Date: Tue, 17 May 2016 15:48:18 -0400 (EDT)
From: cve-assign@...re.org
To: morgan.fainberg@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for vulnerability in OpenStack Keystone


> Incorrect Audit IDs in Keystone Fernet Tokens can result in
> revocation bypass
> 
> By rescoping a token a user will receive a new
> token without correct audit_ids, these incorrect audit_ids will prevent
> the entire chain of tokens from being revoked properly. This
> vulnerability does not impact revoking a token by its individual
> audit_id. Only deployments with Keystone configured to use Fernet tokens
> are impacted.
> 
> https://launchpad.net/bugs/1577558

>> caused token rescoping to not work because audit ids were never pulled
>> from the original token.

Use CVE-2016-4911.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
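The revocation-bypass mechanism described in the quoted report, as an added illustration that is not part of the original e-mail and is not Keystone's code: a simplified model in which each token carries an `audit_ids` list (its own audit id first, the inherited chain id last), a buggy rescope that never reads the parent's audit ids, the corrected rescope that carries the chain id forward, and a revocation list that can revoke either one token or a whole chain. The names `Token`, `rescope_buggy`, `rescope_fixed` and `RevocationList` are assumptions made for this example.

```python
"""Constructed model of audit-id chaining across token rescoping.

Not Keystone's implementation. A token's audit_ids list holds its own
audit id at index 0 and, when the token was obtained by rescoping,
the chain id inherited from its parent at index -1. Revoking by chain
id is meant to invalidate every token derived from the same original.
"""
import secrets
from dataclasses import dataclass, field


def new_audit_id() -> str:
    return secrets.token_urlsafe(16)


@dataclass
class Token:
    user_id: str
    project_id: str
    audit_ids: list = field(default_factory=list)

    @property
    def audit_chain_id(self) -> str:
        # An original token is the root of its own chain.
        return self.audit_ids[-1]


def issue_token(user_id: str, project_id: str) -> Token:
    return Token(user_id, project_id, [new_audit_id()])


def rescope_buggy(parent: Token, project_id: str) -> Token:
    # Defect modelled here: the parent's audit ids are never pulled in,
    # so the new token is not linked to the chain it came from.
    return Token(parent.user_id, project_id, [new_audit_id()])


def rescope_fixed(parent: Token, project_id: str) -> Token:
    # Correct behaviour: fresh own id, then the inherited chain id.
    return Token(parent.user_id, project_id,
                 [new_audit_id(), parent.audit_chain_id])


class RevocationList:
    def __init__(self) -> None:
        self.revoked_audit_ids: set = set()
        self.revoked_chain_ids: set = set()

    def revoke_token(self, token: Token) -> None:
        """Revoke exactly one token by its own audit id."""
        self.revoked_audit_ids.add(token.audit_ids[0])

    def revoke_chain(self, token: Token) -> None:
        """Revoke the token and everything rescoped from it."""
        self.revoked_chain_ids.add(token.audit_chain_id)

    def is_valid(self, token: Token) -> bool:
        if token.audit_ids[0] in self.revoked_audit_ids:
            return False
        if token.audit_chain_id in self.revoked_chain_ids:
            return False
        return True


def chain_revocation(rescope) -> list:
    """Issue, rescope twice, revoke the chain via the original token.

    Returns validity of [original, first rescope, second rescope].
    """
    rl = RevocationList()
    t0 = issue_token("alice", "proj-a")   # constructed sample user/project
    t1 = rescope(t0, "proj-b")
    t2 = rescope(t1, "proj-c")
    rl.revoke_chain(t0)
    return [rl.is_valid(t) for t in (t0, t1, t2)]


def single_revocation(rescope) -> list:
    """Revoke only the first rescoped token by its individual audit id."""
    rl = RevocationList()
    t0 = issue_token("alice", "proj-a")
    t1 = rescope(t0, "proj-b")
    t2 = rescope(t1, "proj-c")
    rl.revoke_token(t1)
    return [rl.is_valid(t) for t in (t0, t1, t2)]


if __name__ == "__main__":
    print("chain revoke, buggy rescope:", chain_revocation(rescope_buggy))
    print("chain revoke, fixed rescope:", chain_revocation(rescope_fixed))
    print("single revoke, buggy rescope:", single_revocation(rescope_buggy))
```

With the buggy rescope, revoking the chain through the original token only invalidates that one token; the two rescoped tokens keep working, which is the bypass the report describes. Revoking a single token by its own audit id works in both variants, matching the report's note that individual revocation is unaffected.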
