diff -Nru keystone-2012.1.3+stable-20130423-f48dd0fc/debian/changelog keystone-2012.1.3+stable-20130423-f48dd0fc/debian/changelog
--- keystone-2012.1.3+stable-20130423-f48dd0fc/debian/changelog 2013-04-24 16:34:45.000000000 +0000
+++ keystone-2012.1.3+stable-20130423-f48dd0fc/debian/changelog 2013-05-15 19:41:47.000000000 +0000
@@ -1,3 +1,14 @@
+keystone (2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1) precise-security; urgency=low
+
+ * SECURITY UPDATE: delete user token immediately upon delete when using v2
+ API
+ - CVE-2013-2059.patch: adjust keystone/identity/core.py to call
+ token_api.delete_token() during delete. Also update test suite.
+ - CVE-2013-2059
+ - LP: #1166670
+
+ -- Jamie Strandboge Wed, 15 May 2013 14:41:06 -0500
+
 keystone (2012.1.3+stable-20130423-f48dd0fc-0ubuntu1) precise-proposed; urgency=low
 * Resynchronize with stable/essex (LP: #1089488):
diff -Nru keystone-2012.1.3+stable-20130423-f48dd0fc/debian/patches/CVE-2013-2059.patch keystone-2012.1.3+stable-20130423-f48dd0fc/debian/patches/CVE-2013-2059.patch
--- keystone-2012.1.3+stable-20130423-f48dd0fc/debian/patches/CVE-2013-2059.patch 1970-01-01 00:00:00.000000000 +0000
+++ keystone-2012.1.3+stable-20130423-f48dd0fc/debian/patches/CVE-2013-2059.patch 2013-05-15 19:40:33.000000000 +0000
@@ -0,0 +1,58 @@
+Origin: upstream predisclosure
+Description: delete user token immediately upon delete when using v2 API
+Bug: https://bugs.launchpad.net/keystone/+bug/1166670
+
+Index: keystone-2012.1+stable~20120824-a16a0ab9/keystone/identity/core.py
+===================================================================
+--- keystone-2012.1+stable~20120824-a16a0ab9.orig/keystone/identity/core.py 2013-05-07 14:18:04.000000000 -0500
++++ keystone-2012.1+stable~20120824-a16a0ab9/keystone/identity/core.py 2013-05-07 14:18:04.000000000 -0500
+@@ -427,6 +427,14 @@
+ raise exception.UserNotFound(user_id=user_id)
+
+ self.identity_api.delete_user(context, user_id)
++ try:
++ for token_id in self.token_api.list_tokens(context, user_id):
++ self.token_api.delete_token(context, token_id)
++ except exception.NotImplemented:
++ # The users status has been changed but tokens remain valid for
++ # backends that can't list tokens for users
++ LOG.warning('User %s status has changed, but existing tokens '
++ 'remain valid' % user_id)
+
+ def set_user_enabled(self, context, user_id, user):
+ return self.update_user(context, user_id, user)
+Index: keystone-2012.1+stable~20120824-a16a0ab9/tests/test_keystoneclient.py
+===================================================================
+--- keystone-2012.1+stable~20120824-a16a0ab9.orig/tests/test_keystoneclient.py 2013-05-07 14:18:04.000000000 -0500
++++ keystone-2012.1+stable~20120824-a16a0ab9/tests/test_keystoneclient.py 2013-05-07 14:18:04.000000000 -0500
+@@ -370,6 +370,30 @@
+ self.get_client,
+ self.user_foo)
+
++ def test_delete_user_invalidates_token(self):
++ from keystoneclient import exceptions as client_exceptions
++
++ admin_client = self.get_client(admin=True)
++ client = self.get_client(admin=False)
++
++ username = uuid.uuid4().hex
++ password = uuid.uuid4().hex
++ user_id = admin_client.users.create(
++ name=username, password=password, email=uuid.uuid4().hex).id
++
++ token_id = client.tokens.authenticate(
++ 
username=username, password=password).id
++
++ # token should be usable before the user is deleted
++ client.tokens.authenticate(token=token_id)
++
++ admin_client.users.delete(user=user_id)
++
++ # authenticate with a token should not work after the user is deleted
++ self.assertRaises(client_exceptions.Unauthorized,
++ client.tokens.authenticate,
++ token=token_id)
++
+ def test_token_expiry_maintained(self):
+ foo_client = self.get_client(self.user_foo)
+ orig_token = foo_client.service_catalog.catalog['token']
diff -Nru keystone-2012.1.3+stable-20130423-f48dd0fc/debian/patches/series keystone-2012.1.3+stable-20130423-f48dd0fc/debian/patches/series
--- keystone-2012.1.3+stable-20130423-f48dd0fc/debian/patches/series 2013-04-24 16:34:45.000000000 +0000
+++ keystone-2012.1.3+stable-20130423-f48dd0fc/debian/patches/series 2013-05-15 19:40:46.000000000 +0000
@@ -1,3 +1,4 @@
 fix-ubuntu-tests.patch
 sql_connection.patch
 CVE-2013-0247.patch
+CVE-2013-2059.patch
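Review bot: The revocation loop added to keystone/identity/core.py catches only `exception.NotImplemented`, so if `self.token_api.delete_token()` raises for a single token that expired or was purged between `list_tokens()` and the delete (the token backends appear to raise `TokenNotFound` in that case, though that is not visible in this hunk), the sweep aborts after `self.identity_api.delete_user()` has already run and every later token in the list stays valid, which is the exact condition CVE-2013-2059 is meant to close. Wrapping only the `delete_token` call in a per-token `try/except exception.TokenNotFound: continue` keeps the loop going, and running the sweep before `self.identity_api.delete_user()` would avoid ending up with a deleted user that still holds live tokens when revocation fails for any other reason. The warning text `'User %s status has changed, but existing tokens remain valid'` and the comment above it read as copied from the enable/disable path; in delete_user it should say what happened, e.g. `LOG.warning('User %s was deleted, but existing tokens remain valid', user_id)`, which also drops the eager `%` formatting. The new test only exercises a backend whose `list_tokens` is implemented; a backend that raises `NotImplemented` silently keeps the tokens valid, and that gap deserves at least a note in the patch description. The enclosing `delete_user` method starts outside the hunk.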