--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/keystone/patches/07-CVE-2014-2828.patch Tue Apr 15 07:31:13 2014 -0700
@@ -0,0 +1,56 @@
+Upstream patch for bug 1300274.
+
+Fixed in Havana 2013.2.4, Icehouse 2014.1
+
+From e364ba5b12de8e4c11bd80bcca903f9615dcfc2e Mon Sep 17 00:00:00 2001
+From: Florent Flament <[email protected]>
+Date: Tue, 1 Apr 2014 12:48:22 +0000
+Subject: Sanitizes authentication methods received in requests.
+
+When a user authenticates against Identity V3 API, he can specify
+multiple authentication methods. This patch removes duplicates, which
+could have been used to achieve DoS attacks.
+
+Closes-Bug: 1300274
+(cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
+Cherry-pick from https://review.openstack.org/#/c/84425/
+
+Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
+
+--- keystone-2013.1.4/keystone/auth/controllers.py.orig 2014-04-10 14:46:27.890585026 -0600
++++ keystone-2013.1.4/keystone/auth/controllers.py 2014-04-10 14:47:53.783687911 -0600
+@@ -228,7 +228,13 @@
+ :returns: list of auth method names
+
+ """
+- return self.auth['identity']['methods']
++ # Sanitizes methods received in request's body
++ # Filters out duplicates, while keeping elements' order.
++ method_names = []
++ for method in self.auth['identity']['methods']:
++ if method not in method_names:
++ method_names.append(method)
++ return method_names
+
+ def get_method_data(self, method):
+ """ Get the auth method payload.
+--- keystone-2013.1.4/tests/test_v3_auth.py.orig 2014-04-10 14:50:45.929495618 -0600
++++ keystone-2013.1.4/tests/test_v3_auth.py 2014-04-10 14:50:48.764440233 -0600
+@@ -83,6 +83,17 @@
+ None,
+ auth_data)
+
++ def test_get_method_names_duplicates(self):
++ auth_data = self.build_authentication_request(
++ token='test',
++ user_id='test',
++ password='test')['auth']
++ auth_data['identity']['methods'] = ['password', 'token',
++ 'password', 'password']
++ context = None
++ auth_info = auth.controllers.AuthInfo(context, auth_data)
++ self.assertEqual(auth_info.get_method_names(),
++ ['password', 'token'])
+
+ class TestTokenAPIs(test_v3.RestfulTestCase):
+ def setUp(self):
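Review bot: The loop added to `get_method_names` in keystone/auth/controllers.py bounds only repeated entries: membership is tested against a list (`if method not in method_names`), so a body with many distinct values still costs quadratic comparisons, and every distinct value is returned to the caller. Nothing in the hunk checks that each element of `self.auth['identity']['methods']` is a string or names a configured auth method. Validation may happen elsewhere, but it is not visible here, and the method's signature lies outside the hunk. If it does not, the list should be length-capped and filtered against the enabled methods before this loop; at minimum the limit should be documented in place with `# NOTE: only duplicates are removed; unknown or non-string entries are passed through unchanged.` The new test in tests/test_v3_auth.py covers repeated valid names only, so a second case with an unknown name and a non-string entry would pin down the intended behaviour.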