keystone (2:14.2.0-0+deb10u2) buster-security; urgency=medium

  * Non maintainer upload by the LTS team
  * Add salsa CI
  * Fix CVE-2021-38155: keystone allows information disclosure
    during account locking (related to PCI DSS features). By guessing
    the name of an account and failing to authenticate multiple times,
    any unauthenticated actor could both confirm the account exists
    and obtain that account's corresponding UUID, which might be
    leveraged for other unrelated attacks.
  * Fix CVE-2021-3563: Only the first 72 characters of an application
    secret were verified allowing attackers bypass some password
    complexity which administrators may be counting on. The highest
    threat from this vulnerability is to data confidentiality and integrity.

 -- Bastien Roucariès <rouca@debian.org>  Thu, 04 Jan 2024 23:48:53 +0000

keystone (2:14.2.0-0+deb10u1) buster-security; urgency=medium

  * New upstream point release.
  * Removed patch applied upstream:
    - PY3_switch_to_using_unicode_text_values.patch
  * Removed debian/keystone.cron.hourly: UUID tokens are removed in favor of
    Fernet tokens, therefore, this cron job is useless.
  * Add upstream patches to fix grave security bug: EC2 and credential
    endpoints are not protected from a scoped context (Closes: #959900).
    - 0001-Add-cadf-auditing-to-credentials.patch
    - CVE_Check_timestamp_of_signed_EC2_token_request.patch
    - Ensure_OAuth1_authorized_roles_are_respected.patch
    - CVE_Fix_security_issues_with_EC2_credentials.patch

 -- Thomas Goirand <zigo@debian.org>  Mon, 25 Mar 2019 15:04:48 +0100

keystone (2:14.0.1-2) unstable; urgency=medium

  * Add PY3_switch_to_using_unicode_text_values.patch and requires
    python3-ldappool >= 2.3.1, which fixes using ldap with Keystone under
    Python 3 (Closes: #923949).

 -- Thomas Goirand <zigo@debian.org>  Fri, 08 Mar 2019 12:19:47 +0100

keystone (2:14.0.1-1) unstable; urgency=medium

  [ Michal Arbet ]
  * New upstream version
  * d/control: Add me to uploaders field
  * d/copyright: Add me to copyright file

  [ Thomas Goirand ]
  * Update German debconf translation thanks to Chris Leick
    <c.leick@vollbio.de> (Closes: #910622).

 -- Thomas Goirand <zigo@debian.org>  Tue, 08 Jan 2019 09:38:02 +0100

keystone (2:14.0.0-2) unstable; urgency=medium

  * Do not run keystone.tests.unit.test_sql_upgrade tests, as it looks like
    broken if using SQLite (Closes: #909989).
  * Install correctly the examples folder into keystone-doc (ie: no nested
    examples folder).

 -- Thomas Goirand <zigo@debian.org>  Mon, 01 Oct 2018 08:50:53 +0200

keystone (2:14.0.0-1) unstable; urgency=medium

  * New upstream release.
  * Updated debconf translations, with thanks to:
    - fr.po, Julien Patriarca (Closes: #901433).
    - nl.po, Frans Spiesschaert (Closes: #898866).
  * Uploading to unstable.

 -- Thomas Goirand <zigo@debian.org>  Wed, 05 Sep 2018 13:04:10 +0200

keystone (2:14.0.0~rc1-1) experimental; urgency=medium

  * New upstream release.
  * Removed patches applied upstream:
    - remove_at_expression_from_tags.patch
    - CVE-2018-14432_Reduce_duplication_in_federated_auth_APIs.patch
  * Fixed (build-)depends for this release.

 -- Thomas Goirand <zigo@debian.org>  Mon, 20 Aug 2018 14:28:30 +0200

keystone (2:13.0.0-7) unstable; urgency=high

  [ Michal Arbet ]
  * Remove auth-token stuff

  [ Thomas Goirand ]
  * Removed using twice --bootstrap-region-id ${REGION_NAME} when doing the
    keystone bootstraping.
  * CVE-2018-14432: authenticated user may discover projects they have no
    authority to access, leaking all projects in the deployment and their
    attributes. Applie upstream patch for Ocata rebased to Newton: "Reduce
    duplication in federated auth APIs (Closes: #904616).

  [ Ondřej Nový ]
  * d/control: Use team+openstack@tracker.debian.org as maintainer

 -- Thomas Goirand <zigo@debian.org>  Fri, 06 Apr 2018 11:08:58 +0000

keystone (2:13.0.0-6) unstable; urgency=medium

  * Do not create role admin, created during bootstrap.
  * Added selection of endpoint protocol (ie: http / https).

 -- Thomas Goirand <zigo@debian.org>  Thu, 22 Mar 2018 12:12:14 +0000

keystone (2:13.0.0-5) unstable; urgency=medium

  * Switch back to Apache instead of uwsgi.

 -- Thomas Goirand <zigo@debian.org>  Thu, 08 Mar 2018 20:30:01 +0100

keystone (2:13.0.0-4) unstable; urgency=medium

  * Calls systemctl enable keystone-admin / keystone-public before starting.

 -- Thomas Goirand <zigo@debian.org>  Thu, 08 Mar 2018 16:26:30 +0100

keystone (2:13.0.0-3) unstable; urgency=medium

  * Switch back to using invoke-rc.d instead of service.
  * Remove option --no-orphans for uwsgi: this creates some 104 errors (ie: TCP
    connection reset by peer).

 -- Thomas Goirand <zigo@debian.org>  Thu, 08 Mar 2018 15:56:50 +0100

keystone (2:13.0.0-2) unstable; urgency=medium

  * Switch to using service start instead of invoke-rc.d to start keystone
    from postinst.

 -- Thomas Goirand <zigo@debian.org>  Thu, 08 Mar 2018 09:03:24 +0000

keystone (2:13.0.0-1) unstable; urgency=medium

  * New upstream release.
  * Switch to uwsgi instead of Apache.
  * Explicitely use python3 versions of config file generators.
  * Allow setting-up endpoints with IPv6 or FQDN when using debconf.
  * Handle policy.json correctly.

 -- Thomas Goirand <zigo@debian.org>  Tue, 06 Mar 2018 09:55:14 +0000

keystone (2:13.0.0~rc2-1) unstable; urgency=medium

  * New upstream rc release.
  * Uploading to unstable.
  * Add remove_at_expression_from_tags.patch.

 -- Thomas Goirand <zigo@debian.org>  Tue, 27 Feb 2018 10:31:50 +0000

keystone (2:13.0.0~rc1-2) unstable; urgency=medium

  * Uploading to unstable.

 -- Thomas Goirand <zigo@debian.org>  Tue, 27 Feb 2018 10:26:17 +0000

keystone (2:13.0.0~rc1-1) experimental; urgency=medium

  [ Thomas Goirand ]
  * Add new role, rating, needed for cloudkitty.

  [ Ondřej Nový ]
  * d/control: Set Vcs-* to salsa.debian.org
  * Running wrap-and-sort -bast

  [ Thomas Goirand ]
  * New upstream release.
  * Fixed (build-)depends for this release.
  * Standards-Version is now 4.1.3.
  * Fixed tests to use pkgos-dh_auto_test and stestr.
  * Remove init-system-helpers from depends, as it's essential.
  * Also package examples.
  * Remove dh-systemd.
  * Switched to Python 3:
    - Blacklist broken test: SAMLGenerationTests.test_sign_assertion_exc.

 -- Thomas Goirand <zigo@debian.org>  Wed, 14 Feb 2018 13:26:44 +0000

keystone (2:12.0.0-2) unstable; urgency=medium

  * Testing if a2dissite is available in postrm (Closes: #844448).
  * Uploading to unstable.

 -- Thomas Goirand <zigo@debian.org>  Wed, 01 Nov 2017 11:51:03 +0000

keystone (2:12.0.0-1) experimental; urgency=medium

  [ Daniel Baumann ]
  * Updating vcs fields.
  * Updating copyright format url.
  * Updating maintainer field.
  * Running wrap-and-sort -bast.
  * Updating standards version to 4.0.0.
  * Removing gbp.conf, not used anymore or should be specified in the
    developers dotfiles.
  * Correcting permissions in debian packaging files.
  * Updating standards version to 4.0.1.
  * Deprecating priority extra as per policy 4.0.1.
  * Updating standards version to 4.1.0.

  [ Thomas Goirand ]
  * New upstream release.
  * Fixed (build-)depends for this release.
  * Removed obsolete patches.
  * Allow Babel 2.4.0 (patch requirements.txt).
  * Do not install policy.json and keystone.py/wsgi.py.
  * Do not use --noverbose when doing db_sync.
  * Fixed generating keystone.conf and now generating keystone.policy.yaml.
  * Create a MANIFEST.in to install missing migration files.
  * Also setup fernet tokens at install time.
  * More parameters when doing the bootstrap.

 -- Thomas Goirand <zigo@debian.org>  Wed, 04 Oct 2017 23:44:59 +0200

keystone (2:10.0.0-9) unstable; urgency=high

  * CVE-2017-2673 (OSSA-2017-004): Incorrect role assignment with federated
    Keystone. Applied upstream patch: Do not fetch group assignments without
    groups (Closes: #861189).

 -- Thomas Goirand <zigo@debian.org>  Tue, 25 Apr 2017 22:29:13 +0200

keystone (2:10.0.0-8) unstable; urgency=medium

  * Do not use /sbin/route at all, and use ip only if it is available. The
    previous "fix" was in fact wrong, as net-tools and iproute2 aren't
    essential packages and adding it as depends wont fix.

 -- Thomas Goirand <zigo@debian.org>  Fri, 31 Mar 2017 14:26:30 +0200

keystone (2:10.0.0-7) unstable; urgency=medium

  * Team upload.
  * Dependency added: net-tools (Closes: #858215)

 -- David Rabel <david.rabel@noresoft.com>  Sun, 19 Mar 2017 22:31:50 +0100

keystone (2:10.0.0-6) unstable; urgency=medium

  * Team upload.
  * Require newer python-routes (Closes: #851152)

 -- Ondřej Nový <onovy@debian.org>  Tue, 24 Jan 2017 10:52:37 +0100

keystone (2:10.0.0-5) unstable; urgency=medium

  * Check if /var/log/keystone exists in cron job (Closes: #847692).

 -- Thomas Goirand <zigo@debian.org>  Sun, 18 Dec 2016 11:52:15 +0100

keystone (2:10.0.0-4) unstable; urgency=medium

  * Fix passlib call of encrypt() which is replaced by hash() upstream
    (Closes: #846729).

 -- Thomas Goirand <zigo@debian.org>  Mon, 05 Dec 2016 12:33:54 +0100

keystone (2:10.0.0-3) unstable; urgency=medium

  * Team upload.

  [ Ondřej Nový ]
  * Bumped debhelper compat version to 10

  [ Ondřej Kobližek ]
  * Add upstream patch Remove_trailing_d_from_-days_param_of_OpenSSL_command.patch
    (Closes: #843865)
  * Patch-out upper constraints of SQLAlchemy

 -- Ondřej Kobližek <koblizeko@gmail.com>  Mon, 28 Nov 2016 13:04:02 +0100

keystone (2:10.0.0-2) unstable; urgency=medium

  * Fixed unix right of /var/log/keystone (Closes: #840221).

 -- Thomas Goirand <zigo@debian.org>  Mon, 10 Oct 2016 11:53:43 +0200

keystone (2:10.0.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thomas Goirand <zigo@debian.org>  Thu, 06 Oct 2016 17:25:06 +0200

keystone (2:10.0.0~rc2-1) unstable; urgency=medium

  [ Ondřej Nový ]
  * d/s/options: extend-diff-ignore of .gitreview
  * d/control: Use correct branch in Vcs-* fields

  [ Thomas Goirand ]
  * New upstream release.
  * Uploading to unstable.
  * Build-Depends on openstack-pkg-tools >= 53~.
  * Fixed oslotest EPOCH.

 -- Thomas Goirand <zigo@debian.org>  Tue, 04 Oct 2016 09:49:06 +0200

keystone (2:10.0.0~rc1-1) experimental; urgency=medium

  * New upstream release.
  * Add --parallel when running unit tests.
  * Add python-pep8 as build-depends-indep.

 -- Thomas Goirand <zigo@debian.org>  Thu, 22 Sep 2016 09:50:50 +0200

keystone (2:10.0.0~b3-1) experimental; urgency=medium

  * New upstream release.
  * Fixed (build-)depends for this release.
  * Using OpenStack's Gerrit as VCS URL.
  [ Thomas Goirand ]
  * Always reconfigure apache to include keystone's vhost.
  * Also redo the keystone_bootstrap_admin in case of upgrades, and do a
    db_unregister of keystone/register-endpoint and
    keystone/create-admin-tenant to make sure we don't make it twice.

  [ Ondřej Nový ]
  * Added python-pep8 to build depends (Closes: #834617)

 -- Thomas Goirand <zigo@debian.org>  Thu, 15 Sep 2016 14:58:20 +0200

keystone (2:10.0.0~b2-1) experimental; urgency=medium

  * New upstream release.
  * Fixed (build-)depends for this release.
  * Added missing build-depends: python-testresources.
  * Added missing runtime depends: apache2.
  * Make the cron.hourly work also with a commented provider= directive.
  * Also setup apache if not setting-up db.

 -- Thomas Goirand <zigo@debian.org>  Thu, 14 Jul 2016 21:34:02 +0000

keystone (2:10.0.0~b1-1) experimental; urgency=medium

  [ Ondřej Nový ]
  * d/copyright: Changed source URL to https protocol

  [ Thomas Goirand ]
  * New upstream release.
  * Fixed (build-)depends for this release.
  * Drop now useless patches.
  * Remove files from $(CURDIR)/debian/tmp/usr/etc to avoid dh_install
    --fail-missing to fail.
  * Install tempest plugin correctly.
  * Patch requirements.txt to trash lines than breaks deps calculation.
  * Using oslo-config-generator to build keystone.conf.
  * Move all binaries to python-keystone, preparing Py3 transition.
  * keystone-all is gone, using uwsgi instead.

 -- Thomas Goirand <zigo@debian.org>  Mon, 06 Jun 2016 15:30:58 +0000

keystone (2:9.0.0-2) unstable; urgency=high

  [ Ondřej Nový ]
  * Use /bin/sh as su shell in postinst script explicitly
  * Standards-Version is 3.9.8 now (no change)
  * Use /bin/sh instead of /bin/bash as default shell for "keystone" user

  [ Thomas Goirand ]
  * Fix the cron job to not run if we're not using UUID tokens, as it otherwise
    fail and fill-up the log file (LP: #1520321).
  * CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in
    revocation bypass. Add upstream patch: "Fix fernet audit ids for v2.0".
    (Closes: #824683).

 -- Thomas Goirand <zigo@debian.org>  Thu, 19 May 2016 07:22:58 +0000

keystone (2:9.0.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thomas Goirand <zigo@debian.org>  Thu, 07 Apr 2016 17:53:48 +0200

keystone (2:9.0.0~rc2-1) unstable; urgency=medium

  * New upstream release.
  * Uploading to unstable.

 -- Thomas Goirand <zigo@debian.org>  Mon, 04 Apr 2016 22:56:57 +0200

keystone (2:9.0.0~rc1-1) experimental; urgency=medium

  * New upstream release.
  * Require version >= 0.10.0 of python-migrate to make sure we have the
    python-decorator package installed.
  * Fixed (build-)depends for this release.

 -- Thomas Goirand <zigo@debian.org>  Mon, 21 Mar 2016 16:12:36 +0100

keystone (2:9.0.0~b3-2) experimental; urgency=medium

  * Using "keystone-manage bootstrap" to create the initial admin, and then
    using it to further create users and endpoints. Note that through using
    environment variables, no passwords are leaking in /proc.

 -- Thomas Goirand <zigo@debian.org>  Wed, 09 Mar 2016 21:31:44 +0000

keystone (2:9.0.0~b3-1) experimental; urgency=medium

  [ Ondřej Nový ]
  * Fixed VCS URLs (https).

  [ Thomas Goirand ]
  * New upstream release.
  * Fixed (build-)depends for this release.
  * Standards-Version: 3.9.7 (no change).
  * Rebased / refresh all patches.

 -- Thomas Goirand <zigo@debian.org>  Thu, 03 Mar 2016 20:00:57 +0800

keystone (2:9.0.0~b2-3) experimental; urgency=medium

  * Added auto-creation of the Member and ResellerAdmin roles as this is
    needed for Swift auto-account-creation to work.

 -- Thomas Goirand <zigo@debian.org>  Mon, 08 Feb 2016 08:11:14 +0000

keystone (2:9.0.0~b2-2) experimental; urgency=medium

  * Added git as build-depends.
  * Bump EPOCH to align with Ubuntu.
  * Remove version of init-system-helpers in keystone depends, as 1.18 is not
    available in Trusty.
  * By default, add a heat_stack_owner role.

 -- Thomas Goirand <zigo@debian.org>  Mon, 25 Jan 2016 16:09:28 +0800

keystone (1:9.0.0~b2-1) experimental; urgency=medium

  * New upstream release.
  * Fixed (build-)depends for this release.
  * Fixed debian/copyright ordering.
  * Standards-Version is now 3.9.6 (no change).
  * Fix syntax error on an old debian/changelog entry.

 -- Thomas Goirand <zigo@debian.org>  Mon, 07 Dec 2015 12:32:48 +0100

keystone (1:8.0.0-4) unstable; urgency=medium

  * If the debconf prompt for creating Keystone endpoint was yes, check first
    if there's no service already registered.
  * Also create a service project when creating users and tenants.
  * Setting-up /v2.0 as endpoint URL for Keystone to avoid compatibility issues
    with some services, even though we're using API v3.

 -- Thomas Goirand <zigo@debian.org>  Wed, 04 Nov 2015 09:06:22 +0000

keystone (1:8.0.0-3) unstable; urgency=medium

  * Switching Keystone to use and configure API v3 by default.

 -- Thomas Goirand <zigo@debian.org>  Mon, 02 Nov 2015 13:04:02 +0000

keystone (1:8.0.0-2) unstable; urgency=medium

  * Uploading to unstable.

 -- Thomas Goirand <zigo@debian.org>  Fri, 16 Oct 2015 13:11:24 +0000

keystone (1:8.0.0-1) experimental; urgency=medium

  * New upstream release.
  * Now depends on pymysql.
  * Added a /etc/apache2/sites-available/wsgi-keystone.conf.

 -- Thomas Goirand <zigo@debian.org>  Tue, 13 Oct 2015 14:56:01 +0200

keystone (1:8.0.0~rc1-1) experimental; urgency=medium

  * New upstream release.
  * Fixed (build-)depends for this release.
  * Rebased fixes-jsonschema-requirements.txt.patch.

 -- Thomas Goirand <zigo@debian.org>  Wed, 23 Sep 2015 14:11:47 +0200

keystone (1:8.0.0~b3-4) experimental; urgency=medium

  * Doing the db_sync using the --noverbose option.

 -- Thomas Goirand <zigo@debian.org>  Mon, 21 Sep 2015 12:40:13 +0000

keystone (1:8.0.0~b3-3) experimental; urgency=medium

  * Re-enabled KeystoneAdmin and KeystoneServiceAdmin roles, and using
    openstackclient instead of keystoneclient which is deprecated.
  * Stop doing pki_setup (it's not recommended upstream anymore).

 -- Thomas Goirand <zigo@debian.org>  Mon, 21 Sep 2015 09:36:02 +0000

keystone (1:8.0.0~b3-2) experimental; urgency=medium

  * Fixed some (build-)depends versions.
  * Added patch to fix requiremnts.txt regarding python-jsonschema version.
  * Fixed admin user, role and tenant creation.
  * Back to /v2.0/ endpoints.

 -- Thomas Goirand <zigo@debian.org>  Fri, 11 Sep 2015 08:45:50 +0000

keystone (1:8.0.0~b3-1) experimental; urgency=medium

  * New upstream release.
  * Now setting-up /v3 endpoint, not /v2.0.
  * Added AppArmor confinement for keystone-all.
  * Upstream removed run_tests.sh, now using testr directly.

 -- Thomas Goirand <zigo@debian.org>  Tue, 11 Aug 2015 14:36:02 +0200

keystone (1:8.0.0~b2-1) experimental; urgency=medium

  * New upstream release.
  * Fixed (build-)depends for this release.

 -- Thomas Goirand <zigo@debian.org>  Wed, 01 Jul 2015 12:29:17 +0200

keystone (2015.1.0-2) unstable; urgency=medium

  * Accepting SQLA 1.0.6.

 -- Thomas Goirand <zigo@debian.org>  Wed, 01 Jul 2015 02:47:07 +0000

keystone (2015.1.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thomas Goirand <zigo@debian.org>  Thu, 30 Apr 2015 20:55:28 +0000

keystone (2015.1~rc2-1) unstable; urgency=medium

  * New upstream release.
  * Uploading to unstable.
  * Review (build-)depends.

 -- Thomas Goirand <zigo@debian.org>  Mon, 22 Dec 2014 12:18:01 +0800

keystone (2014.2.1-1) experimental; urgency=medium

  * New upstream release.
  * Added oslo.serialization as (build-)depends.
  * Added depends: init-system-helpers (>= 1.18~), and deb-systemd-helper
    manual calls to activate the keystone.service.

 -- Thomas Goirand <zigo@debian.org>  Fri, 12 Dec 2014 17:29:27 +0800

keystone (2014.2-1) experimental; urgency=medium

  * New upstream release.

 -- Thomas Goirand <zigo@debian.org>  Thu, 16 Oct 2014 15:33:30 +0000

keystone (2014.2~rc2-1) experimental; urgency=medium

  * New upstream release.
  * Mangling upstream rc and beta versions in watch file.
  * Updated nl.po thanks to Frans Spiesschaert (Closes: #764205).
  * Using templated init script from openstack-pkg-tools >= 13.
  * Removed silly python-support build-depends.

 -- Thomas Goirand <zigo@debian.org>  Mon, 13 Oct 2014 00:47:25 +0800

keystone (2014.2~rc1-1) experimental; urgency=medium

  * New upstream release.
  * Updated (build-)depends for this release.

 -- Thomas Goirand <zigo@debian.org>  Tue, 30 Sep 2014 22:21:49 +0800

keystone (2014.2~b3-2) experimental; urgency=medium

  * Adds patch to avoid "git clone" when running the unit tests
    keystone.tests.test_keystoneclient.KcMasterTestCase.*. See
    https://review.openstack.org/122768/ for details.

 -- Thomas Goirand <zigo@debian.org>  Fri, 19 Sep 2014 14:36:23 +0800

keystone (2014.2~b3-1) experimental; urgency=medium

  * New upstream release.
  * New (build-)depends for this release.
  * Ship a systemd service file using dh-systemd.

  [ gustavo panizzo]
  * Support to run keystone as user keystone.
  * Support to run keystone under systemd.

 -- Thomas Goirand <zigo@debian.org>  Mon, 30 Jun 2014 23:07:59 +0800

keystone (2014.1.1-2) unstable; urgency=medium

  * CVE-2014-3476: privilege escalation through trust chained delegation.
    Applied upstream patch. (Closes: #751454).

 -- Thomas Goirand <zigo@debian.org>  Fri, 13 Jun 2014 17:30:08 +0800

keystone (2014.1.1-1) unstable; urgency=medium

  * New upstream release.
  * Remove cve-2014-0204-stable-icehouse.patch applied upstream.
  * Removed sql_migration_ensure_using_innodb_utf8_for_assignment_table.patch
    applied upstream.

 -- Thomas Goirand <zigo@debian.org>  Mon, 09 Jun 2014 23:22:20 +0800

keystone (2014.1-6) unstable; urgency=medium

  * Now build-depends on openstack-pkg-tools >= 12~.

 -- Thomas Goirand <zigo@debian.org>  Thu, 05 Jun 2014 09:09:54 +0000

keystone (2014.1-5) unstable; urgency=medium

  * Updates cve-2014-0204-stable-icehouse.patch with latest version from
    upstream (Closes: #749026).

 -- Thomas Goirand <zigo@debian.org>  Fri, 30 May 2014 23:09:45 +0800

keystone (2014.1-4) unstable; urgency=medium

  * Switched from restarting keystone to copytruncate in logrotate.

 -- Thomas Goirand <zigo@debian.org>  Thu, 29 May 2014 14:19:42 +0800

keystone (2014.1-3) unstable; urgency=medium

  * Added sql migration: ensure using innodb utf8 for assignment table which
    fixes upgrade path from Havana.
  * Fixed cs.po.
  * Added cve-2014-0204-stable-icehouse.patch.
  * Standards-Version: is now 3.9.5

 -- Thomas Goirand <zigo@debian.org>  Tue, 20 May 2014 23:26:00 +0800

keystone (2014.1-2) unstable; urgency=medium

  * Fixed debian/watch to use github tags.
  * Now using "service X restart" to restart keystone after logrotate, and stop
    using dpkg-dev (Closes: #747890).

 -- Thomas Goirand <zigo@debian.org>  Sat, 17 May 2014 01:54:29 +0800

keystone (2014.1-1) unstable; urgency=medium

  * New upstream release.
  * Uploading to unstable.
  * Fixed config file handling (DEFAULT/connection vs database/connection).
    (Closes: #744761).

 -- Thomas Goirand <zigo@debian.org>  Tue, 15 Apr 2014 15:30:07 +0800

keystone (2014.1~rc2-1) experimental; urgency=low

  * New upstream pre-release.
  * Removed broken patch: defines-gettext-function-to-avoid-ftbfs.patch

 -- Thomas Goirand <zigo@debian.org>  Wed, 09 Apr 2014 23:17:06 +0800

keystone (2014.1~rc1-1) experimental; urgency=low

  * New upstream release.
  * Fixed new upsteram (build-)dependencies.
  * Drops now useless fix-sqla-version-in-requirements patch.

 -- Thomas Goirand <zigo@debian.org>  Fri, 28 Mar 2014 14:39:11 +0800

keystone (2014.1~b3-1) experimental; urgency=low

  * New upstream release (Icehouse beta 3).
  * Refresh patches.
  * Reviewed (build-)dependencies.
  * Fixed sphinx build for docs and man pages.

 -- Thomas Goirand <zigo@debian.org>  Mon, 17 Feb 2014 15:27:56 +0800

keystone (2013.2.2-1) unstable; urgency=medium

  * New upstream point release.
  * Refreshed patches.
  * Remove patches applied upstream:
    Limit_calls_to_memcache_backend_as_user_token_index_increases_in_size.patch

 -- Thomas Goirand <zigo@debian.org>  Fri, 14 Feb 2014 09:57:43 +0800

keystone (2013.2.1-2) unstable; urgency=medium

  * Adds a cut -d" " -f1 when detecting the local interface connected to the
    default gateway, so that it works with more than one default gateway.
  * Updated es.po debconf translation thanks to Matias A. Bellone
    <matiasbellone+debian@gmail.com> (Closes: #732538).
  * Backported patch to replace oauth2 by oauthlib.
  * Changed dependency from oauth2 to oauthlib.

  [gustavo panizzo]
  * Patch to improve performance (lp: #1251123).

 -- Thomas Goirand <zigo@debian.org>  Fri, 20 Dec 2013 22:00:34 +0800

keystone (2013.2.1-1) unstable; urgency=high

  * New upstream release (Closes: #731981) This fixes CVE-2013-6391.
  * Refreshed sql_conn.patch.
  * Removed CVE-2013-4477-havana.patch now applied upstream.
  * (build-)depends on python-iso8601 >= 0.1.8 instead of 0.1.4.

 -- Thomas Goirand <zigo@debian.org>  Mon, 16 Dec 2013 16:46:48 +0800

keystone (2013.2-4) unstable; urgency=low

  * Fixes restart of keystone in logrotate script. (Closes: #731495).

 -- Thomas Goirand <zigo@debian.org>  Fri, 06 Dec 2013 15:18:07 +0800

keystone (2013.2-3) unstable; urgency=medium

  * Updated German debconf templates, thanks: Chris Leick <c.leick@vollbio.de>
    (Closes: #730454).

 -- Thomas Goirand <zigo@debian.org>  Wed, 04 Dec 2013 16:32:51 +0800

keystone (2013.2-2) unstable; urgency=low

  * Moved python-memcache to Depends: instead of Recommends:.
  * Added missing python-babel depends.
  * Fixes a failed install if the target computer doesn't have a default route
    (lp: #1247342).
  * CVE-2013-4477: remove role assignment adds role using LDAP assignment
    (Closes: #728233).

 -- Thomas Goirand <zigo@debian.org>  Sun, 03 Nov 2013 16:02:42 +0800

keystone (2013.2-1) unstable; urgency=low

  * New upstream release.
  * Uploading to unstable.

 -- Thomas Goirand <zigo@debian.org>  Fri, 18 Oct 2013 00:18:57 +0800

keystone (2013.2~rc3-1) experimental; urgency=low

  * New upstream release.

 -- Thomas Goirand <zigo@debian.org>  Sat, 29 Jun 2013 22:31:32 +0800

keystone (2013.1.2-1) unstable; urgency=low

  [ Thomas Goirand ]
  * Ran wrap-and-sort.
  * New upstream release.

  [ gustavo panizzo <gfa@zumbi.com.ar> ]
  * Add support for TLS when using LDAP.
  * CVE-2013-2157: Authentication bypass when using LDAP backend.
    [OSSA 2013-015]

 -- Thomas Goirand <zigo@debian.org>  Thu, 30 May 2013 11:25:11 +0800

keystone (2013.1.1-2) unstable; urgency=low

  * Uploading to unstable.
  * New upstream release:
    - Fixes CVE-2013-2059: Keystone tokens not immediately invalidated when
    user is deleted [OSSA 2013-011] (Closes: #707598).
  * Also installs httpd/keystone.py.

 -- Thomas Goirand <zigo@debian.org>  Fri, 10 May 2013 10:22:18 +0800

keystone (2013.1-1) experimental; urgency=low

  * New upstream release.

 -- Thomas Goirand <zigo@debian.org>  Wed, 30 Jan 2013 20:12:55 +0800

keystone (2012.2.3-2) experimental; urgency=low

  * CVE-2013-1865: Online validation of Keystone PKI tokens bypasses
    revocation check.

 -- Thomas Goirand <zigo@debian.org>  Thu, 21 Mar 2013 00:52:02 +0800

keystone (2012.2.3-1) experimental; urgency=low

  * New upstream release.
  * CVE-2013-0247: Keystone denial of service through invalid token requests.
  * CVE-2013-0282 Keystone EC2-style authentication accepts disabled
    user/tenants (Closes: #700947).
  * CVE-2013-1664 & CVE-2013-1665: Information leak and Denial of Service using XML entities
    (Closes: #700948)

 -- Thomas Goirand <zigo@debian.org>  Sun, 03 Feb 2013 11:05:36 +0800

keystone (2012.2.1-1) experimental; urgency=low

  * New upstream version.
  * Rewrite of the maintainer scripts using the pkgos scripts.
  * Fixes etc/default_catalog.templates to include Quantum config and
  to use regionOne and not RegionOne by default.
  * Increased compat level to 9 (and debhelper build-dep).
  * Fixes build-dep git-core -> git.

 -- Thomas Goirand <zigo@debian.org>  Sun, 02 Dec 2012 13:08:38 +0000

keystone (2012.2~rc1-1) experimental; urgency=low

  * New snapshot release
  * Refresh patches
  * Remove CVE-2012-3542 incorporated upstream

 -- Mehdi Abaakouk <sileht@sileht.net>  Mon, 24 Sep 2012 10:37:31 +0200

keystone (2012.2~e3-1) experimental; urgency=low

  [ Mehdi Abaakouk ]
  * New upstream version.

  [ Thomas Goirand ]
  * Fixed build-dependencies correctly.
  * Made the package compatible with Ubuntu.
  * Now using xz level 9 compression.

 -- Mehdi Abaakouk <sileht@sileht.net>  Mon, 10 Sep 2012 17:56:09 +0200

keystone (2012.1.1-13+wheezy1) wheezy-proposed-updates; urgency=low

  * CVE-2013-2059: Keystone tokens not immediately invalidated when user is
    deleted [OSSA 2013-011]. Added backported to Essex patch which I picked-up
    from Launchpad. Thanks to the Canonical security team (Closes: #707598).

 -- Thomas Goirand <zigo@debian.org>  Fri, 10 May 2013 10:09:14 +0800

keystone (2012.1.1-13) unstable; urgency=high

  * CVE-2013-0282: Ensure EC2 users and tenant are enabled (Closes: #700947).
  * CVE-2013-1664 & CVE-2013-1665: Information leak and Denial of Service using
    XML entities (Closes: #700948).

 -- Thomas Goirand <zigo@debian.org>  Tue, 19 Feb 2013 12:56:42 +0800

keystone (2012.1.1-12) unstable; urgency=low

  * CVE-2013-0247: Keystone denial of service through invalid token requests
    (Closes: #699835).

 -- Thomas Goirand <zigo@debian.org>  Wed, 06 Feb 2013 09:52:07 +0800

keystone (2012.1.1-11) unstable; urgency=high

  * Applies security patch from upstream: Ensures User is member of tenant in
  ec2 validation (Closes: #694433).
  * Added Japanese debconf template translation, thanks to victory
  <victory.deb@gmail.com> (Closes: #693056).

 -- Thomas Goirand <zigo@debian.org>  Mon, 26 Nov 2012 14:05:33 +0000

keystone (2012.1.1-10) unstable; urgency=low

  * Fixes keystone.config which wasn't starting dbconfig-common at first
  setup.
  * Do not use override_dh_fixperms:, sets the permissions of keystone.conf in
  the postinst using "install -m" instead of cp -auxf.
  * The default db is now sqlite:///var/lib/keystone/keystonedb, since that's
  what we run with Folsom, and that it might cause problems as
  "keystone.sqlite" isn't a valid MySQL db name. Changed debian/keystone.config
  accordingly.

 -- Thomas Goirand <zigo@debian.org>  Wed, 10 Oct 2012 15:46:14 +0000

keystone (2012.1.1-9) unstable; urgency=high

  * Fixes sometimes failing keystone.postrm (db_get in some conditions can
  return false), and fixed non-consistant indenting.
  * Uses /usr/share/keystone/keystone.conf instead of /usr/share/doc/keystone
  /keystone.conf.sample for temporary storing the conf file (this was a policy
  violation, as the doc folder should never be required).
  * Fixes CVE-2012-4457: fails to raise Unauthorized user error for disabled,
  CVE-2012-4456: fails to validate tokens in Admin API (Closes: #689210).

 -- Thomas Goirand <zigo@debian.org>  Mon, 01 Oct 2012 05:52:23 +0000

keystone (2012.1.1-8) unstable; urgency=low

  * Fixes parsing of the SQL connection in keystone.config.

 -- Thomas Goirand <zigo@debian.org>  Sun, 30 Sep 2012 01:48:50 +0000

keystone (2012.1.1-7) unstable; urgency=low

  * Fixes band handling (eg: policy violation) of keystone.conf which was
  conffiles, but changed in the posinst (Closes: #687311).

 -- Thomas Goirand <zigo@debian.org>  Wed, 12 Sep 2012 17:09:47 +0000

keystone (2012.1.1-6) unstable; urgency=high

  * CVE-2012-4413: Revoking a role does not affect existing tokens
  (Closes: #687428).

 -- Thomas Goirand <zigo@debian.org>  Sun, 09 Sep 2012 02:21:11 +0000

keystone (2012.1.1-5) unstable; urgency=low

  * CVE-2012-3542: Fixes lack of authorization for adding users to tenants
  (Closes: #686265)
  * Added Chinese debconf translation thanks to ben <duyujie.dyj@gmail.com>.
  * Really adds the nl debconf translation this time (Closes: #685671).

 -- Thomas Goirand <zigo@debian.org>  Mon, 27 Aug 2012 11:45:44 +0000

keystone (2012.1.1-4) unstable; urgency=low

  * Updated debian/keystone.templates, debian/control after review from
  the internationalization team (Closes: #683414, #679295).
  * Updated debconf translations with thanks to:
  - de: Pfannenstein Erik <epfannenstein@gmx.de> (Closes: #684877)
  - cs: Michal Šimůnek <michal.simunek@gmail.com> (Closes: #685434)
  - pl: Michał Kułach <michalkulach@gmail.com> (Closes: #685431)
  - fr: David Prévot <taffit@debian.org> (Closes: #685325)
  - sv: Martin Bagge <brother@bsnet.se> (Closes: #684942)
  - sk: helix84 <helix84@centrum.sk> (Closes: #684606)
  - ru: Yuri Kozlov <yuray@komyakino.ru> (Closes: #684590)
  - da: Joe Dalton <joedalton2@yahoo.dk> (Closes: #684565)
  - pt: Pedro Ribeiro <p.m42.ribeiro@gmail.com> (Closes: #682438)
  - es: SM Baby Siabef <siabef.debian@gmail.com> (Closes: #685435)
  - it: Beatrice Torracca <beatricet@libero.it> (Closes: #685623)
  * Added debconf translations with thanks to:
  - pt_BR: Adriano Rafael Gomes <adrianorg@gmail.com> (Closes: #685405)
  - nl: Jeroen Schot <schot@A-Eskwadraat.nl> (Closes: #685671)

 -- Thomas Goirand <zigo@debian.org>  Tue, 21 Aug 2012 08:06:07 +0000

keystone (2012.1.1-3) unstable; urgency=low

  * Re-added Debconf template which has been removed by the patch of 2012.1.1-2
  from Bubulle (Closes: #683337).
  * Removed one occurence of a dependency declared twice: python-sqlalchemy.

 -- Thomas Goirand <zigo@debian.org>  Tue, 31 Jul 2012 12:37:24 +0000

keystone (2012.1.1-2) unstable; urgency=low

  * Debconf templates and debian/control reviewed by the debian-l10n-
    english team as part of the Smith review project. Closes: #679295
  * [Debconf translation updates]
  * Recycle translations from nova for several languages. Additionnally:
  * Danish (Joe Hansen).  Closes: #680082
  * Swedish (Martin Bagge / brother).  Closes: #680847
  * Spanish; (SM Baby Siabef).  Closes: #681003
  * Italian (Beatrice Torracca).  Closes: #681249
  * Slovak (Ivan Masár). Closes: #682784
  * Fixed the get-vcs-source target in debian/rules.

 -- Thomas Goirand <zigo@debian.org>  Thu, 19 Jul 2012 06:21:30 +0000

keystone (2012.1.1-1) unstable; urgency=low

  * New upstream release.

 -- Ghe Rivero <ghe.rivero@stackops.com>  Fri, 22 Jun 2012 09:41:24 +0200

keystone (2012.1-3) unstable; urgency=low

  * Add logrotate for keystone.log. Closes: #663717

 -- Mehdi Abaakouk <sileht@sileht.net>  Tue, 22 May 2012 14:48:56 +0200

keystone (2012.1-2) unstable; urgency=low

  * Fixed python version requisites on webob and pam. Closes: #665804

 -- Ghe Rivero <ghe.rivero@stackops.com>  Wed, 02 May 2012 10:17:35 +0200

keystone (2012.1-1) unstable; urgency=low

  * New upstream release

 -- Ghe Rivero <ghe.rivero@stackops.com>  Mon, 09 Apr 2012 09:06:22 +0200

keystone (2012.1~rc2-1) unstable; urgency=low

  * New upstream release.

 -- Ghe Rivero <ghe.rivero@stackops.com>  Wed, 04 Apr 2012 10:09:36 +0200

keystone (2012.1~rc1-2) unstable; urgency=low

  * Removed check timeout from keystone.postinst. Closes: #665739

 -- Ghe Rivero <ghe@debian.org>  Tue, 27 Mar 2012 13:12:01 +0200

keystone (2012.1~rc1-1) unstable; urgency=low

  * New upstream release.

 -- Ghe Rivero <ghe.rivero@stackops.com>  Sat, 24 Mar 2012 09:14:50 +0100

keystone (2012.1~e4+git35-g4e4f793-1) UNRELEASED; urgency=low

  [ Julien Danjou ]
  * Install egg-info
  This is needed at least for Swift.

  [ Ghe Rivero ]
  * Added keystone/auth-token question. Closes: #662458

 -- Julien Danjou <acid@debian.org>  Fri, 02 Mar 2012 10:34:30 +0100

keystone (2012.1~e4-1) unstable; urgency=low

  *  New upstream release

 -- Ghe Rivero <ghe@debian.org>  Fri, 02 Mar 2012 08:38:43 +0100

keystone (2012.1~e3+git772-g6919b05-1) UNRELEASED; urgency=low

  [ Julien Danjou ]
  * Fix permissions /etc/keystone
  * Add projectmanager role on initial database creation
  * Do not run dbconfig by default
    That fixes LP#931236 until #607171 is fixed in dbconfig-common.
    Patch based on:
    http://bazaar.launchpad.net/~ubuntu-server-dev/keystone/essex/revision/83

 -- Julien Danjou <acid@debian.org>  Mon, 06 Feb 2012 10:35:52 +0100

keystone (2012.1~e3-4) unstable; urgency=low

  * Add missing python-migrate, python-prettytable, python-mox in
    build deps (Closes: #658592)
  * Deactivate tests because they fails (upstream problem)

 -- Julien Danjou <acid@debian.org>  Mon, 06 Feb 2012 10:35:52 +0100

keystone (2012.1~e3-3) unstable; urgency=low

  * Add missing dependency on python-dateutil

 -- Julien Danjou <acid@debian.org>  Tue, 31 Jan 2012 12:37:35 +0100

keystone (2012.1~e3-2) unstable; urgency=low

  * Add dbconfig prerm

 -- Julien Danjou <acid@debian.org>  Fri, 27 Jan 2012 16:13:48 +0100

keystone (2012.1~e3-1) unstable; urgency=low

  * New upstream release.
  * Use dbconfig to configure database

 -- Julien Danjou <acid@debian.org>  Thu, 26 Jan 2012 17:03:10 +0100

keystone (2012.1~e2-4) unstable; urgency=low

  * Fix default location of keystone db file

 -- Ghe Rivero <ghe@debian.org>  Tue, 24 Jan 2012 09:43:15 +0100

keystone (2012.1~e2-3) unstable; urgency=low

  * Add missing build depends on python-nose (Closes: #652805)
  * Remove useless python fields in control

 -- Julien Danjou <acid@debian.org>  Tue, 27 Dec 2011 11:40:18 +0100

keystone (2012.1~e2-2) unstable; urgency=low

  * Fix init script

 -- Julien Danjou <acid@debian.org>  Mon, 19 Dec 2011 17:16:48 +0100

keystone (2012.1~e2-1) unstable; urgency=low

  * New upstream release.
  * Disable doc building because it's currently failing.

 -- Julien Danjou <acid@debian.org>  Fri, 16 Dec 2011 11:12:44 +0100

keystone (2012.1~e1-2) unstable; urgency=low

  * Fix python-keystone installation file by including only keystone lib
    (Closes: #649907).
  * Add missing manpages.

 -- Julien Danjou <acid@debian.org>  Fri, 25 Nov 2011 10:43:59 +0100

keystone (2012.1~e1-1) unstable; urgency=low

  * New upstream release.
  * Cherry-pick 33c1c9390331b3bacd3791b537b6a1147715925c from upstream to
    fix documentation building.

 -- Julien Danjou <acid@debian.org>  Thu, 24 Nov 2011 16:21:50 +0100

keystone (2011.3-1) unstable; urgency=low

  * Initial release (Closes: #647611)

 -- Julien Danjou <acid@debian.org>  Tue, 15 Nov 2011 11:29:13 +0100
