[openstack-dev] Essex patch for CVE-2013-0270

Thomas Goirand zigo at debian.org
Wed Feb 13 14:53:37 UTC 2013


On 02/12/2013 12:11 AM, Thierry Carrez wrote:
> Dolph Mathews wrote:
>> Dan Prince also wrote a more specific fix for the same issue and
>> backported it to essex here:
>> https://bugs.launchpad.net/keystone/+bug/1098307
> 
> Indeed, we didn't backport the size-limiting middleware because we don't
> backport new features as part of security vulnerability fixes (following
> what distributions security teams accept).
> 
> As mentioned in the advisory, the fix for CVE-2013-0270 in Essex is here:
> https://review.openstack.org/#/c/21216/
> 

I'm quite confused now.

We have CVE-2013-0247 and CVE-2013-0270. Aren't these the same problem?
Patches are conflicting and are doing approximately the same in
different ways. What am I missing?

Thomas


