Date: Tue, 17 May 2016 12:17:36 -0700 From: morgan fainberg <morgan.fainberg@...il.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: CVE request for vulnerability in OpenStack Keystone A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass Reporter: Lance Bragstad (Rackspace) Products: OpenStack Kesytone Affects: ==9.0.0 Description: Lance Bragstad (Rackspace) reported a vulnerability in the Keystone Fernet Token Provider. By rescoping a token a user will receive a new token without correct audit_ids, these incorrect audit_ids will prevent the entire chain of tokens from being revoked properly. This vulnerability does not impact revoking a token by it's individual audit_id. Only deployments with Keystone configured to use Fernet tokens are impacted. References: https://launchpad.net/bugs/1577558 <https://launchpad.net/bugs/1577558> Thanks in advance, -- Morgan Fainberg OpenStack Vulnerability Management Team Download attachment "0xA07C6D8A.asc" of type "application/pgp-keys" (30192 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (843 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ