This bug was fixed in the package keystone - 2:13.0.4-0ubuntu1~cloud0

---------------
keystone (2:13.0.4-0ubuntu1~cloud0) xenial-queens; urgency=medium
.
  * New update for the Ubuntu Cloud Archive.
.
keystone (2:13.0.4-0ubuntu1) bionic-security; urgency=medium
.
  [ Chris MacNaughton ]
  * d/watch: Update to point at opendev.org.
  * New stable point release for OpenStack Queens (LP: #1893234).
    - d/p/0001-fixing-dn-to-id.patch: Dropped. Fixed in upstream release.
.
  [ Corey Bryant ]
  * SECURITY UPDATE: EC2 and/or credential endpoints are not protected
    from a scoped context. Keystone V3 /credentials endpoint policy
    logic allows to change credentials owner or target project ID.
    - debian/patches/CVE-2020-12689-CVE-2020-12691.patch: Fix security
      issues with EC2 credentials, addressing several issues in the
      creation and use of EC2/S3 credentials with keystone tokens.
    - CVE-2020-12689, CVE-2020-12691
  * SECURITY UPDATE: OAuth1 request token authorize silently ignores
    roles parameter.
    - debian/patches/CVE-2020-12690.patch: Ensure OAuth1 authorized
      roles are respected.
    - CVE-2020-12691
  * SECURITY UPDATE: Keystone doesn't check signature TTL of the EC2
    credential auth method.
    - debian/patches/CVE-2020-12692.patch: Check timestamp of signed
      EC2 token request.
    - CVE-2020-12692