[openstack-dev] Essex patch for CVE-2013-0270

Thierry Carrez thierry at openstack.org
Thu Feb 14 16:05:02 UTC 2013


Thomas Goirand wrote:
> On 02/12/2013 12:11 AM, Thierry Carrez wrote:
>> Dolph Mathews wrote:
>>> Dan Prince also wrote a more specific fix for the same issue and
>>> backported it to essex here:
>>> https://bugs.launchpad.net/keystone/+bug/1098307
>>
>> Indeed, we didn't backport the size-limiting middleware because we don't
>> backport new features as part of security vulnerability fixes (following
>> what distributions' security teams accept).
>>
>> As mentioned in the advisory, the fix for CVE-2013-0270 in Essex is here:
>> https://review.openstack.org/#/c/21216/
>>
> 
> I'm quite confused now.
> 
> We have CVE-2013-0247 and CVE-2013-0270. Aren't these the same problem?
> Patches are conflicting and are doing approximately the same in
> different ways. What am I missing?

I suspect CVE-2013-0270 is a duplicate CVE assignment for CVE-2013-0247,
which is the one we issued OSSA-2013-003 for.

Hope this helps,

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack


