keystone (2:14.2.0-0+deb10u1) buster-security; urgency=medium

  * New upstream point release.
  * Removed patch applied upstream:
    - PY3_switch_to_using_unicode_text_values.patch
  * Removed debian/keystone.cron.hourly: UUID tokens are removed in favor of
    Fernet tokens, therefore, this cron job is useless.
  * Add upstream patches to fix grave security bug: EC2 and credential
    endpoints are not protected from a scoped context (Closes: #959900).
    - 0001-Add-cadf-auditing-to-credentials.patch
    - CVE_Check_timestamp_of_signed_EC2_token_request.patch
    - Ensure_OAuth1_authorized_roles_are_respected.patch
    - CVE_Fix_security_issues_with_EC2_credentials.patch

 -- Thomas Goirand Mon, 25 Mar 2019 15:04:48 +0100

keystone (2:14.0.1-2) unstable; urgency=medium

  * Add PY3_switch_to_using_unicode_text_values.patch and requires
    python3-ldappool >= 2.3.1, which fixes using ldap with Keystone under
    Python 3 (Closes: #923949).

 -- Thomas Goirand Fri, 08 Mar 2019 12:19:47 +0100

keystone (2:14.0.1-1) unstable; urgency=medium

  [ Michal Arbet ]
  * New upstream version
  * d/control: Add me to uploaders field
  * d/copyright: Add me to copyright file

  [ Thomas Goirand ]
  * Update German debconf translation thanks to Chris Leick
    (Closes: #910622).

 -- Thomas Goirand Tue, 08 Jan 2019 09:38:02 +0100

keystone (2:14.0.0-2) unstable; urgency=medium

  * Do not run keystone.tests.unit.test_sql_upgrade tests, as it looks like
    broken if using SQLite (Closes: #909989).
  * Install correctly the examples folder into keystone-doc (ie: no nested
    examples folder).

 -- Thomas Goirand Mon, 01 Oct 2018 08:50:53 +0200

keystone (2:14.0.0-1) unstable; urgency=medium

  * New upstream release.
  * Updated debconf translations, with thanks to:
    - fr.po, Julien Patriarca (Closes: #901433).
    - nl.po, Frans Spiesschaert (Closes: #898866).
  * Uploading to unstable.

 -- Thomas Goirand Wed, 05 Sep 2018 13:04:10 +0200

keystone (2:14.0.0~rc1-1) experimental; urgency=medium

  * New upstream release.
  * Removed patches applied upstream:
    - remove_at_expression_from_tags.patch
    - CVE-2018-14432_Reduce_duplication_in_federated_auth_APIs.patch
  * Fixed (build-)depends for this release.

 -- Thomas Goirand Mon, 20 Aug 2018 14:28:30 +0200

keystone (2:13.0.0-7) unstable; urgency=high

  [ Michal Arbet ]
  * Remove auth-token stuff

  [ Thomas Goirand ]
  * Removed using twice --bootstrap-region-id ${REGION_NAME} when doing the
    keystone bootstrapping.
  * CVE-2018-14432: authenticated user may discover projects they have no
    authority to access, leaking all projects in the deployment and their
    attributes. Applied upstream patch for Ocata rebased to Newton: "Reduce
    duplication in federated auth APIs" (Closes: #904616).

  [ Ondřej Nový ]
  * d/control: Use team+openstack@tracker.debian.org as maintainer

 -- Thomas Goirand Fri, 06 Apr 2018 11:08:58 +0000

keystone (2:13.0.0-6) unstable; urgency=medium

  * Do not create role admin, created during bootstrap.
  * Added selection of endpoint protocol (ie: http / https).

 -- Thomas Goirand Thu, 22 Mar 2018 12:12:14 +0000

keystone (2:13.0.0-5) unstable; urgency=medium

  * Switch back to Apache instead of uwsgi.

 -- Thomas Goirand Thu, 08 Mar 2018 20:30:01 +0100

keystone (2:13.0.0-4) unstable; urgency=medium

  * Calls systemctl enable keystone-admin / keystone-public before starting.

 -- Thomas Goirand Thu, 08 Mar 2018 16:26:30 +0100

keystone (2:13.0.0-3) unstable; urgency=medium

  * Switch back to using invoke-rc.d instead of service.
  * Remove option --no-orphans for uwsgi: this creates some 104 errors (ie:
    TCP connection reset by peer).

 -- Thomas Goirand Thu, 08 Mar 2018 15:56:50 +0100

keystone (2:13.0.0-2) unstable; urgency=medium

  * Switch to using service start instead of invoke-rc.d to start keystone
    from postinst.

 -- Thomas Goirand Thu, 08 Mar 2018 09:03:24 +0000

keystone (2:13.0.0-1) unstable; urgency=medium

  * New upstream release.
  * Switch to uwsgi instead of Apache.
  * Explicitly use python3 versions of config file generators.
  * Allow setting-up endpoints with IPv6 or FQDN when using debconf.
  * Handle policy.json correctly.

 -- Thomas Goirand Tue, 06 Mar 2018 09:55:14 +0000

keystone (2:13.0.0~rc2-1) unstable; urgency=medium

  * New upstream rc release.
  * Uploading to unstable.
  * Add remove_at_expression_from_tags.patch.

 -- Thomas Goirand Tue, 27 Feb 2018 10:31:50 +0000

keystone (2:13.0.0~rc1-2) unstable; urgency=medium

  * Uploading to unstable.

 -- Thomas Goirand Tue, 27 Feb 2018 10:26:17 +0000

keystone (2:13.0.0~rc1-1) experimental; urgency=medium

  [ Thomas Goirand ]
  * Add new role, rating, needed for cloudkitty.

  [ Ondřej Nový ]
  * d/control: Set Vcs-* to salsa.debian.org
  * Running wrap-and-sort -bast

  [ Thomas Goirand ]
  * New upstream release.
  * Fixed (build-)depends for this release.
  * Standards-Version is now 4.1.3.
  * Fixed tests to use pkgos-dh_auto_test and stestr.
  * Remove init-system-helpers from depends, as it's essential.
  * Also package examples.
  * Remove dh-systemd.
  * Switched to Python 3:
    - Blacklist broken test: SAMLGenerationTests.test_sign_assertion_exc.

 -- Thomas Goirand Wed, 14 Feb 2018 13:26:44 +0000

keystone (2:12.0.0-2) unstable; urgency=medium

  * Testing if a2dissite is available in postrm (Closes: #844448).
  * Uploading to unstable.

 -- Thomas Goirand Wed, 01 Nov 2017 11:51:03 +0000

keystone (2:12.0.0-1) experimental; urgency=medium

  [ Daniel Baumann ]
  * Updating vcs fields.
  * Updating copyright format url.
  * Updating maintainer field.
  * Running wrap-and-sort -bast.
  * Updating standards version to 4.0.0.
  * Removing gbp.conf, not used anymore or should be specified in the
    developers dotfiles.
  * Correcting permissions in debian packaging files.
  * Updating standards version to 4.0.1.
  * Deprecating priority extra as per policy 4.0.1.
  * Updating standards version to 4.1.0.

  [ Thomas Goirand ]
  * New upstream release.
  * Fixed (build-)depends for this release.
  * Removed obsolete patches.
  * Allow Babel 2.4.0 (patch requirements.txt).
  * Do not install policy.json and keystone.py/wsgi.py.
  * Do not use --noverbose when doing db_sync.
  * Fixed generating keystone.conf and now generating keystone.policy.yaml.
  * Create a MANIFEST.in to install missing migration files.
  * Also setup fernet tokens at install time.
  * More parameters when doing the bootstrap.

 -- Thomas Goirand Wed, 04 Oct 2017 23:44:59 +0200

keystone (2:10.0.0-9) unstable; urgency=high

  * CVE-2017-2673 (OSSA-2017-004): Incorrect role assignment with federated
    Keystone. Applied upstream patch: Do not fetch group assignments without
    groups (Closes: #861189).

 -- Thomas Goirand Tue, 25 Apr 2017 22:29:13 +0200

keystone (2:10.0.0-8) unstable; urgency=medium

  * Do not use /sbin/route at all, and use ip only if it is available. The
    previous "fix" was in fact wrong, as net-tools and iproute2 aren't
    essential packages and adding it as depends won't fix.

 -- Thomas Goirand Fri, 31 Mar 2017 14:26:30 +0200

keystone (2:10.0.0-7) unstable; urgency=medium

  * Team upload.
  * Dependency added: net-tools (Closes: #858215)

 -- David Rabel Sun, 19 Mar 2017 22:31:50 +0100

keystone (2:10.0.0-6) unstable; urgency=medium

  * Team upload.
  * Require newer python-routes (Closes: #851152)

 -- Ondřej Nový Tue, 24 Jan 2017 10:52:37 +0100

keystone (2:10.0.0-5) unstable; urgency=medium

  * Check if /var/log/keystone exists in cron job (Closes: #847692).

 -- Thomas Goirand Sun, 18 Dec 2016 11:52:15 +0100

keystone (2:10.0.0-4) unstable; urgency=medium

  * Fix passlib call of encrypt() which is replaced by hash() upstream
    (Closes: #846729).

 -- Thomas Goirand Mon, 05 Dec 2016 12:33:54 +0100

keystone (2:10.0.0-3) unstable; urgency=medium

  * Team upload.

  [ Ondřej Nový ]
  * Bumped debhelper compat version to 10

  [ Ondřej Kobližek ]
  * Add upstream patch
    Remove_trailing_d_from_-days_param_of_OpenSSL_command.patch
    (Closes: #843865)
  * Patch-out upper constraints of SQLAlchemy

 -- Ondřej Kobližek Mon, 28 Nov 2016 13:04:02 +0100

keystone (2:10.0.0-2) unstable; urgency=medium

  * Fixed unix right of /var/log/keystone (Closes: #840221).

 -- Thomas Goirand Mon, 10 Oct 2016 11:53:43 +0200

keystone (2:10.0.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thomas Goirand Thu, 06 Oct 2016 17:25:06 +0200

keystone (2:10.0.0~rc2-1) unstable; urgency=medium

  [ Ondřej Nový ]
  * d/s/options: extend-diff-ignore of .gitreview
  * d/control: Use correct branch in Vcs-* fields

  [ Thomas Goirand ]
  * New upstream release.
  * Uploading to unstable.
  * Build-Depends on openstack-pkg-tools >= 53~.
  * Fixed oslotest EPOCH.

 -- Thomas Goirand Tue, 04 Oct 2016 09:49:06 +0200

keystone (2:10.0.0~rc1-1) experimental; urgency=medium

  * New upstream release.
  * Add --parallel when running unit tests.
  * Add python-pep8 as build-depends-indep.

 -- Thomas Goirand Thu, 22 Sep 2016 09:50:50 +0200

keystone (2:10.0.0~b3-1) experimental; urgency=medium

  * New upstream release.
  * Fixed (build-)depends for this release.
  * Using OpenStack's Gerrit as VCS URL.

  [ Thomas Goirand ]
  * Always reconfigure apache to include keystone's vhost.
  * Also redo the keystone_bootstrap_admin in case of upgrades, and do a
    db_unregister of keystone/register-endpoint and
    keystone/create-admin-tenant to make sure we don't make it twice.

  [ Ondřej Nový ]
  * Added python-pep8 to build depends (Closes: #834617)

 -- Thomas Goirand Thu, 15 Sep 2016 14:58:20 +0200

keystone (2:10.0.0~b2-1) experimental; urgency=medium

  * New upstream release.
  * Fixed (build-)depends for this release.
  * Added missing build-depends: python-testresources.
  * Added missing runtime depends: apache2.
  * Make the cron.hourly work also with a commented provider= directive.
  * Also setup apache if not setting-up db.

 -- Thomas Goirand Thu, 14 Jul 2016 21:34:02 +0000

keystone (2:10.0.0~b1-1) experimental; urgency=medium

  [ Ondřej Nový ]
  * d/copyright: Changed source URL to https protocol

  [ Thomas Goirand ]
  * New upstream release.
  * Fixed (build-)depends for this release.
  * Drop now useless patches.
  * Remove files from $(CURDIR)/debian/tmp/usr/etc to avoid dh_install
    --fail-missing to fail.
  * Install tempest plugin correctly.
  * Patch requirements.txt to trash lines that break deps calculation.
  * Using oslo-config-generator to build keystone.conf.
  * Move all binaries to python-keystone, preparing Py3 transition.
  * keystone-all is gone, using uwsgi instead.

 -- Thomas Goirand Mon, 06 Jun 2016 15:30:58 +0000

keystone (2:9.0.0-2) unstable; urgency=high

  [ Ondřej Nový ]
  * Use /bin/sh as su shell in postinst script explicitly
  * Standards-Version is 3.9.8 now (no change)
  * Use /bin/sh instead of /bin/bash as default shell for "keystone" user

  [ Thomas Goirand ]
  * Fix the cron job to not run if we're not using UUID tokens, as it
    otherwise fails and fills up the log file (LP: #1520321).
  * CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result
    in revocation bypass. Add upstream patch: "Fix fernet audit ids for
    v2.0". (Closes: #824683).

 -- Thomas Goirand Thu, 19 May 2016 07:22:58 +0000

keystone (2:9.0.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thomas Goirand Thu, 07 Apr 2016 17:53:48 +0200

keystone (2:9.0.0~rc2-1) unstable; urgency=medium

  * New upstream release.
  * Uploading to unstable.

 -- Thomas Goirand Mon, 04 Apr 2016 22:56:57 +0200

keystone (2:9.0.0~rc1-1) experimental; urgency=medium

  * New upstream release.
  * Require version >= 0.10.0 of python-migrate to make sure we have the
    python-decorator package installed.
  * Fixed (build-)depends for this release.

 -- Thomas Goirand Mon, 21 Mar 2016 16:12:36 +0100

keystone (2:9.0.0~b3-2) experimental; urgency=medium

  * Using "keystone-manage bootstrap" to create the initial admin, and then
    using it to further create users and endpoints. Note that through using
    environment variables, no passwords are leaking in /proc.

 -- Thomas Goirand Wed, 09 Mar 2016 21:31:44 +0000

keystone (2:9.0.0~b3-1) experimental; urgency=medium

  [ Ondřej Nový ]
  * Fixed VCS URLs (https).

  [ Thomas Goirand ]
  * New upstream release.
  * Fixed (build-)depends for this release.
  * Standards-Version: 3.9.7 (no change).
  * Rebased / refresh all patches.

 -- Thomas Goirand Thu, 03 Mar 2016 20:00:57 +0800

keystone (2:9.0.0~b2-3) experimental; urgency=medium

  * Added auto-creation of the Member and ResellerAdmin roles as this is
    needed for Swift auto-account-creation to work.

 -- Thomas Goirand Mon, 08 Feb 2016 08:11:14 +0000

keystone (2:9.0.0~b2-2) experimental; urgency=medium

  * Added git as build-depends.
  * Bump EPOCH to align with Ubuntu.
  * Remove version of init-system-helpers in keystone depends, as 1.18 is
    not available in Trusty.
  * By default, add a heat_stack_owner role.

 -- Thomas Goirand Mon, 25 Jan 2016 16:09:28 +0800

keystone (1:9.0.0~b2-1) experimental; urgency=medium

  * New upstream release.
  * Fixed (build-)depends for this release.
  * Fixed debian/copyright ordering.
  * Standards-Version is now 3.9.6 (no change).
  * Fix syntax error on an old debian/changelog entry.

 -- Thomas Goirand Mon, 07 Dec 2015 12:32:48 +0100

keystone (1:8.0.0-4) unstable; urgency=medium

  * If the debconf prompt for creating Keystone endpoint was yes, check
    first if there's no service already registered.
  * Also create a service project when creating users and tenants.
  * Setting-up /v2.0 as endpoint URL for Keystone to avoid compatibility
    issues with some services, even though we're using API v3.

 -- Thomas Goirand Wed, 04 Nov 2015 09:06:22 +0000

keystone (1:8.0.0-3) unstable; urgency=medium

  * Switching Keystone to use and configure API v3 by default.

 -- Thomas Goirand Mon, 02 Nov 2015 13:04:02 +0000

keystone (1:8.0.0-2) unstable; urgency=medium

  * Uploading to unstable.

 -- Thomas Goirand Fri, 16 Oct 2015 13:11:24 +0000

keystone (1:8.0.0-1) experimental; urgency=medium

  * New upstream release.
  * Now depends on pymysql.
  * Added a /etc/apache2/sites-available/wsgi-keystone.conf.

 -- Thomas Goirand Tue, 13 Oct 2015 14:56:01 +0200

keystone (1:8.0.0~rc1-1) experimental; urgency=medium

  * New upstream release.
  * Fixed (build-)depends for this release.
  * Rebased fixes-jsonschema-requirements.txt.patch.

 -- Thomas Goirand Wed, 23 Sep 2015 14:11:47 +0200

keystone (1:8.0.0~b3-4) experimental; urgency=medium

  * Doing the db_sync using the --noverbose option.

 -- Thomas Goirand Mon, 21 Sep 2015 12:40:13 +0000

keystone (1:8.0.0~b3-3) experimental; urgency=medium

  * Re-enabled KeystoneAdmin and KeystoneServiceAdmin roles, and using
    openstackclient instead of keystoneclient which is deprecated.
  * Stop doing pki_setup (it's not recommended upstream anymore).

 -- Thomas Goirand Mon, 21 Sep 2015 09:36:02 +0000

keystone (1:8.0.0~b3-2) experimental; urgency=medium

  * Fixed some (build-)depends versions.
  * Added patch to fix requirements.txt regarding python-jsonschema version.
  * Fixed admin user, role and tenant creation.
  * Back to /v2.0/ endpoints.

 -- Thomas Goirand Fri, 11 Sep 2015 08:45:50 +0000

keystone (1:8.0.0~b3-1) experimental; urgency=medium

  * New upstream release.
  * Now setting-up /v3 endpoint, not /v2.0.
  * Added AppArmor confinement for keystone-all.
  * Upstream removed run_tests.sh, now using testr directly.

 -- Thomas Goirand Tue, 11 Aug 2015 14:36:02 +0200

keystone (1:8.0.0~b2-1) experimental; urgency=medium

  * New upstream release.
  * Fixed (build-)depends for this release.

 -- Thomas Goirand Wed, 01 Jul 2015 12:29:17 +0200

keystone (2015.1.0-2) unstable; urgency=medium

  * Accepting SQLA 1.0.6.

 -- Thomas Goirand Wed, 01 Jul 2015 02:47:07 +0000

keystone (2015.1.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thomas Goirand Thu, 30 Apr 2015 20:55:28 +0000

keystone (2015.1~rc2-1) unstable; urgency=medium

  * New upstream release.
  * Uploading to unstable.
  * Review (build-)depends.

 -- Thomas Goirand Mon, 22 Dec 2014 12:18:01 +0800

keystone (2014.2.1-1) experimental; urgency=medium

  * New upstream release.
  * Added oslo.serialization as (build-)depends.
  * Added depends: init-system-helpers (>= 1.18~), and deb-systemd-helper
    manual calls to activate the keystone.service.

 -- Thomas Goirand Fri, 12 Dec 2014 17:29:27 +0800

keystone (2014.2-1) experimental; urgency=medium

  * New upstream release.

 -- Thomas Goirand Thu, 16 Oct 2014 15:33:30 +0000

keystone (2014.2~rc2-1) experimental; urgency=medium

  * New upstream release.
  * Mangling upstream rc and beta versions in watch file.
  * Updated nl.po thanks to Frans Spiesschaert (Closes: #764205).
  * Using templated init script from openstack-pkg-tools >= 13.
  * Removed silly python-support build-depends.

 -- Thomas Goirand Mon, 13 Oct 2014 00:47:25 +0800

keystone (2014.2~rc1-1) experimental; urgency=medium

  * New upstream release.
  * Updated (build-)depends for this release.

 -- Thomas Goirand Tue, 30 Sep 2014 22:21:49 +0800

keystone (2014.2~b3-2) experimental; urgency=medium

  * Adds patch to avoid "git clone" when running the unit tests
    keystone.tests.test_keystoneclient.KcMasterTestCase.*. See
    https://review.openstack.org/122768/ for details.

 -- Thomas Goirand Fri, 19 Sep 2014 14:36:23 +0800

keystone (2014.2~b3-1) experimental; urgency=medium

  * New upstream release.
  * New (build-)depends for this release.
  * Ship a systemd service file using dh-systemd.

  [ gustavo panizzo ]
  * Support to run keystone as user keystone.
  * Support to run keystone under systemd.

 -- Thomas Goirand Mon, 30 Jun 2014 23:07:59 +0800

keystone (2014.1.1-2) unstable; urgency=medium

  * CVE-2014-3476: privilege escalation through trust chained delegation.
    Applied upstream patch. (Closes: #751454).

 -- Thomas Goirand Fri, 13 Jun 2014 17:30:08 +0800

keystone (2014.1.1-1) unstable; urgency=medium

  * New upstream release.
  * Remove cve-2014-0204-stable-icehouse.patch applied upstream.
  * Removed
    sql_migration_ensure_using_innodb_utf8_for_assignment_table.patch
    applied upstream.

 -- Thomas Goirand Mon, 09 Jun 2014 23:22:20 +0800

keystone (2014.1-6) unstable; urgency=medium

  * Now build-depends on openstack-pkg-tools >= 12~.

 -- Thomas Goirand Thu, 05 Jun 2014 09:09:54 +0000

keystone (2014.1-5) unstable; urgency=medium

  * Updates cve-2014-0204-stable-icehouse.patch with latest version from
    upstream (Closes: #749026).

 -- Thomas Goirand Fri, 30 May 2014 23:09:45 +0800

keystone (2014.1-4) unstable; urgency=medium

  * Switched from restarting keystone to copytruncate in logrotate.

 -- Thomas Goirand Thu, 29 May 2014 14:19:42 +0800

keystone (2014.1-3) unstable; urgency=medium

  * Added sql migration: ensure using innodb utf8 for assignment table which
    fixes upgrade path from Havana.
  * Fixed cs.po.
  * Added cve-2014-0204-stable-icehouse.patch.
  * Standards-Version: is now 3.9.5

 -- Thomas Goirand Tue, 20 May 2014 23:26:00 +0800

keystone (2014.1-2) unstable; urgency=medium

  * Fixed debian/watch to use github tags.
  * Now using "service X restart" to restart keystone after logrotate, and
    stop using dpkg-dev (Closes: #747890).

 -- Thomas Goirand Sat, 17 May 2014 01:54:29 +0800

keystone (2014.1-1) unstable; urgency=medium

  * New upstream release.
  * Uploading to unstable.
  * Fixed config file handling (DEFAULT/connection vs database/connection).
    (Closes: #744761).

 -- Thomas Goirand Tue, 15 Apr 2014 15:30:07 +0800

keystone (2014.1~rc2-1) experimental; urgency=low

  * New upstream pre-release.
  * Removed broken patch: defines-gettext-function-to-avoid-ftbfs.patch

 -- Thomas Goirand Wed, 09 Apr 2014 23:17:06 +0800

keystone (2014.1~rc1-1) experimental; urgency=low

  * New upstream release.
  * Fixed new upstream (build-)dependencies.
  * Drops now useless fix-sqla-version-in-requirements patch.

 -- Thomas Goirand Fri, 28 Mar 2014 14:39:11 +0800

keystone (2014.1~b3-1) experimental; urgency=low

  * New upstream release (Icehouse beta 3).
  * Refresh patches.
  * Reviewed (build-)dependencies.
  * Fixed sphinx build for docs and man pages.

 -- Thomas Goirand Mon, 17 Feb 2014 15:27:56 +0800

keystone (2013.2.2-1) unstable; urgency=medium

  * New upstream point release.
  * Refreshed patches.
  * Remove patches applied upstream:
    Limit_calls_to_memcache_backend_as_user_token_index_increases_in_size.patch

 -- Thomas Goirand Fri, 14 Feb 2014 09:57:43 +0800

keystone (2013.2.1-2) unstable; urgency=medium

  * Adds a cut -d" " -f1 when detecting the local interface connected to the
    default gateway, so that it works with more than one default gateway.
  * Updated es.po debconf translation thanks to Matias A. Bellone
    (Closes: #732538).
  * Backported patch to replace oauth2 by oauthlib.
  * Changed dependency from oauth2 to oauthlib.

  [ gustavo panizzo ]
  * Patch to improve performance (lp: #1251123).

 -- Thomas Goirand Fri, 20 Dec 2013 22:00:34 +0800

keystone (2013.2.1-1) unstable; urgency=high

  * New upstream release (Closes: #731981) This fixes CVE-2013-6391.
  * Refreshed sql_conn.patch.
  * Removed CVE-2013-4477-havana.patch now applied upstream.
  * (build-)depends on python-iso8601 >= 0.1.8 instead of 0.1.4.

 -- Thomas Goirand Mon, 16 Dec 2013 16:46:48 +0800

keystone (2013.2-4) unstable; urgency=low

  * Fixes restart of keystone in logrotate script. (Closes: #731495).

 -- Thomas Goirand Fri, 06 Dec 2013 15:18:07 +0800

keystone (2013.2-3) unstable; urgency=medium

  * Updated German debconf templates, thanks: Chris Leick (Closes: #730454).

 -- Thomas Goirand Wed, 04 Dec 2013 16:32:51 +0800

keystone (2013.2-2) unstable; urgency=low

  * Moved python-memcache to Depends: instead of Recommends:.
  * Added missing python-babel depends.
  * Fixes a failed install if the target computer doesn't have a default
    route (lp: #1247342).
  * CVE-2013-4477: remove role assignment adds role using LDAP assignment
    (Closes: #728233).

 -- Thomas Goirand Sun, 03 Nov 2013 16:02:42 +0800

keystone (2013.2-1) unstable; urgency=low

  * New upstream release.
  * Uploading to unstable.

 -- Thomas Goirand Fri, 18 Oct 2013 00:18:57 +0800

keystone (2013.2~rc3-1) experimental; urgency=low

  * New upstream release.

 -- Thomas Goirand Sat, 29 Jun 2013 22:31:32 +0800

keystone (2013.1.2-1) unstable; urgency=low

  [ Thomas Goirand ]
  * Ran wrap-and-sort.
  * New upstream release.

  [ gustavo panizzo ]
  * Add support for TLS when using LDAP.
  * CVE-2013-2157: Authentication bypass when using LDAP backend.
    [OSSA 2013-015]

 -- Thomas Goirand Thu, 30 May 2013 11:25:11 +0800

keystone (2013.1.1-2) unstable; urgency=low

  * Uploading to unstable.
  * New upstream release:
    - Fixes CVE-2013-2059: Keystone tokens not immediately invalidated when
      user is deleted [OSSA 2013-011] (Closes: #707598).
  * Also installs httpd/keystone.py.

 -- Thomas Goirand Fri, 10 May 2013 10:22:18 +0800

keystone (2013.1-1) experimental; urgency=low

  * New upstream release.

 -- Thomas Goirand Wed, 30 Jan 2013 20:12:55 +0800

keystone (2012.2.3-2) experimental; urgency=low

  * CVE-2013-1865: Online validation of Keystone PKI tokens bypasses
    revocation check.

 -- Thomas Goirand Thu, 21 Mar 2013 00:52:02 +0800

keystone (2012.2.3-1) experimental; urgency=low

  * New upstream release.
  * CVE-2013-0247: Keystone denial of service through invalid token
    requests.
  * CVE-2013-0282 Keystone EC2-style authentication accepts disabled
    user/tenants (Closes: #700947).
  * CVE-2013-1664 & CVE-2013-1665: Information leak and Denial of Service
    using XML entities (Closes: #700948)

 -- Thomas Goirand Sun, 03 Feb 2013 11:05:36 +0800

keystone (2012.2.1-1) experimental; urgency=low

  * New upstream version.
  * Rewrite of the maintainer scripts using the pkgos scripts.
  * Fixes etc/default_catalog.templates to include Quantum config and to use
    regionOne and not RegionOne by default.
  * Increased compat level to 9 (and debhelper build-dep).
  * Fixes build-dep git-core -> git.

 -- Thomas Goirand Sun, 02 Dec 2012 13:08:38 +0000

keystone (2012.2~rc1-1) experimental; urgency=low

  * New snapshot release
  * Refresh patches
  * Remove CVE-2012-3542 incorporated upstream

 -- Mehdi Abaakouk Mon, 24 Sep 2012 10:37:31 +0200

keystone (2012.2~e3-1) experimental; urgency=low

  [ Mehdi Abaakouk ]
  * New upstream version.

  [ Thomas Goirand ]
  * Fixed build-dependencies correctly.
  * Made the package compatible with Ubuntu.
  * Now using xz level 9 compression.

 -- Mehdi Abaakouk Mon, 10 Sep 2012 17:56:09 +0200

keystone (2012.1.1-13+wheezy1) wheezy-proposed-updates; urgency=low

  * CVE-2013-2059: Keystone tokens not immediately invalidated when user is
    deleted [OSSA 2013-011]. Added backported to Essex patch which I
    picked-up from Launchpad. Thanks to the Canonical security team
    (Closes: #707598).

 -- Thomas Goirand Fri, 10 May 2013 10:09:14 +0800

keystone (2012.1.1-13) unstable; urgency=high

  * CVE-2013-0282: Ensure EC2 users and tenant are enabled
    (Closes: #700947).
  * CVE-2013-1664 & CVE-2013-1665: Information leak and Denial of Service
    using XML entities (Closes: #700948).

 -- Thomas Goirand Tue, 19 Feb 2013 12:56:42 +0800

keystone (2012.1.1-12) unstable; urgency=low

  * CVE-2013-0247: Keystone denial of service through invalid token requests
    (Closes: #699835).

 -- Thomas Goirand Wed, 06 Feb 2013 09:52:07 +0800

keystone (2012.1.1-11) unstable; urgency=high

  * Applies security patch from upstream: Ensures User is member of tenant
    in ec2 validation (Closes: #694433).
  * Added Japanese debconf template translation, thanks to victory
    (Closes: #693056).

 -- Thomas Goirand Mon, 26 Nov 2012 14:05:33 +0000

keystone (2012.1.1-10) unstable; urgency=low

  * Fixes keystone.config which wasn't starting dbconfig-common at first
    setup.
  * Do not use override_dh_fixperms:, sets the permissions of keystone.conf
    in the postinst using "install -m" instead of cp -auxf.
  * The default db is now sqlite:///var/lib/keystone/keystonedb, since
    that's what we run with Folsom, and that it might cause problems as
    "keystone.sqlite" isn't a valid MySQL db name. Changed
    debian/keystone.config accordingly.

 -- Thomas Goirand Wed, 10 Oct 2012 15:46:14 +0000

keystone (2012.1.1-9) unstable; urgency=high

  * Fixes sometimes failing keystone.postrm (db_get in some conditions can
    return false), and fixed non-consistent indenting.
  * Uses /usr/share/keystone/keystone.conf instead of
    /usr/share/doc/keystone/keystone.conf.sample for temporary storing the
    conf file (this was a policy violation, as the doc folder should never
    be required).
  * Fixes CVE-2012-4457: fails to raise Unauthorized user error for
    disabled, CVE-2012-4456: fails to validate tokens in Admin API
    (Closes: #689210).

 -- Thomas Goirand Mon, 01 Oct 2012 05:52:23 +0000

keystone (2012.1.1-8) unstable; urgency=low

  * Fixes parsing of the SQL connection in keystone.config.

 -- Thomas Goirand Sun, 30 Sep 2012 01:48:50 +0000

keystone (2012.1.1-7) unstable; urgency=low

  * Fixes bad handling (eg: policy violation) of keystone.conf which was
    conffiles, but changed in the postinst (Closes: #687311).

 -- Thomas Goirand Wed, 12 Sep 2012 17:09:47 +0000

keystone (2012.1.1-6) unstable; urgency=high

  * CVE-2012-4413: Revoking a role does not affect existing tokens
    (Closes: #687428).

 -- Thomas Goirand Sun, 09 Sep 2012 02:21:11 +0000

keystone (2012.1.1-5) unstable; urgency=low

  * CVE-2012-3542: Fixes lack of authorization for adding users to tenants
    (Closes: #686265)
  * Added Chinese debconf translation thanks to ben .
  * Really adds the nl debconf translation this time (Closes: #685671).

 -- Thomas Goirand Mon, 27 Aug 2012 11:45:44 +0000

keystone (2012.1.1-4) unstable; urgency=low

  * Updated debian/keystone.templates, debian/control after review from the
    internationalization team (Closes: #683414, #679295).
  * Updated debconf translations with thanks to:
    - de: Pfannenstein Erik (Closes: #684877)
    - cs: Michal Šimůnek (Closes: #685434)
    - pl: Michał Kułach (Closes: #685431)
    - fr: David Prévot (Closes: #685325)
    - sv: Martin Bagge (Closes: #684942)
    - sk: helix84 (Closes: #684606)
    - ru: Yuri Kozlov (Closes: #684590)
    - da: Joe Dalton (Closes: #684565)
    - pt: Pedro Ribeiro (Closes: #682438)
    - es: SM Baby Siabef (Closes: #685435)
    - it: Beatrice Torracca (Closes: #685623)
  * Added debconf translations with thanks to:
    - pt_BR: Adriano Rafael Gomes (Closes: #685405)
    - nl: Jeroen Schot (Closes: #685671)

 -- Thomas Goirand Tue, 21 Aug 2012 08:06:07 +0000

keystone (2012.1.1-3) unstable; urgency=low

  * Re-added Debconf template which has been removed by the patch of
    2012.1.1-2 from Bubulle (Closes: #683337).
  * Removed one occurrence of a dependency declared twice:
    python-sqlalchemy.

 -- Thomas Goirand Tue, 31 Jul 2012 12:37:24 +0000

keystone (2012.1.1-2) unstable; urgency=low

  * Debconf templates and debian/control reviewed by the debian-l10n-english
    team as part of the Smith review project. Closes: #679295
  * [Debconf translation updates]
  * Recycle translations from nova for several languages. Additionally:
  * Danish (Joe Hansen). Closes: #680082
  * Swedish (Martin Bagge / brother). Closes: #680847
  * Spanish; (SM Baby Siabef). Closes: #681003
  * Italian (Beatrice Torracca). Closes: #681249
  * Slovak (Ivan Masár). Closes: #682784
  * Fixed the get-vcs-source target in debian/rules.

 -- Thomas Goirand Thu, 19 Jul 2012 06:21:30 +0000

keystone (2012.1.1-1) unstable; urgency=low

  * New upstream release.

 -- Ghe Rivero Fri, 22 Jun 2012 09:41:24 +0200

keystone (2012.1-3) unstable; urgency=low

  * Add logrotate for keystone.log. Closes: #663717

 -- Mehdi Abaakouk Tue, 22 May 2012 14:48:56 +0200

keystone (2012.1-2) unstable; urgency=low

  * Fixed python version requisites on webob and pam.
    Closes: #665804

 -- Ghe Rivero Wed, 02 May 2012 10:17:35 +0200

keystone (2012.1-1) unstable; urgency=low

  * New upstream release

 -- Ghe Rivero Mon, 09 Apr 2012 09:06:22 +0200

keystone (2012.1~rc2-1) unstable; urgency=low

  * New upstream release.

 -- Ghe Rivero Wed, 04 Apr 2012 10:09:36 +0200

keystone (2012.1~rc1-2) unstable; urgency=low

  * Removed check timeout from keystone.postinst. Closes: #665739

 -- Ghe Rivero Tue, 27 Mar 2012 13:12:01 +0200

keystone (2012.1~rc1-1) unstable; urgency=low

  * New upstream release.

 -- Ghe Rivero Sat, 24 Mar 2012 09:14:50 +0100

keystone (2012.1~e4+git35-g4e4f793-1) UNRELEASED; urgency=low

  [ Julien Danjou ]
  * Install egg-info
    This is needed at least for Swift.

  [ Ghe Rivero ]
  * Added keystone/auth-token question. Closes: #662458

 -- Julien Danjou Fri, 02 Mar 2012 10:34:30 +0100

keystone (2012.1~e4-1) unstable; urgency=low

  * New upstream release

 -- Ghe Rivero Fri, 02 Mar 2012 08:38:43 +0100

keystone (2012.1~e3+git772-g6919b05-1) UNRELEASED; urgency=low

  [ Julien Danjou ]
  * Fix permissions /etc/keystone
  * Add projectmanager role on initial database creation
  * Do not run dbconfig by default
    That fixes LP#931236 until #607171 is fixed in dbconfig-common.
    Patch based on:
    http://bazaar.launchpad.net/~ubuntu-server-dev/keystone/essex/revision/83

 -- Julien Danjou Mon, 06 Feb 2012 10:35:52 +0100

keystone (2012.1~e3-4) unstable; urgency=low

  * Add missing python-migrate, python-prettytable, python-mox in build deps
    (Closes: #658592)
  * Deactivate tests because they fail (upstream problem)

 -- Julien Danjou Mon, 06 Feb 2012 10:35:52 +0100

keystone (2012.1~e3-3) unstable; urgency=low

  * Add missing dependency on python-dateutil

 -- Julien Danjou Tue, 31 Jan 2012 12:37:35 +0100

keystone (2012.1~e3-2) unstable; urgency=low

  * Add dbconfig prerm

 -- Julien Danjou Fri, 27 Jan 2012 16:13:48 +0100

keystone (2012.1~e3-1) unstable; urgency=low

  * New upstream release.
  * Use dbconfig to configure database

 -- Julien Danjou Thu, 26 Jan 2012 17:03:10 +0100

keystone (2012.1~e2-4) unstable; urgency=low

  * Fix default location of keystone db file

 -- Ghe Rivero Tue, 24 Jan 2012 09:43:15 +0100

keystone (2012.1~e2-3) unstable; urgency=low

  * Add missing build depends on python-nose (Closes: #652805)
  * Remove useless python fields in control

 -- Julien Danjou Tue, 27 Dec 2011 11:40:18 +0100

keystone (2012.1~e2-2) unstable; urgency=low

  * Fix init script

 -- Julien Danjou Mon, 19 Dec 2011 17:16:48 +0100

keystone (2012.1~e2-1) unstable; urgency=low

  * New upstream release.
  * Disable doc building because it's currently failing.

 -- Julien Danjou Fri, 16 Dec 2011 11:12:44 +0100

keystone (2012.1~e1-2) unstable; urgency=low

  * Fix python-keystone installation file by including only keystone lib
    (Closes: #649907).
  * Add missing manpages.

 -- Julien Danjou Fri, 25 Nov 2011 10:43:59 +0100

keystone (2012.1~e1-1) unstable; urgency=low

  * New upstream release.
  * Cherry-pick 33c1c9390331b3bacd3791b537b6a1147715925c from upstream to
    fix documentation building.

 -- Julien Danjou Thu, 24 Nov 2011 16:21:50 +0100

keystone (2011.3-1) unstable; urgency=low

  * Initial release (Closes: #647611)

 -- Julien Danjou Tue, 15 Nov 2011 11:29:13 +0100