a scoped context (Closes: #959900). - 0001-Add-cadf-auditing-to-credentials.patch - CVE_Check_timestamp_of_signed_EC2_token_request.patch - Ensure_OAuth1_authorized_roles_are_respected.patch - CVE_Fix_security_issues_with_EC2_credentials.patch -- Thomas Goirand Mon, 25 Mar 2019 15:04:48 +0100 keystone (2:14.0.1-2) unstable; urgency=medium * Add PY3_switch_to_using_unicode_text_values.patch and requires python3-ldappool >= 2.3.1, which fixes using ldap with Keystone under Python 3 (Closes: #923949). -- Thomas Goirand Fri, 08 Mar 2019 12:19:47 +0100 keystone (2:14.0.1-1) unstable; urgency=medium [ Michal Arbet ] * New upstream version * d/control: Add me to uploaders field * d/copyright: Add me to copyright file [ Thomas Goirand ] * Update German debconf translation thanks to Chris Leick (Closes: #910622). -- Thomas Goirand Tue, 08 Jan 2019 09:38:02 +0100 keystone (2:14.0.0-2) unstable; urgency=medium * Do not run keystone.tests.unit.test_sql_upgrade tests, as it looks like broken if using SQLite (Closes: #909989). * Install correctly the examples folder into keystone-doc (ie: no nested examples folder). -- Thomas Goirand Mon, 01 Oct 2018 08:50:53 +0200 keystone (2:14.0.0-1) unstable; urgency=medium * New upstream release. * Updated debconf translations, with thanks to: - fr.po, Julien Patriarca (Closes: #901433). - nl.po, Frans Spiesschaert (Closes: #898866). * Uploading to unstable. -- Thomas Goirand Wed, 05 Sep 2018 13:04:10 +0200 keystone (2:14.0.0~rc1-1) experimental; urgency=medium * New upstream release. * Removed patches applied upstream: - remove_at_expression_from_tags.patch - CVE-2018-14432_Reduce_duplication_in_federated_auth_APIs.patch * Fixed (build-)depends for this release. -- Thomas Goirand Mon, 20 Aug 2018 14:28:30 +0200 keystone (2:13.0.0-7) unstable; urgency=high [ Michal Arbet ] * Remove auth-token stuff [ Thomas Goirand ] * Removed using twice --bootstrap-region-id ${REGION_NAME} when doing the keystone bootstraping. * CVE-2018-14432: authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Applie upstream patch for Ocata rebased to Newton: "Reduce duplication in federated auth APIs (Closes: #904616). [ Ondřej Nový ] * d/control: Use team+openstack@tracker.debian.org as maintainer -- Thomas Goirand Fri, 06 Apr 2018 11:08:58 +0000 keystone (2:13.0.0-6) unstable; urgency=medium * Do not create role admin, created during bootstrap. * Added selection of endpoint protocol (ie: http / https). -- Thomas Goirand Thu, 22 Mar 2018 12:12:14 +0000 keystone (2:13.0.0-5) unstable; urgency=medium * Switch back to Apache instead of uwsgi. -- Thomas Goirand Thu, 08 Mar 2018 20:30:01 +0100 keystone (2:13.0.0-4) unstable; urgency=medium * Calls systemctl enable keystone-admin / keystone-public before starting. -- Thomas Goirand Thu, 08 Mar 2018 16:26:30 +0100 keystone (2:13.0.0-3) unstable; urgency=medium * Switch back to using invoke-rc.d instead of service. * Remove option --no-orphans for uwsgi: this creates some 104 errors (ie: TCP connection reset by peer). -- Thomas Goirand Thu, 08 Mar 2018 15:56:50 +0100 keystone (2:13.0.0-2) unstable; urgency=medium * Switch to using service start instead of invoke-rc.d to start keystone from postinst. -- Thomas Goirand Thu, 08 Mar 2018 09:03:24 +0000 keystone (2:13.0.0-1) unstable; urgency=medium * New upstream release. * Switch to uwsgi instead of Apache. * Explicitely use python3 versions of config file generators. * Allow setting-up endpoints with IPv6 or FQDN when using debconf. * Handle policy.json correctly. -- Thomas Goirand Tue, 06 Mar 2018 09:55:14 +0000 keystone (2:13.0.0~rc2-1) unstable; urgency=medium * New upstream rc release. * Uploading to unstable. * Add remove_at_expression_from_tags.patch. -- Thomas Goirand Tue, 27 Feb 2018 10:31:50 +0000 keystone (2:13.0.0~rc1-2) unstable; urgency=medium * Uploading to unstable. -- Thomas Goirand Tue, 27 Feb 2018 10:26:17 +0000 keystone (2:13.0.0~rc1-1) experimental; urgency=medium [ Thomas Goirand ] * Add new role, rating, needed for cloudkitty. [ Ondřej Nový ] * d/control: Set Vcs-* to salsa.debian.org * Running wrap-and-sort -bast [ Thomas Goirand ] * New upstream release. * Fixed (build-)depends for this release. * Standards-Version is now 4.1.3. * Fixed tests to use pkgos-dh_auto_test and stestr. * Remove init-system-helpers from depends, as it's essential. * Also package examples. * Remove dh-systemd. * Switched to Python 3: - Blacklist broken test: SAMLGenerationTests.test_sign_assertion_exc. -- Thomas Goirand Wed, 14 Feb 2018 13:26:44 +0000 keystone (2:12.0.0-2) unstable; urgency=medium * Testing if a2dissite is available in postrm (Closes: #844448). * Uploading to unstable. -- Thomas Goirand Wed, 01 Nov 2017 11:51:03 +0000 keystone (2:12.0.0-1) experimental; urgency=medium [ Daniel Baumann ] * Updating vcs fields. * Updating copyright format url. * Updating maintainer field. * Running wrap-and-sort -bast. * Updating standards version to 4.0.0. * Removing gbp.conf, not used anymore or should be specified in the developers dotfiles. * Correcting permissions in debian packaging files. * Updating standards version to 4.0.1. * Deprecating priority extra as per policy 4.0.1. * Updating standards version to 4.1.0. [ Thomas Goirand ] * New upstream release. * Fixed (build-)depends for this release. * Removed obsolete patches. * Allow Babel 2.4.0 (patch requirements.txt). * Do not install policy.json and keystone.py/wsgi.py. * Do not use --noverbose when doing db_sync. * Fixed generating keystone.conf and now generating keystone.policy.yaml. * Create a MANIFEST.in to install missing migration files. * Also setup fernet tokens at install time. * More parameters when doing the bootstrap. -- Thomas Goirand Wed, 04 Oct 2017 23:44:59 +0200 keystone (2:10.0.0-9) unstable; urgency=high * CVE-2017-2673 (OSSA-2017-004): Incorrect role assignment with federated Keystone. Applied upstream patch: Do not fetch group assignments without groups (Closes: #861189). -- Thomas Goirand Tue, 25 Apr 2017 22:29:13 +0200 keystone (2:10.0.0-8) unstable; urgency=medium * Do not use /sbin/route at all, and use ip only if it is available. The previous "fix" was in fact wrong, as net-tools and iproute2 aren't essential packages and adding it as depends wont fix. -- Thomas Goirand Fri, 31 Mar 2017 14:26:30 +0200 keystone (2:10.0.0-7) unstable; urgency=medium * Team upload. * Dependency added: net-tools (Closes: #858215) -- David Rabel Sun, 19 Mar 2017 22:31:50 +0100 keystone (2:10.0.0-6) unstable; urgency=medium * Team upload. * Require newer python-routes (Closes: #851152) -- Ondřej Nový Tue, 24 Jan 2017 10:52:37 +0100 keystone (2:10.0.0-5) unstable; urgency=medium * Check if /var/log/keystone exists in cron job (Closes: #847692). -- Thomas Goirand Sun, 18 Dec 2016 11:52:15 +0100 keystone (2:10.0.0-4) unstable; urgency=medium * Fix passlib call of encrypt() which is replaced by hash() upstream (Closes: #846729). -- Thomas Goirand Mon, 05 Dec 2016 12:33:54 +0100 keystone (2:10.0.0-3) unstable; urgency=medium * Team upload. [ Ondřej Nový ] * Bumped debhelper compat version to 10 [ Ondřej Kobližek ] * Add upstream patch Remove_trailing_d_from_-days_param_of_OpenSSL_command.patch (Closes: #843865) * Patch-out upper constraints of SQLAlchemy -- Ondřej Kobližek Mon, 28 Nov 2016 13:04:02 +0100 keystone (2:10.0.0-2) unstable; urgency=medium * Fixed unix right of /var/log/keystone (Closes: #840221). -- Thomas Goirand Mon, 10 Oct 2016 11:53:43 +0200 keystone (2:10.0.0-1) unstable; urgency=medium * New upstream release. -- Thomas Goirand Thu, 06 Oct 2016 17:25:06 +0200 keystone (2:10.0.0~rc2-1) unstable; urgency=medium [ Ondřej Nový ] * d/s/options: extend-diff-ignore of .gitreview * d/control: Use correct branch in Vcs-* fields [ Thomas Goirand ] * New upstream release. * Uploading to unstable. * Build-Depends on openstack-pkg-tools >= 53~. * Fixed oslotest EPOCH. -- Thomas Goirand Tue, 04 Oct 2016 09:49:06 +0200 keystone (2:10.0.0~rc1-1) experimental; urgency=medium * New upstream release. * Add --parallel when running unit tests. * Add python-pep8 as build-depends-indep. -- Thomas Goirand Thu, 22 Sep 2016 09:50:50 +0200 keystone (2:10.0.0~b3-1) experimental; urgency=medium * New upstream release. * Fixed (build-)depends for this release. * Using OpenStack's Gerrit as VCS URL. [ Thomas Goirand ] * Always reconfigure apache to include keystone's vhost. * Also redo the keystone_bootstrap_admin in case of upgrades, and do a db_unregister of keystone/register-endpoint and keystone/create-admin-tenant to make sure we don't make it twice. [ Ondřej Nový ] * Added python-pep8 to build depends (Closes: #834617) -- Thomas Goirand Thu, 15 Sep 2016 14:58:20 +0200 keystone (2:10.0.0~b2-1) experimental; urgency=medium * New upstream release. * Fixed (build-)depends for this release. * Added missing build-depends: python-testresources. * Added missing runtime depends: apache2. * Make the cron.hourly work also with a commented provider= directive. * Also setup apache if not setting-up db. -- Thomas Goirand Thu, 14 Jul 2016 21:34:02 +0000 keystone (2:10.0.0~b1-1) experimental; urgency=medium [ Ondřej Nový ] * d/copyright: Changed source URL to https protocol [ Thomas Goirand ] * New upstream release. * Fixed (build-)depends for this release. * Drop now useless patches. * Remove files from $(CURDIR)/debian/tmp/usr/etc to avoid dh_install --fail-missing to fail. * Install tempest plugin correctly. * Patch requirements.txt to trash lines than breaks deps calculation. * Using oslo-config-generator to build keystone.conf. * Move all binaries to python-keystone, preparing Py3 transition. * keystone-all is gone, using uwsgi instead. -- Thomas Goirand Mon, 06 Jun 2016 15:30:58 +0000 keystone (2:9.0.0-2) unstable; urgency=high [ Ondřej Nový ] * Use /bin/sh as su shell in postinst script explicitly * Standards-Version is 3.9.8 now (no change) * Use /bin/sh instead of /bin/bash as default shell for "keystone" user [ Thomas Goirand ] * Fix the cron job to not run if we're not using UUID tokens, as it otherwise fail and fill-up the log file (LP: #1520321). * CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass. Add upstream patch: "Fix fernet audit ids for v2.0". (Closes: #824683). -- Thomas Goirand Thu, 19 May 2016 07:22:58 +0000 keystone (2:9.0.0-1) unstable; urgency=medium * New upstream release. -- Thomas Goirand Thu, 07 Apr 2016 17:53:48 +0200 keystone (2:9.0.0~rc2-1) unstable; urgency=medium * New upstream release. * Uploading to unstable. -- Thomas Goirand Mon, 04 Apr 2016 22:56:57 +0200 keystone (2:9.0.0~rc1-1) experimental; urgency=medium * New upstream release. * Require version >= 0.10.0 of python-migrate to make sure we have the python-decorator package installed. * Fixed (build-)depends for this release. -- Thomas Goirand Mon, 21 Mar 2016 16:12:36 +0100 keystone (2:9.0.0~b3-2) experimental; urgency=medium * Using "keystone-manage bootstrap" to create the initial admin, and then using it to further create users and endpoints. Note that through using environment variables, no passwords are leaking in /proc. -- Thomas Goirand Wed, 09 Mar 2016 21:31:44 +0000 keystone (2:9.0.0~b3-1) experimental; urgency=medium [ Ondřej Nový ] * Fixed VCS URLs (https). [ Thomas Goirand ] * New upstream release. * Fixed (build-)depends for this release. * Standards-Version: 3.9.7 (no change). * Rebased / refresh all patches. -- Thomas Goirand Thu, 03 Mar 2016 20:00:57 +0800 keystone (2:9.0.0~b2-3) experimental; urgency=medium * Added auto-creation of the Member and ResellerAdmin roles as this is needed for Swift auto-account-creation to work. -- Thomas Goirand Mon, 08 Feb 2016 08:11:14 +0000 keystone (2:9.0.0~b2-2) experimental; urgency=medium * Added git as build-depends. * Bump EPOCH to align with Ubuntu. * Remove version of init-system-helpers in keystone depends, as 1.18 is not available in Trusty. * By default, add a heat_stack_owner role. -- Thomas Goirand Mon, 25 Jan 2016 16:09:28 +0800 keystone (1:9.0.0~b2-1) experimental; urgency=medium * New upstream release. * Fixed (build-)depends for this release. * Fixed debian/copyright ordering. * Standards-Version is now 3.9.6 (no change). * Fix syntax error on an old debian/changelog entry. -- Thomas Goirand Mon, 07 Dec 2015 12:32:48 +0100 keystone (1:8.0.0-4) unstable; urgency=medium * If the debconf prompt for creating Keystone endpoint was yes, check first if there's no service already registered. * Also create a service project when creating users and tenants. * Setting-up /v2.0 as endpoint URL for Keystone to avoid compatibility issues with some services, even though we're using API v3. -- Thomas Goirand Wed, 04 Nov 2015 09:06:22 +0000 keystone (1:8.0.0-3) unstable; urgency=medium * Switching Keystone to use and configure API v3 by default. -- Thomas Goirand Mon, 02 Nov 2015 13:04:02 +0000 keystone (1:8.0.0-2) unstable; urgency=medium * Uploading to unstable. -- Thomas Goirand Fri, 16 Oct 2015 13:11:24 +0000 keystone (1:8.0.0-1) experimental; urgency=medium * New upstream release. * Now depends on pymysql. * Added a /etc/apache2/sites-available/wsgi-keystone.conf. -- Thomas Goirand Tue, 13 Oct 2015 14:56:01 +0200 keystone (1:8.0.0~rc1-1) experimental; urgency=medium * New upstream release. * Fixed (build-)depends for this release. * Rebased fixes-jsonschema-requirements.txt.patch. -- Thomas Goirand Wed, 23 Sep 2015 14:11:47 +0200 keystone (1:8.0.0~b3-4) experimental; urgency=medium * Doing the db_sync using the --noverbose option. -- Thomas Goirand Mon, 21 Sep 2015 12:40:13 +0000 keystone (1:8.0.0~b3-3) experimental; urgency=medium * Re-enabled KeystoneAdmin and KeystoneServiceAdmin roles, and using openstackclient instead of keystoneclient which is deprecated. * Stop doing pki_setup (it's not recommended upstream anymore). -- Thomas Goirand Mon, 21 Sep 2015 09:36:02 +0000 keystone (1:8.0.0~b3-2) experimental; urgency=medium * Fixed some (build-)depends versions. * Added patch to fix requiremnts.txt regarding python-jsonschema version. * Fixed admin user, role and tenant creation. * Back to /v2.0/ endpoints. -- Thomas Goirand Fri, 11 Sep 2015 08:45:50 +0000 keystone (1:8.0.0~b3-1) experimental; urgency=medium * New upstream release. * Now setting-up /v3 endpoint, not /v2.0. * Added AppArmor confinement for keystone-all. * Upstream removed run_tests.sh, now using testr directly. -- Thomas Goirand Tue, 11 Aug 2015 14:36:02 +0200 keystone (1:8.0.0~b2-1) experimental; urgency=medium * New upstream release. * Fixed (build-)depends for this release. -- Thomas Goirand Wed, 01 Jul 2015 12:29:17 +0200 keystone (2015.1.0-2) unstable; urgency=medium * Accepting SQLA 1.0.6. -- Thomas Goirand Wed, 01 Jul 2015 02:47:07 +0000 keystone (2015.1.0-1) unstable; urgency=medium * New upstream release. -- Thomas Goirand Thu, 30 Apr 2015 20:55:28 +0000 keystone (2015.1~rc2-1) unstable; urgency=medium * New upstream release. * Uploading to unstable. * Review (build-)depends. -- Thomas Goirand Mon, 22 Dec 2014 12:18:01 +0800 keystone (2014.2.1-1) experimental; urgency=medium * New upstream release. * Added oslo.serialization as (build-)depends. * Added depends: init-system-helpers (>= 1.18~), and deb-systemd-helper manual calls to activate the keystone.service. -- Thomas Goirand Fri, 12 Dec 2014 17:29:27 +0800 keystone (2014.2-1) experimental; urgency=medium * New upstream release. -- Thomas Goirand Thu, 16 Oct 2014 15:33:30 +0000 keystone (2014.2~rc2-1) experimental; urgency=medium * New upstream release. * Mangling upstream rc and beta versions in watch file. * Updated nl.po thanks to Frans Spiesschaert (Closes: #764205). * Using templated init script from openstack-pkg-tools >= 13. * Removed silly python-support build-depends. -- Thomas Goirand Mon, 13 Oct 2014 00:47:25 +0800 keystone (2014.2~rc1-1) experimental; urgency=medium * New upstream release. * Updated (build-)depends for this release. -- Thomas Goirand Tue, 30 Sep 2014 22:21:49 +0800 keystone (2014.2~b3-2) experimental; urgency=medium * Adds patch to avoid "git clone" when running the unit tests keystone.tests.test_keystoneclient.KcMasterTestCase.*. See https://review.openstack.org/122768/ for details. -- Thomas Goirand Fri, 19 Sep 2014 14:36:23 +0800 keystone (2014.2~b3-1) experimental; urgency=medium * New upstream release. * New (build-)depends for this release. * Ship a systemd service file using dh-systemd. [ gustavo panizzo] * Support to run keystone as user keystone. * Support to run keystone under systemd. -- Thomas Goirand Mon, 30 Jun 2014 23:07:59 +0800 keystone (2014.1.1-2) unstable; urgency=medium * CVE-2014-3476: privilege escalation through trust chained delegation. Applied upstream patch. (Closes: #751454). -- Thomas Goirand Fri, 13 Jun 2014 17:30:08 +0800 keystone (2014.1.1-1) unstable; urgency=medium * New upstream release. * Remove cve-2014-0204-stable-icehouse.patch applied upstream. * Removed sql_migration_ensure_using_innodb_utf8_for_assignment_table.patch applied upstream. -- Thomas Goirand Mon, 09 Jun 2014 23:22:20 +0800 keystone (2014.1-6) unstable; urgency=medium * Now build-depends on openstack-pkg-tools >= 12~. -- Thomas Goirand Thu, 05 Jun 2014 09:09:54 +0000 keystone (2014.1-5) unstable; urgency=medium * Updates cve-2014-0204-stable-icehouse.patch with latest version from upstream (Closes: #749026). -- Thomas Goirand Fri, 30 May 2014 23:09:45 +0800 keystone (2014.1-4) unstable; urgency=medium * Switched from restarting keystone to copytruncate in logrotate. -- Thomas Goirand Thu, 29 May 2014 14:19:42 +0800 keystone (2014.1-3) unstable; urgency=medium * Added sql migration: ensure using innodb utf8 for assignment table which fixes upgrade path from Havana. * Fixed cs.po. * Added cve-2014-0204-stable-icehouse.patch. * Standards-Version: is now 3.9.5 -- Thomas Goirand Tue, 20 May 2014 23:26:00 +0800 keystone (2014.1-2) unstable; urgency=medium * Fixed debian/watch to use github tags. * Now using "service X restart" to restart keystone after logrotate, and stop using dpkg-dev (Closes: #747890). -- Thomas Goirand Sat, 17 May 2014 01:54:29 +0800 keystone (2014.1-1) unstable; urgency=medium * New upstream release. * Uploading to unstable. * Fixed config file handling (DEFAULT/connection vs database/connection). (Closes: #744761). -- Thomas Goirand Tue, 15 Apr 2014 15:30:07 +0800 keystone (2014.1~rc2-1) experimental; urgency=low * New upstream pre-release. * Removed broken patch: defines-gettext-function-to-avoid-ftbfs.patch -- Thomas Goirand Wed, 09 Apr 2014 23:17:06 +0800 keystone (2014.1~rc1-1) experimental; urgency=low * New upstream release. * Fixed new upsteram (build-)dependencies. * Drops now useless fix-sqla-version-in-requirements patch. -- Thomas Goirand Fri, 28 Mar 2014 14:39:11 +0800 keystone (2014.1~b3-1) experimental; urgency=low * New upstream release (Icehouse beta 3). * Refresh patches. * Reviewed (build-)dependencies. * Fixed sphinx build for docs and man pages. -- Thomas Goirand Mon, 17 Feb 2014 15:27:56 +0800 keystone (2013.2.2-1) unstable; urgency=medium * New upstream point release. * Refreshed patches. * Remove patches applied upstream: Limit_calls_to_memcache_backend_as_user_token_index_increases_in_size.patch -- Thomas Goirand Fri, 14 Feb 2014 09:57:43 +0800 keystone (2013.2.1-2) unstable; urgency=medium * Adds a cut -d" " -f1 when detecting the local interface connected to the default gateway, so that it works with more than one default gateway. * Updated es.po debconf translation thanks to Matias A. Bellone (Closes: #732538). * Backported patch to replace oauth2 by oauthlib. * Changed dependency from oauth2 to oauthlib. [gustavo panizzo] * Patch to improve performance (lp: #1251123). -- Thomas Goirand Fri, 20 Dec 2013 22:00:34 +0800 keystone (2013.2.1-1) unstable; urgency=high * New upstream release (Closes: #731981) This fixes CVE-2013-6391. * Refreshed sql_conn.patch. * Removed CVE-2013-4477-havana.patch now applied upstream. * (build-)depends on python-iso8601 >= 0.1.8 instead of 0.1.4. -- Thomas Goirand Mon, 16 Dec 2013 16:46:48 +0800 keystone (2013.2-4) unstable; urgency=low * Fixes restart of keystone in logrotate script. (Closes: #731495). -- Thomas Goirand Fri, 06 Dec 2013 15:18:07 +0800 keystone (2013.2-3) unstable; urgency=medium * Updated German debconf templates, thanks: Chris Leick (Closes: #730454). -- Thomas Goirand Wed, 04 Dec 2013 16:32:51 +0800 keystone (2013.2-2) unstable; urgency=low * Moved python-memcache to Depends: instead of Recommends:. * Added missing python-babel depends. * Fixes a failed install if the target computer doesn't have a default route (lp: #1247342). * CVE-2013-4477: remove role assignment adds role using LDAP assignment (Closes: #728233). -- Thomas Goirand Sun, 03 Nov 2013 16:02:42 +0800 keystone (2013.2-1) unstable; urgency=low * New upstream release. * Uploading to unstable. -- Thomas Goirand Fri, 18 Oct 2013 00:18:57 +0800 keystone (2013.2~rc3-1) experimental; urgency=low * New upstream release. -- Thomas Goirand Sat, 29 Jun 2013 22:31:32 +0800 keystone (2013.1.2-1) unstable; urgency=low [ Thomas Goirand ] * Ran wrap-and-sort. * New upstream release. [ gustavo panizzo ] * Add support for TLS when using LDAP. * CVE-2013-2157: Authentication bypass when using LDAP backend. [OSSA 2013-015] -- Thomas Goirand Thu, 30 May 2013 11:25:11 +0800 keystone (2013.1.1-2) unstable; urgency=low * Uploading to unstable. * New upstream release: - Fixes CVE-2013-2059: Keystone tokens not immediately invalidated when user is deleted [OSSA 2013-011] (Closes: #707598). * Also installs httpd/keystone.py. -- Thomas Goirand Fri, 10 May 2013 10:22:18 +0800 keystone (2013.1-1) experimental; urgency=low * New upstream release. -- Thomas Goirand Wed, 30 Jan 2013 20:12:55 +0800 keystone (2012.2.3-2) experimental; urgency=low * CVE-2013-1865: Online validation of Keystone PKI tokens bypasses revocation check. -- Thomas Goirand Thu, 21 Mar 2013 00:52:02 +0800 keystone (2012.2.3-1) experimental; urgency=low * New upstream release. * CVE-2013-0247: Keystone denial of service through invalid token requests. * CVE-2013-0282 Keystone EC2-style authentication accepts disabled user/tenants (Closes: #700947). * CVE-2013-1664 & CVE-2013-1665: Information leak and Denial of Service using XML entities (Closes: #700948) -- Thomas Goirand Sun, 03 Feb 2013 11:05:36 +0800 keystone (2012.2.1-1) experimental; urgency=low * New upstream version. * Rewrite of the maintainer scripts using the pkgos scripts. * Fixes etc/default_catalog.templates to include Quantum config and to use regionOne and not RegionOne by default. * Increased compat level to 9 (and debhelper build-dep). * Fixes build-dep git-core -> git. -- Thomas Goirand Sun, 02 Dec 2012 13:08:38 +0000 keystone (2012.2~rc1-1) experimental; urgency=low * New snapshot release * Refresh patches * Remove CVE-2012-3542 incorporated upstream -- Mehdi Abaakouk Mon, 24 Sep 2012 10:37:31 +0200 keystone (2012.2~e3-1) experimental; urgency=low [ Mehdi Abaakouk ] * New upstream version. [ Thomas Goirand ] * Fixed build-dependencies correctly. * Made the package compatible with Ubuntu. * Now using xz level 9 compression. -- Mehdi Abaakouk Mon, 10 Sep 2012 17:56:09 +0200 keystone (2012.1.1-13+wheezy1) wheezy-proposed-updates; urgency=low * CVE-2013-2059: Keystone tokens not immediately invalidated when user is deleted [OSSA 2013-011]. Added backported to Essex patch which I picked-up from Launchpad. Thanks to the Canonical security team (Closes: #707598). -- Thomas Goirand Fri, 10 May 2013 10:09:14 +0800 keystone (2012.1.1-13) unstable; urgency=high * CVE-2013-0282: Ensure EC2 users and tenant are enabled (Closes: #700947). * CVE-2013-1664 & CVE-2013-1665: Information leak and Denial of Service using XML entities (Closes: #700948). -- Thomas Goirand Tue, 19 Feb 2013 12:56:42 +0800 keystone (2012.1.1-12) unstable; urgency=low * CVE-2013-0247: Keystone denial of service through invalid token requests (Closes: #699835). -- Thomas Goirand Wed, 06 Feb 2013 09:52:07 +0800 keystone (2012.1.1-11) unstable; urgency=high * Applies security patch from upstream: Ensures User is member of tenant in ec2 validation (Closes: #694433). * Added Japanese debconf template translation, thanks to victory (Closes: #693056). -- Thomas Goirand Mon, 26 Nov 2012 14:05:33 +0000 keystone (2012.1.1-10) unstable; urgency=low * Fixes keystone.config which wasn't starting dbconfig-common at first setup. * Do not use override_dh_fixperms:, sets the permissions of keystone.conf in the postinst using "install -m" instead of cp -auxf. * The default db is now sqlite:///var/lib/keystone/keystonedb, since that's what we run with Folsom, and that it might cause problems as "keystone.sqlite" isn't a valid MySQL db name. Changed debian/keystone.config accordingly. -- Thomas Goirand Wed, 10 Oct 2012 15:46:14 +0000 keystone (2012.1.1-9) unstable; urgency=high * Fixes sometimes failing keystone.postrm (db_get in some conditions can return false), and fixed non-consistant indenting. * Uses /usr/share/keystone/keystone.conf instead of /usr/share/doc/keystone /keystone.conf.sample for temporary storing the conf file (this was a policy violation, as the doc folder should never be required). * Fixes CVE-2012-4457: fails to raise Unauthorized user error for disabled, CVE-2012-4456: fails to validate tokens in Admin API (Closes: #689210). -- Thomas Goirand Mon, 01 Oct 2012 05:52:23 +0000 keystone (2012.1.1-8) unstable; urgency=low * Fixes parsing of the SQL connection in keystone.config. -- Thomas Goirand Sun, 30 Sep 2012 01:48:50 +0000 keystone (2012.1.1-7) unstable; urgency=low * Fixes band handling (eg: policy violation) of keystone.conf which was conffiles, but changed in the posinst (Closes: #687311). -- Thomas Goirand Wed, 12 Sep 2012 17:09:47 +0000 keystone (2012.1.1-6) unstable; urgency=high * CVE-2012-4413: Revoking a role does not affect existing tokens (Closes: #687428). -- Thomas Goirand Sun, 09 Sep 2012 02:21:11 +0000 keystone (2012.1.1-5) unstable; urgency=low * CVE-2012-3542: Fixes lack of authorization for adding users to tenants (Closes: #686265) * Added Chinese debconf translation thanks to ben . * Really adds the nl debconf translation this time (Closes: #685671). -- Thomas Goirand Mon, 27 Aug 2012 11:45:44 +0000 keystone (2012.1.1-4) unstable; urgency=low * Updated debian/keystone.templates, debian/control after review from the internationalization team (Closes: #683414, #679295). * Updated debconf translations with thanks to: - de: Pfannenstein Erik (Closes: #684877) - cs: Michal Šimůnek (Closes: #685434) - pl: Michał Kułach (Closes: #685431) - fr: David Prévot (Closes: #685325) - sv: Martin Bagge (Closes: #684942) - sk: helix84 (Closes: #684606) - ru: Yuri Kozlov (Closes: #684590) - da: Joe Dalton (Closes: #684565) - pt: Pedro Ribeiro (Closes: #682438) - es: SM Baby Siabef (Closes: #685435) - it: Beatrice Torracca (Closes: #685623) * Added debconf translations with thanks to: - pt_BR: Adriano Rafael Gomes (Closes: #685405) - nl: Jeroen Schot (Closes: #685671) -- Thomas Goirand Tue, 21 Aug 2012 08:06:07 +0000 keystone (2012.1.1-3) unstable; urgency=low * Re-added Debconf template which has been removed by the patch of 2012.1.1-2 from Bubulle (Closes: #683337). * Removed one occurence of a dependency declared twice: python-sqlalchemy. -- Thomas Goirand Tue, 31 Jul 2012 12:37:24 +0000 keystone (2012.1.1-2) unstable; urgency=low * Debconf templates and debian/control reviewed by the debian-l10n- english team as part of the Smith review project. Closes: #679295 * [Debconf translation updates] * Recycle translations from nova for several languages. Additionnally: * Danish (Joe Hansen). Closes: #680082 * Swedish (Martin Bagge / brother). Closes: #680847 * Spanish; (SM Baby Siabef). Closes: #681003 * Italian (Beatrice Torracca). Closes: #681249 * Slovak (Ivan Masár). Closes: #682784 * Fixed the get-vcs-source target in debian/rules. -- Thomas Goirand Thu, 19 Jul 2012 06:21:30 +0000 keystone (2012.1.1-1) unstable; urgency=low * New upstream release. -- Ghe Rivero Fri, 22 Jun 2012 09:41:24 +0200 keystone (2012.1-3) unstable; urgency=low * Add logrotate for keystone.log. Closes: #663717 -- Mehdi Abaakouk Tue, 22 May 2012 14:48:56 +0200 keystone (2012.1-2) unstable; urgency=low * Fixed python version requisites on webob and pam. Closes: #665804 -- Ghe Rivero Wed, 02 May 2012 10:17:35 +0200 keystone (2012.1-1) unstable; urgency=low * New upstream release -- Ghe Rivero Mon, 09 Apr 2012 09:06:22 +0200 keystone (2012.1~rc2-1) unstable; urgency=low * New upstream release. -- Ghe Rivero Wed, 04 Apr 2012 10:09:36 +0200 keystone (2012.1~rc1-2) unstable; urgency=low * Removed check timeout from keystone.postinst. Closes: #665739 -- Ghe Rivero Tue, 27 Mar 2012 13:12:01 +0200 keystone (2012.1~rc1-1) unstable; urgency=low * New upstream release. -- Ghe Rivero Sat, 24 Mar 2012 09:14:50 +0100 keystone (2012.1~e4+git35-g4e4f793-1) UNRELEASED; urgency=low [ Julien Danjou ] * Install egg-info This is needed at least for Swift. [ Ghe Rivero ] * Added keystone/auth-token question. Closes: #662458 -- Julien Danjou Fri, 02 Mar 2012 10:34:30 +0100 keystone (2012.1~e4-1) unstable; urgency=low * New upstream release -- Ghe Rivero Fri, 02 Mar 2012 08:38:43 +0100 keystone (2012.1~e3+git772-g6919b05-1) UNRELEASED; urgency=low [ Julien Danjou ] * Fix permissions /etc/keystone * Add projectmanager role on initial database creation * Do not run dbconfig by default That fixes LP#931236 until #607171 is fixed in dbconfig-common. Patch based on: http://bazaar.launchpad.net/~ubuntu-server-dev/keystone/essex/revision/83 -- Julien Danjou Mon, 06 Feb 2012 10:35:52 +0100 keystone (2012.1~e3-4) unstable; urgency=low * Add missing python-migrate, python-prettytable, python-mox in build deps (Closes: #658592) * Deactivate tests because they fails (upstream problem) -- Julien Danjou Mon, 06 Feb 2012 10:35:52 +0100 keystone (2012.1~e3-3) unstable; urgency=low * Add missing dependency on python-dateutil -- Julien Danjou Tue, 31 Jan 2012 12:37:35 +0100 keystone (2012.1~e3-2) unstable; urgency=low * Add dbconfig prerm -- Julien Danjou Fri, 27 Jan 2012 16:13:48 +0100 keystone (2012.1~e3-1) unstable; urgency=low * New upstream release. * Use dbconfig to configure database -- Julien Danjou Thu, 26 Jan 2012 17:03:10 +0100 keystone (2012.1~e2-4) unstable; urgency=low * Fix default location of keystone db file -- Ghe Rivero Tue, 24 Jan 2012 09:43:15 +0100 keystone (2012.1~e2-3) unstable; urgency=low * Add missing build depends on python-nose (Closes: #652805) * Remove useless python fields in control -- Julien Danjou Tue, 27 Dec 2011 11:40:18 +0100 keystone (2012.1~e2-2) unstable; urgency=low * Fix init script -- Julien Danjou Mon, 19 Dec 2011 17:16:48 +0100 keystone (2012.1~e2-1) unstable; urgency=low * New upstream release. * Disable doc building because it's currently failing. -- Julien Danjou Fri, 16 Dec 2011 11:12:44 +0100 keystone (2012.1~e1-2) unstable; urgency=low * Fix python-keystone installation file by including only keystone lib (Closes: #649907). * Add missing manpages. -- Julien Danjou Fri, 25 Nov 2011 10:43:59 +0100 keystone (2012.1~e1-1) unstable; urgency=low * New upstream release. * Cherry-pick 33c1c9390331b3bacd3791b537b6a1147715925c from upstream to fix documentation building. -- Julien Danjou Thu, 24 Nov 2011 16:21:50 +0100 keystone (2011.3-1) unstable; urgency=low * Initial release (Closes: #647611) -- Julien Danjou Tue, 15 Nov 2011 11:29:13 +0100