diff -Nru python-keystoneclient-0.7.1/debian/changelog python-keystoneclient-0.7.1/debian/changelog --- python-keystoneclient-0.7.1/debian/changelog 2015-01-16 19:30:16.000000000 +0000 +++ python-keystoneclient-0.7.1/debian/changelog 2015-07-16 21:25:42.000000000 +0000 @@ -1,12 +1,19 @@ -python-keystoneclient (1:0.7.1-ubuntu1.1) trusty-security; urgency=medium +python-keystoneclient (1:0.7.1-ubuntu1.2) trusty-security; urgency=medium * SECURITY UPDATE: incorrect cert verification with ssl_insecure option - debian/patches/CVE-2014-7144.patch: properly parse option in - keystoneclient/middleware/auth_token.py, added test to - keystoneclient/tests/test_auth_token_middleware.py. + keystoneclient/middleware/auth_token.py. - CVE-2014-7144 + * SECURITY UPDATE: incorrect cert verification with ssl_insecure option + - debian/patches/CVE-2015-1852.patch: properly parse option in + keystoneclient/middleware/s3_token.py, added test to + keystoneclient/tests/test_s3_token_middleware.py. + - CVE-2015-1852 + * Properly run test suite during build: + - debian/control: added python-testresources to Build-Depends + - debian/rules: call testr directly - -- Marc Deslauriers Fri, 16 Jan 2015 14:30:16 -0500 + -- Marc Deslauriers Thu, 16 Jul 2015 15:05:21 -0400 python-keystoneclient (1:0.7.1-ubuntu1) trusty; urgency=medium diff -Nru python-keystoneclient-0.7.1/debian/control python-keystoneclient-0.7.1/debian/control --- python-keystoneclient-0.7.1/debian/control 2014-03-27 17:15:57.000000000 +0000 +++ python-keystoneclient-0.7.1/debian/control 2015-07-16 19:43:42.000000000 +0000 
@@ -21,6 +21,7 @@ python-setuptools, python-simplejson, python-six, + python-testresources, python-testtools, python-webob, testrepository diff -Nru python-keystoneclient-0.7.1/debian/patches/CVE-2014-7144.patch python-keystoneclient-0.7.1/debian/patches/CVE-2014-7144.patch --- python-keystoneclient-0.7.1/debian/patches/CVE-2014-7144.patch 2015-01-16 19:30:28.000000000 +0000 +++ python-keystoneclient-0.7.1/debian/patches/CVE-2014-7144.patch 2015-07-16 21:26:07.000000000 +0000 
@@ -1,98 +1,24 @@ -Backport of: - -From 5c9c97f1a5dffe5964e945bf68d009fd68e616fc Mon Sep 17 00:00:00 2001 -From: Qin Zhao -Date: Wed, 6 Aug 2014 15:47:58 +0800 -Subject: [PATCH] Fix the condition expression for ssl_insecure - -In the existing code, self.ssl_insecure is a string. If insecure -option is set in nova api-paste.ini, whatever it is 'true' or -'false', kwargs['verify'] will become False. This commit corrects -the condition expression. This patch is backported from -https://review.openstack.org/#/c/113191/ - -Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03 -Closes-Bug: 1353315 ---- - keystoneclient/middleware/auth_token.py | 26 +++++++++++++++++++- - keystoneclient/tests/test_auth_token_middleware.py | 23 +++++++++++++++++ - 2 files changed, 48 insertions(+), 1 deletion(-) +Description: fix incorrect cert verification with ssl_insecure option +Author: Marc Deslauriers Index: python-keystoneclient-0.7.1/keystoneclient/middleware/auth_token.py =================================================================== ---- python-keystoneclient-0.7.1.orig/keystoneclient/middleware/auth_token.py 2015-01-16 14:29:22.284295970 -0500 -+++ python-keystoneclient-0.7.1/keystoneclient/middleware/auth_token.py 2015-01-16 14:29:54.920608413 -0500 -@@ -350,6 +350,27 @@ - return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s - - -+def _conf_values_type_convert(conf): -+ """Convert conf values into correct type.""" -+ if not conf: -+ return {} -+ _opts = {} -+ opt_types = dict((o.dest, o.type) for o in opts) -+ for k, v in six.iteritems(conf): -+ try: -+ if v is None: -+ _opts[k] = v -+ else: -+ _opts[k] = opt_types[k](v) -+ except KeyError: -+ _opts[k] = v -+ except ValueError as e: -+ raise ConfigurationError( -+ 'Unable to convert the value of %s option into correct ' -+ 'type: %s' % (k, e)) -+ return _opts -+ -+ - class InvalidUserToken(Exception): - pass - -@@ -385,7 +406,10 @@ - def __init__(self, app, conf): - self.LOG = 
logging.getLogger(conf.get('log_name', __name__)) - self.LOG.info('Starting keystone auth_token middleware') -- self.conf = conf -+ # NOTE(wanghong): If options are set in paste file, all the option -+ # values passed into conf are string type. So, we should convert the -+ # conf value into correct type. -+ self.conf = _conf_values_type_convert(conf) - self.app = app - - # delay_auth_decision means we still allow unauthenticated requests -Index: python-keystoneclient-0.7.1/keystoneclient/tests/test_auth_token_middleware.py -=================================================================== ---- python-keystoneclient-0.7.1.orig/keystoneclient/tests/test_auth_token_middleware.py 2015-01-16 14:29:22.284295970 -0500 -+++ python-keystoneclient-0.7.1/keystoneclient/tests/test_auth_token_middleware.py 2015-01-16 14:29:22.284295970 -0500 -@@ -487,6 +487,29 @@ - self.assertEqual( - set([inner_cache, outer_cache]), set(self.middleware._cache_pool)) - -+ def test_conf_values_type_convert(self): -+ conf = { -+ 'revocation_cache_time': '24', -+ 'identity_uri': 'https://keystone.example.com:1234', -+ 'include_service_catalog': '0', -+ 'nonexsit_option': '0', -+ } -+ -+ middleware = auth_token.AuthProtocol(self.fake_app, conf) -+ self.assertEqual(datetime.timedelta(seconds=24), -+ middleware.token_revocation_list_cache_timeout) -+ self.assertEqual(False, middleware.include_service_catalog) -+ self.assertEqual('https://keystone.example.com:1234', -+ middleware.identity_uri) -+ self.assertEqual('0', middleware.conf['nonexsit_option']) -+ -+ def test_conf_values_type_convert_with_wrong_value(self): -+ conf = { -+ 'include_service_catalog': '123', -+ } -+ self.assertRaises(auth_token.ConfigurationError, -+ auth_token.AuthProtocol, self.fake_app, conf) -+ - - class CommonAuthTokenMiddlewareTest(object): +--- python-keystoneclient-0.7.1.orig/keystoneclient/middleware/auth_token.py 2015-07-16 17:07:22.000000000 -0400 ++++ 
python-keystoneclient-0.7.1/keystoneclient/middleware/auth_token.py 2015-07-16 17:14:26.575852486 -0400 +@@ -163,6 +163,7 @@ + from keystoneclient.openstack.common import jsonutils + from keystoneclient.openstack.common import memorycache + from keystoneclient.openstack.common import timeutils ++from keystoneclient.openstack.common import strutils + from keystoneclient import utils + + +@@ -426,7 +427,7 @@ + self.cert_file = self._conf_get('certfile') + self.key_file = self._conf_get('keyfile') + self.ssl_ca_file = self._conf_get('cafile') +- self.ssl_insecure = self._conf_get('insecure') ++ self.ssl_insecure = strutils.bool_from_string(self._conf_get('insecure')) + # signing + self.signing_dirname = self._conf_get('signing_dir') diff -Nru python-keystoneclient-0.7.1/debian/patches/CVE-2015-1852.patch python-keystoneclient-0.7.1/debian/patches/CVE-2015-1852.patch --- python-keystoneclient-0.7.1/debian/patches/CVE-2015-1852.patch 1970-01-01 00:00:00.000000000 +0000 +++ python-keystoneclient-0.7.1/debian/patches/CVE-2015-1852.patch 2015-07-16 21:25:19.000000000 +0000 
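Review bot: The rewritten patch carries no regression test for the new `self.ssl_insecure = strutils.bool_from_string(self._conf_get('insecure'))` line — the previous revision's `test_conf_values_type_convert` cases in test_auth_token_middleware.py are removed and nothing in this upload replaces them, so the suite that debian/rules now runs does not check that a paste-file `insecure = false` keeps verification on. The sibling CVE-2015-1852.patch in this upload adds `test_insecure_option` for s3_token; a matching test constructing `auth_token.AuthProtocol(self.fake_app, {'insecure': 'false'})` and asserting `middleware.ssl_insecure is False` (and `True` for `'true'`) would close that gap. The removed `_conf_values_type_convert` converted every option by its declared type, whereas the new line converts only `insecure`; per the removed NOTE(wanghong) comment, other options set in the paste file still arrive as strings, so any other boolean read through `_conf_get` keeps the old truthy-string behaviour — probably not security-relevant, but worth confirming. `bool_from_string` maps unrecognized strings to False, i.e. verification stays on, which fails closed; if this copy of strutils accepts `strict=True`, a typo would raise instead of being silently ignored (the same applies to the s3_token patch). The enclosing `__init__` starts outside the hunk, and the new DEP-3 header drops the upstream reference (change I91db8e1cb39c017167a4160079846ac7c0663b03, bug 1353315) that the old header carried — an `Origin:`/`Bug:` field would keep that provenance.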
@@ -0,0 +1,81 @@ +Backport of: + +From 0e3a23d28438f3a298a384b1e1f1390cfa92b151 Mon Sep 17 00:00:00 2001 +From: Brant Knudson +Date: Tue, 7 Apr 2015 19:38:29 +0000 +Subject: [PATCH] Fix s3_token middleware parsing insecure option + +The "insecure" option was being treated as a bool when it was +actually provided as a string. The fix is to parse the string to +a bool. + +Closes-Bug: 1411063 +Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3 +--- + keystoneclient/middleware/s3_token.py | 3 ++- + keystoneclient/tests/test_s3_token_middleware.py | 24 +++++++++++++++++++++++- + 2 files changed, 25 insertions(+), 2 deletions(-) + +Index: python-keystoneclient-0.7.1/keystoneclient/middleware/s3_token.py +=================================================================== +--- python-keystoneclient-0.7.1.orig/keystoneclient/middleware/s3_token.py 2015-07-16 17:24:42.779762830 -0400 ++++ python-keystoneclient-0.7.1/keystoneclient/middleware/s3_token.py 2015-07-16 17:25:16.408194217 -0400 +@@ -39,6 +39,7 @@ + from six.moves import urllib + + from keystoneclient.openstack.common import jsonutils ++from keystoneclient.openstack.common import strutils + + + PROTOCOL_NAME = 'S3 Token Authentication' +@@ -113,7 +114,7 @@ + self.request_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port) + + # SSL +- insecure = conf.get('insecure', False) ++ insecure = strutils.bool_from_string(conf.get('insecure', False)) + cert_file = conf.get('certfile') + key_file = conf.get('keyfile') + +Index: python-keystoneclient-0.7.1/keystoneclient/tests/test_s3_token_middleware.py +=================================================================== +--- python-keystoneclient-0.7.1.orig/keystoneclient/tests/test_s3_token_middleware.py 2015-07-16 17:24:42.779762830 -0400 ++++ python-keystoneclient-0.7.1/keystoneclient/tests/test_s3_token_middleware.py 2015-07-16 17:24:42.779762830 -0400 +@@ -123,7 +123,7 @@ + @mock.patch.object(requests, 'post') + def test_insecure(self, MOCK_REQUEST): + 
self.middleware = ( +- s3_token.filter_factory({'insecure': True})(FakeApp())) ++ s3_token.filter_factory({'insecure': 'True'})(FakeApp())) + + text_return_value = jsonutils.dumps(GOOD_RESPONSE) + if six.PY3: +@@ -141,6 +141,28 @@ + mock_args, mock_kwargs = MOCK_REQUEST.call_args + self.assertIs(mock_kwargs['verify'], False) + ++ def test_insecure_option(self): ++ # insecure is passed as a string. ++ ++ # Some non-secure values. ++ true_values = ['true', 'True', '1', 'yes'] ++ for val in true_values: ++ config = {'insecure': val, 'certfile': 'false_ind'} ++ middleware = s3_token.filter_factory(config)(FakeApp()) ++ self.assertIs(False, middleware.verify) ++ ++ # Some "secure" values, including unexpected value. ++ false_values = ['false', 'False', '0', 'no', 'someweirdvalue'] ++ for val in false_values: ++ config = {'insecure': val, 'certfile': 'false_ind'} ++ middleware = s3_token.filter_factory(config)(FakeApp()) ++ self.assertEqual('false_ind', middleware.verify) ++ ++ # Default is secure. ++ config = {'certfile': 'false_ind'} ++ middleware = s3_token.filter_factory(config)(FakeApp()) ++ self.assertIs('false_ind', middleware.verify) ++ + + class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase): + def setUp(self): diff -Nru python-keystoneclient-0.7.1/debian/patches/series python-keystoneclient-0.7.1/debian/patches/series --- python-keystoneclient-0.7.1/debian/patches/series 2015-01-16 19:29:18.000000000 +0000 +++ python-keystoneclient-0.7.1/debian/patches/series 2015-07-16 21:24:02.000000000 +0000 @@ -1 +1,2 @@ CVE-2014-7144.patch +CVE-2015-1852.patch diff -Nru python-keystoneclient-0.7.1/debian/rules python-keystoneclient-0.7.1/debian/rules --- python-keystoneclient-0.7.1/debian/rules 2014-03-27 17:15:57.000000000 +0000 +++ python-keystoneclient-0.7.1/debian/rules 2015-07-16 19:40:28.000000000 +0000 
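Review bot: In the added `test_insecure_option`, the default-is-secure check uses `self.assertIs('false_ind', middleware.verify)` while the false-values loop just above uses `assertEqual`; identity between two str literals only holds through CPython's constant interning, so the last assertion should read `self.assertEqual('false_ind', middleware.verify)` to match the loop. Otherwise the test pins the fail-closed behaviour for `'someweirdvalue'`, which is the property the CVE fix depends on, and the default-secure case is covered as well.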
@@ -8,7 +8,7 @@ override_dh_auto_test: ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) - bash run_tests.sh -N -P || true + testr init && testr run endif get-orig-source:
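Review bot: `testr init` fails when a `.testrepository` directory already exists, so the new recipe breaks a rebuild in an uncleaned tree (or a tarball that ships one) before a single test runs, and with `|| true` gone that aborts the package build. Guarding the init, `[ -d .testrepository ] || testr init`, and removing `.testrepository` in the clean target (not visible in this hunk, if one exists) keeps the recipe re-runnable. The `&&` chaining otherwise does the intended thing: a failing test suite now fails the build, which is what the changelog entry asks for.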