authorMatt Thode <prometheanfire@gentoo.org>2013-06-14 21:57:46 +0000
committerMatt Thode <prometheanfire@gentoo.org>2013-06-14 21:57:46 +0000
commitbd3fc9bddb48beb88d600fc56f46c47510910016 (patch)
tree64bc80eef08c2b7232f5a68913834389cbc3d12b /sys-auth
parentMove latest from kde overlay wrt bug 473296. (diff)
keystone fixed for CVE-2013-2157 bug 473304
Package-Manager: portage-2.1.11.62/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-auth')
-rw-r--r--sys-auth/keystone/ChangeLog12
-rw-r--r--sys-auth/keystone/Manifest34
-rw-r--r--sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch78
-rw-r--r--sys-auth/keystone/files/keystone-grizzly-2-CVE-2013-2157.patch83
-rw-r--r--sys-auth/keystone/keystone-2012.2.4-r5.ebuild (renamed from sys-auth/keystone/keystone-2012.2.4-r4.ebuild)3
-rw-r--r--sys-auth/keystone/keystone-2013.1.2-r1.ebuild (renamed from sys-auth/keystone/keystone-2013.1.2.ebuild)3
6 files changed, 194 insertions, 19 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index abffcccf6dab..ac0444f6f7fe 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.21 2013/06/06 19:24:26 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.22 2013/06/14 21:57:36 prometheanfire Exp $
+
+*keystone-2013.1.2-r1 (14 Jun 2013)
+*keystone-2012.2.4-r5 (14 Jun 2013)
+
+ 14 Jun 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/keystone-folsom-4-CVE-2013-2157.patch,
+ +files/keystone-grizzly-2-CVE-2013-2157.patch, +keystone-2012.2.4-r5.ebuild,
+ +keystone-2013.1.2-r1.ebuild, -keystone-2012.2.4-r4.ebuild,
+ -keystone-2013.1.2.ebuild:
+ keystone fixed for CVE-2013-2157 bug 473304
*keystone-2013.1.2 (06 Jun 2013)
diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest
index 01e2ac4eac27..3ada298fc886 100644
--- a/sys-auth/keystone/Manifest
+++ b/sys-auth/keystone/Manifest
@@ -5,31 +5,33 @@ AUX keystone-folsom-4-CVE-2013-1977.patch 1114 SHA256 af81df239364cab3f94b146363
AUX keystone-folsom-4-CVE-2013-2030.patch 2318 SHA256 fd824a4000da663568f26dbcfa6de031911ebdca1dea2c0958b3d5398d4d9ba6 SHA512 6b00a6d9062dd418299f9f02891fbfaa86f8f69db394ccfff31367555d1d7dbad1cf0d5a8647b61addeaabd2107b9f75cdc1986df8186de5c428f33533abffab WHIRLPOOL 842c4adb14c4a4501ea84c0082c0f28295027e27fee9957eafea6db9397a26c4955eb355b955d625bf5df818c1178af2267270aedec93bc47da8f17b59eaeca2
AUX keystone-folsom-4-CVE-2013-2059.patch 2340 SHA256 9c3a1d953abd719c55c77fd13295c0aa5caf730a4656f3a111a1bfc1d92a282c SHA512 c6f50ed21c95c7be256f0a15ef804eaf16f32fec038be53742ce85b9a303f4c613728c95af606aafd779009f298a68517668594a590fa40258dbbb6646c3fbed WHIRLPOOL 723b4d0e5573a2e7473e4613fcfc717d1e0d90ff18a7559baa7fe0a21c6c5fcb84648afcb227ea9231ed87738e0c17cf79153287d2d6b14a65974a67e78dbd2f
AUX keystone-folsom-4-CVE-2013-2104.patch 12123 SHA256 28893546fa4d9df031285f892be629a475d0464e0c8a9e0a9ab77df7ef8d7fba SHA512 8116ee1227af98a7fd640ea2f16fab9f9a41af24d71d2d82031804dc19fc3aae4d26cc20233d7304a42423fa6b06e69766d19e11ba6fb8adeadc8ffa83f8ae34 WHIRLPOOL 5448626f6ac17eb7512d43683badbf12f1ca1de2b8ab706a786cb17db22b5f9da48d099d1ed33c429ac715621e64707b4d453ccaaf5a83b9408dba43bf51a021
+AUX keystone-folsom-4-CVE-2013-2157.patch 3068 SHA256 fe1cbdef818977610b8f6fa9bf9b2c11a4aab854d1b3da963d9f6d5624e707e0 SHA512 4cebd7f28ebc606fc35a65921d00ff7b989e092371cd3ccaeee2f48d5a6278fea45eee01ee92daba1d75125733ab1a5997d844c5ee0c01fa4b4aa6d317f8e516 WHIRLPOOL 3563405e1f958da3ac1d5f1e06627f49f5740893852f1d826a2f2013f698f25107062bf6d8e89b0243b33fff6e1f1718d2090dc3d9d7a46195bc9ad53ed09dc2
AUX keystone-grizzly-1-CVE-2013-1977.patch 1545 SHA256 a052c366ed38f4a40e10809080da9106400de59224323b21ef5e609f71674c52 SHA512 59b4cd7a83bc662d9e0459fefe6a5d8a3976fd653220d9248c97a8007af45d23cc0bb38bbba378bdaf5951c70901bbebde709b1717980fb3741da11a21d30573 WHIRLPOOL e2e1f5f9c02edd07a3e738ca8d6997a64df65a147c75d19d0d269712a3b92b77506c0941d131a9183ccea6f0ffed13a1e5e746d39555675c5cb132ff5ade1020
+AUX keystone-grizzly-2-CVE-2013-2157.patch 3371 SHA256 7f4e10e1c559dc8f3ece1a42115f17dc069d86140b4e4ecd6309eae5b787d341 SHA512 a9245c718548da6cd60b29e7cf6c0bd61b18a94cead8200b74d657342b5ef68ad4b4a0e1104121eb32359f960f96ad3840fec285a1d72b26b9729845ae4a8ac7 WHIRLPOOL a8494a2d6f4b5151780e6bcd1a21c409ca8921a4907aca529b72473745fd895c75dfcf926889a1a00f6d3d7446d849e44ce88c25dcfbdd74fdf96421ff78f1eb
AUX keystone.confd 67 SHA256 8faa32d3354df30b1d1c98cf481be162c27583b84e387f8da57611b689bc2448 SHA512 75b040eda6ef8701e8dac8f34b3dd3c96aedde3b005fac01f20592b3d8afb8bbce57fadc466cda69d7192f96460a5c704d941a16b96d02f3e80f1a3e264c2efe WHIRLPOOL 8e8cb4e8991ca8d8cf1e874bd2286900ca63379c73793bca906ecfc1318ee63a8af6d1f6090e9ef296bfbe5abf018368a5ad6430de1efdea0db626d8c697f3c4
AUX keystone.initd 1177 SHA256 fcf7e532f2f3fad8413455f67d8e9c4c0522ff99e69bd95d4fff49d2dfa243ac SHA512 a0281f5fdd96963d9479a3463e6b5f1947a2c3c8694e464d4d293ef237392bed796ec7b8431e1add7b73334ed5e11158347f35ab562edda5f7aa7bdb9b05e51e WHIRLPOOL d819103e6f2bdd7ca4d5ab2f645f8ca168cc46567ff7c2d00cb2d536c08319aaa472b06b8f98cf2b6de940089f444e7aa752e4c9deeb849a834108394dfe1862
AUX keystone_test-requires.patch 1082 SHA256 6c91814d1a6aea942f23767b13a9ad77fb08ae16255887d974abd9db852c563a SHA512 d6fc133b44555e50895b9d82f9240aff284e1668ef35823a3e82900ccf9e6a7e11a448f4998c1d8f0938f5d45ce1506bd27417f576ee99aa7738ae74424ec343 WHIRLPOOL 0689d244f94a5489c7ca4551c5fb7c436f6012a932b4fb0142a759c734d5ce24a1aa813c9c1a5356dc38f4b4b342c85703413656139085155f9c5ab89dd012c5
DIST keystone-2012.2.4.tar.gz 555448 SHA256 ab3a9a6c1f8ef9b95a73920883294f888f298db6330b8d4ed43e28354e8ca7af SHA512 481bde4372525c92144059c94d95ddac95dc720e486428f2e7ad1d5e0c6c2b6eb9a17be40f83c5866b522a512a2a3d331a08498c6704b794fea343fc2c0c1d93 WHIRLPOOL 243d9fe82988fd6057ffdae7971b570cb129a168fba3f6a38ea105fadc51e7e9fbfd29d88bb389572fc00cfbe0cc17e9e4c4f4ebf9d61ff589148b1b0c171558
DIST keystone-2013.1.2.tar.gz 794322 SHA256 9a4fc5d39e9cc64ab032aabf1687106f36ee7a0b3c98b988561e09afa7d121ce SHA512 5b32a1c910103e6ced10c0439af4452466f1f9e0b14382c3e10db5776039b02198f5dfbf9ebea9a05c175b9aad0d7c58e7785c4dbf6f193a1668521f81246b72 WHIRLPOOL cbf7773fab6cd4e13c9e85d851dfd10382dd12e4f984eac9fff170b611457f8aaa5cc964a571e9d7eef0efce12504c2d0c2cc1fae954b90f1925c9837e04544d
-EBUILD keystone-2012.2.4-r4.ebuild 2640 SHA256 b41240e50c6f943523f619c3c8f2001f3ab03f6de4070d8c1a61274a8cb5abde SHA512 7eb59189fab88d910d201d2a1099af1317327e9544dbba65803055f4a13958c9c676c7b807b68ab197c9c72a0a94991ccfdf8a88a917ff92b4315ac3507a62b1 WHIRLPOOL 6dd2f64318c2d15ad96b3d91f7c0054c011f1d5f0483c4f36957b59052e13c8a02d8fe9eed8300e3c85033c2f1863f04301a3263227a9c6d8e7eb79d928621fd
-EBUILD keystone-2013.1.2.ebuild 2920 SHA256 a25fc59e7181f0a5a7426fd1c25cf296dbd3dc0e91ad0c70935441e176468ff5 SHA512 1eced3a90437a3ac4992e679a01d97c2eea2f46f31fdea0e5566254dfde555298c70a8ad9cbb4afd3afdeff9a68706a9a3e1fb9d3d9b46669f9810bb65bd98d4 WHIRLPOOL d8a40224d8bbe22c55f77cadcd1485da107b4fdf1be625ed4e5b71819c5fe77b007e7858a19d4d9d4096347eec89883cfb10b05b087baec296e82c3b8b8c03d7
+EBUILD keystone-2012.2.4-r5.ebuild 2693 SHA256 4ff82e1e015666463dbd3c81113031bba25d5e5a065bf5f6f9989c72eef34d5e SHA512 16d3d45f3dbc87eff6836fb4cc6119f6bc37dc5c8490adf2bdaebc241b7e869491ba103695433a5998c5c92079318d4f860a50fda3fbbcc9187a5b7601158cc3 WHIRLPOOL 819a114f04b645dd42ba02149e5d12a70c07a9c0058c69a31b0e0ba6bfe83f6f4bb633ecc84c09d91c63ab534d717bb0a2402e4c15c8cfd2cd2375ed5e858df2
+EBUILD keystone-2013.1.2-r1.ebuild 2977 SHA256 c33932da48d77d9447e320ee66e0d345684561392ec0dfef529702a0dbac73d3 SHA512 7669401013913cef231d75880bbd054184e1a1f6b24dc7ac8d07546f046da37c67afdbe2cd639d6206a78667823f0ebf5f16ff876bfc18ef7563a40412bb2394 WHIRLPOOL b8fb8453b0b5d3248c0b527fe740afd07362203b1da65f30aed82d2b822c2d5321a6f7e7cb4788bbaba1262dedc1f9f592112e93cb200d87ccfeec7357982549
EBUILD keystone-9999.ebuild 2942 SHA256 048862e16792a3de401129f16b01fdfedbbcebc0f126dd1a39fb63c0118cd030 SHA512 767dccb4ce53d3162156f965c97bb4d33ff6d1d7dfd5efaa3a223d66915694f2d946e6e7774b73ac1c4f5a42af6228dafd3f30d3fb57da59bc293bae141a18a7 WHIRLPOOL 944e87af5b6a7f4276d49751d0b578052257c833350a568e7dd031f138b20a1714e38874f4992486fd8ca51d83e01516c055a244c634ec35e931149d120fdbc2
-MISC ChangeLog 4703 SHA256 011200036eb409d09858538d101456c08b7767a1782252abae0615228e4ee660 SHA512 124753ed9b00f52b042178fd839ebcba529aa37d866cbc38fb9271a8331676ab1296e974ad801975a827e149f5059218f96d1074a697326daa872ed5e5820bee WHIRLPOOL 0f91091c666a5e42b832b5b4fc6fbc9bc1a2a67cdfe5cd4cf0d7569d32d5b0a045b6fde14c22ba9131960ec54576cea7c077ebf80a1b05e9d06c9bbf80268091
+MISC ChangeLog 5098 SHA256 1e71019a0723ab1f1287c09eb9d70518bf4aef6dced5cbc43e918afd81f08fe9 SHA512 626340a15eccd1bf470e0df2dab672934d606fca0a0307f2ee7950de598da65a88ba6ec7b686ffaa6ac55c11a31aab4822852323cd83b9f37b0e63dfb3f94f87 WHIRLPOOL ae3e2a800c8bb1200a28e94d661f0e2fe2a5044f9a046fc5dd654f836bbbd6b08fc7340dc05054287900915ee6f4c2fa11e35ff1a968ab35c491363a622054ab
MISC metadata.xml 399 SHA256 7f8946a43a8187a3901e53e0e3b4293e49bb2a1d1785c472b1d0ffd83e0ba2a8 SHA512 9448005b3be5621b302b4c71d190c621f245163a2c7aa8277a3af8132558543c774e9bb20b39bcb0ad896db5d2feac7649b107d7850f68e437f18214891ab16f WHIRLPOOL b46a5eadc17d5e38d23efed9620772e6d5e2cbd7733e1c0a8d15a506cacc8a31e9b26a354a1b749a7c64bff08722658b2feb651679a6a6054cd3b551839ddb38
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-iQIcBAEBCAAGBQJRsOI8AAoJECRx6z5ArFrDd30P/RwtF6NBhZ6qlSc+Uxm3WURt
-bymC6rsrHTk+HvRUDZuSS4NGy5YzR87T/ArG0pJ3JVhAIwyhz62qS8q4plRoLnig
-oS7RvSgUipX3HgPoLUZuTbyclavWiJFWo+HoGl0Bun7IWPP29nMWXAlNzgFpvzAM
-KirPFeh7AKaXIulct3k7BfBayX9kWd9sb6v1trQIbsR2rD3pnD/LOoVHVVTf+jQD
-gqKfnzsNlAhJyZfQEEjwgz9reI4ZTzh/qXnHVvbwfB5D0WDbllhptdimx2cuqods
-SRsYO2zoDVMbScuC6eWjbB6Sk0lacejM+n0N8t1cZ+X1jaM3WtB1vc8d4BvmEysm
-grpKnEyFGguQw8GkJXYoiDLb+0hjQI+wCVtPhiUNwNxzL9HpjD5zcQc+bdbQPFmh
-Fw1z4vP3HkJ7FB7JiO8VZg3Yb7OxbM54pGOBMYBnK8exIDkklcNc4PJ/rPcVInW4
-pWZD+CT03DkyH7a3QHQoBTv5MD64fgp1+1Dt9RIt2/B/FzJwnqepSL8XPLdAZLzm
-Qthrf9j5J6GQznewSnVTafvkP+Jqggt/qiNh4BDrh9dTB8b55JJPTlJpktDERGO2
-z+zF6HXt9RH3N3ZDhmwthuYO5HcR1Dli9EPCM8uKn5mHZel4ICa9r0f2spOOdmrQ
-38MI8pxBWPutq7Wijmak
-=zsvt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+=CGEC
-----END PGP SIGNATURE-----
diff --git a/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch
new file mode 100644
index 000000000000..e2a172b5dafb
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch
@@ -0,0 +1,78 @@
+From 953fd4a2ac43ffcdf7edb4a35e0ca6a1c573092d Mon Sep 17 00:00:00 2001
+From: Jose Castro Leon <jose.castro.leon@cern.ch>
+Date: Thu, 6 Jun 2013 10:57:09 -0500
+Subject: [PATCH] Force simple Bind for authentication
+
+The authentication code was using a common code path with
+other LDAP code that got an LDAP connection. If the system
+was configured to do Anonymous binding, users could by pass
+the authentication check.
+
+This patch forces the authentication code to do a simple_bind.
+
+Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
+---
+ keystone/identity/backends/ldap/core.py | 14 ++------------
+ tests/test_backend_ldap.py | 16 ++++++++++++++++
+ 2 files changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
+index 03d3ab6..e5bfcf6 100644
+--- a/keystone/identity/backends/ldap/core.py
++++ b/keystone/identity/backends/ldap/core.py
+@@ -58,18 +58,6 @@ class Identity(identity.Driver):
+ self.tenant = TenantApi(CONF)
+ self.role = RoleApi(CONF)
+
+- def get_connection(self, user=None, password=None):
+- if self.LDAP_URL.startswith('fake://'):
+- conn = fakeldap.FakeLdap(self.LDAP_URL)
+- else:
+- conn = common_ldap.LdapWrapper(self.LDAP_URL)
+- if user is None:
+- user = self.LDAP_USER
+- if password is None:
+- password = self.LDAP_PASSWORD
+- conn.simple_bind_s(user, password)
+- return conn
+-
+ # Identity interface
+ def authenticate(self, user_id=None, tenant_id=None, password=None):
+ """Authenticate based on a user, tenant and password.
+@@ -85,6 +73,8 @@ class Identity(identity.Driver):
+ except exception.UserNotFound:
+ raise AssertionError('Invalid user / password')
+
++ if not user_id or not password:
++ raise AssertionError('Invalid user / password')
+ try:
+ conn = self.user.get_connection(self.user._id_to_dn(user_id),
+ password)
+diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
+index 5f0137c..88e48c5 100644
+--- a/tests/test_backend_ldap.py
++++ b/tests/test_backend_ldap.py
+@@ -65,3 +65,19 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
+ user_api = identity_ldap.UserApi(CONF)
+ self.assertTrue(user_api)
+ self.assertEquals(user_api.tree_dn, "ou=Users,%s" % CONF.ldap.suffix)
++
++ def test_authenticate_requires_simple_bind(self):
++ user = {
++ 'id': uuid.uuid4().hex,
++ 'name': uuid.uuid4().hex,
++ 'password': uuid.uuid4().hex,
++ 'enabled': True,
++ }
++ self.identity_api.create_user(user['id'], user)
++ self.identity_api.user.LDAP_USER = None
++ self.identity_api.user.LDAP_PASSWORD = None
++
++ self.assertRaises(AssertionError,
++ self.identity_api.authenticate,
++ user_id=user['id'],
++ password=None)
+--
+1.8.2.3
+
+
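Review bot: The regression test in the embedded tests/test_backend_ldap.py change exercises only `password=None`, although the new guard `if not user_id or not password:` in authenticate() is also the only thing that rejects an empty-string password. Directory servers that permit unauthenticated binds accept a simple bind with an empty password, so that case deserves its own assertion, for example a second `self.assertRaises(AssertionError, self.identity_api.authenticate, user_id=user['id'], password='')`. I would also put a comment above the guard, `# Empty credentials would turn simple_bind_s into an anonymous bind; reject them before connecting.`, because the reason is otherwise recorded only in the patch description. The same two points apply to keystone-grizzly-2-CVE-2013-2157.patch, where the authenticate() call additionally passes `tenant_id`. authenticate() starts and ends outside the inner hunk, so the placement of the guard relative to the rest of the method cannot be checked from here.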
diff --git a/sys-auth/keystone/files/keystone-grizzly-2-CVE-2013-2157.patch b/sys-auth/keystone/files/keystone-grizzly-2-CVE-2013-2157.patch
new file mode 100644
index 000000000000..37a724cf3d8a
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-grizzly-2-CVE-2013-2157.patch
@@ -0,0 +1,83 @@
+From 1eaaf4ddb94626f3ff44931e764858161468e159 Mon Sep 17 00:00:00 2001
+From: Jose Castro Leon <jose.castro.leon@cern.ch>
+Date: Tue, 4 Jun 2013 11:59:35 -0400
+Subject: [PATCH] Force simple Bind for authentication
+
+The authentication code was using a common code path with
+other LDAP code that got an LDAP connection. If the system
+was configured to do Anonymous binding, users could by pass
+the authentication check.
+
+This patch forces the authentication code to do a simple_bind.
+
+Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
+---
+ keystone/identity/backends/ldap/core.py | 14 ++------------
+ tests/test_backend_ldap.py | 20 ++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
+index 1fad1120667f4d86f6d05c0109827be7e2160248..9ada436c8b2308a300966bacf8d2a7d78b118331 100644
+--- a/keystone/identity/backends/ldap/core.py
++++ b/keystone/identity/backends/ldap/core.py
+@@ -52,18 +52,6 @@ class Identity(identity.Driver):
+ self.role = RoleApi(CONF)
+ self.group = GroupApi(CONF)
+
+- def get_connection(self, user=None, password=None):
+- if self.LDAP_URL.startswith('fake://'):
+- conn = fakeldap.FakeLdap(self.LDAP_URL)
+- else:
+- conn = common_ldap.LdapWrapper(self.LDAP_URL)
+- if user is None:
+- user = self.LDAP_USER
+- if password is None:
+- password = self.LDAP_PASSWORD
+- conn.simple_bind_s(user, password)
+- return conn
+-
+ def _validate_domain(self, ref):
+ """Validate that either the default domain or nothing is specified.
+
+@@ -109,6 +97,8 @@ class Identity(identity.Driver):
+ except exception.UserNotFound:
+ raise AssertionError('Invalid user / password')
+
++ if not user_id or not password:
++ raise AssertionError('Invalid user / password')
+ try:
+ conn = self.user.get_connection(self.user._id_to_dn(user_id),
+ password)
+diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
+index c0bceea52a6b550736146c88cacdc2fccb72053f..b2e33ee2c379e5662d07de8fbb0458a5acee647a 100644
+--- a/tests/test_backend_ldap.py
++++ b/tests/test_backend_ldap.py
+@@ -595,6 +595,26 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
+ 'name': 'Default',
+ 'enabled': True}])
+
++ def test_authenticate_requires_simple_bind(self):
++ user = {
++ 'id': 'no_meta',
++ 'name': 'NO_META',
++ 'domain_id': test_backend.DEFAULT_DOMAIN_ID,
++ 'password': 'no_meta2',
++ 'enabled': True,
++ }
++ self.identity_man.create_user({}, user['id'], user)
++ self.identity_api.add_user_to_project(self.tenant_baz['id'],
++ user['id'])
++ self.identity_api.user.LDAP_USER = None
++ self.identity_api.user.LDAP_PASSWORD = None
++
++ self.assertRaises(AssertionError,
++ self.identity_api.authenticate,
++ user_id=user['id'],
++ tenant_id=self.tenant_baz['id'],
++ password=None)
++
+
+ class LDAPIdentityEnabledEmulation(LDAPIdentity):
+ def setUp(self):
+--
+1.8.1.4
diff --git a/sys-auth/keystone/keystone-2012.2.4-r4.ebuild b/sys-auth/keystone/keystone-2012.2.4-r5.ebuild
index 884f158b46f6..d8d7b64cfb88 100644
--- a/sys-auth/keystone/keystone-2012.2.4-r4.ebuild
+++ b/sys-auth/keystone/keystone-2012.2.4-r5.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r4.ebuild,v 1.1 2013/05/28 16:34:39 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r5.ebuild,v 1.1 2013/06/14 21:57:36 prometheanfire Exp $
EAPI=5
#test restricted becaues of bad requirements given (old webob for instance)
@@ -73,6 +73,7 @@ PATCHES=(
"${FILESDIR}/keystone-folsom-4-CVE-2013-2059.patch"
"${FILESDIR}/keystone-folsom-4-CVE-2013-1977.patch"
"${FILESDIR}/keystone-folsom-4-CVE-2013-2104.patch"
+ "${FILESDIR}/keystone-folsom-4-CVE-2013-2157.patch"
)
python_install() {
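Review bot: The regression test that keystone-folsom-4-CVE-2013-2157.patch adds to tests/test_backend_ldap.py will apparently not run during this package's build, going by the `#test restricted` comment near the top of the ebuild (the RESTRICT line itself is not in the hunks shown). The fix is therefore only verified upstream, which is worth stating in the ebuild. A comment above the new PATCHES entry, such as `# CVE-2013-2157 (bug 473304): LDAP anonymous-bind authentication bypass; drop once upstream release includes it`, would record why the patch is carried. The same holds for keystone-2013.1.2-r1.ebuild, where the `python_test` block is commented out.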
diff --git a/sys-auth/keystone/keystone-2013.1.2.ebuild b/sys-auth/keystone/keystone-2013.1.2-r1.ebuild
index a8ac0f9015f7..02552d29a144 100644
--- a/sys-auth/keystone/keystone-2013.1.2.ebuild
+++ b/sys-auth/keystone/keystone-2013.1.2-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.2.ebuild,v 1.1 2013/06/06 19:24:26 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.2-r1.ebuild,v 1.1 2013/06/14 21:57:36 prometheanfire Exp $
EAPI=5
#test restricted becaues of bad requirements given (old webob for instance)
@@ -70,6 +70,7 @@ RDEPEND="${DEPEND}
# dev-python/webtest
# )
PATCHES=(
+ "${FILESDIR}/keystone-grizzly-2-CVE-2013-2157.patch"
)
#
#python_test() {