Date: Wed, 12 Sep 2012 12:35:34 -0500
From: Dolph Mathews <dolph.mathews@...il.com>
To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>, oss-security@...ts.openwall.com, 
	openstack-announce@...ts.openstack.org
Cc: Ryan Lane <rlane@...imedia.org>
Subject: Re: [Openstack] [OSSA 2012-014] Revoking a role does not affect existing tokens (CVE-2012-4413)

Ryan Lane deserves recognition for originally identifying this as a
potential vulnerability.

Thanks, Ryan!

-Dolph


On Wed, Sep 12, 2012 at 11:36 AM, Thierry Carrez <thierry@...nstack.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> OpenStack Security Advisory: 2012-014
> CVE: CVE-2012-4413
> Date: September 12, 2012
> Title: Revoking a role does not affect existing tokens
> Impact: High
> Reporter: Dolph Mathews (Rackspace)
> Products: Keystone
> Affects: Essex, Folsom
>
> Description:
> Dolph Mathews reported a vulnerability in Keystone. Granting and
> revoking roles from a user is not reflected upon token validation for
> pre-existing tokens. Pre-existing tokens continue to be valid for the
> original set of roles for the remainder of the token's lifespan, or
> until explicitly invalidated. This fix invalidates all tokens held by
> a user upon role grant/revoke to circumvent the issue.
>
> Folsom fix:
>
> http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2
>
> Essex fix:
>
> http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
>
> References:
> https://bugs.launchpad.net/keystone/+bug/1041396
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413
>
> Notes:
> This fix will be included in the future Keystone 2012.1.3 stable
> update and the upcoming Folsom-RC1 development milestone.
>
> - --
> Thierry Carrez (ttx)
> OpenStack Vulnerability Management Team
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJQULoUAAoJEFB6+JAlsQQjGacQAJUvJb+oIjh73KAYYuDpl/YP
> PqJa4nmjVin7CyQ8AbxHK63xrAQ7isPFpCCqtEmjZ5kvFCrJRHiQggHNqISRhnvo
> +HyS6RSn4Vrp001PSZSmQI5MpgkeWhbOy+fk4/ZY7hFgUyS2YqC8YiK7DTMdKRBi
> toWOHRVWrmA4fUEDDcDdm9XzRseTC0cZAbj9bYAF+vXPdpxeGpq5l9Kb6yDezXGD
> 62dFvHghVTWdUIN+gK4V4d77PoyeO9NRd4Ud0GjDpV/asQL31dW6B4aRPYVDPhL3
> 7xcnhRsnZ3Y5J31n+7E/gMF+J+6kOaY/DNFZQ8chNW18kplYnmJnm7s3BJNjD512
> UF/S5A5sH1Rk/vwe2nAHSqvQ1Dq3K0sRvW3YCijG2Rdj3mhBOr6OlvT5uJmnkeJT
> GQQ8SR3y+ZLS/2EEW+cVjDMxV4Gnf9Zzrw/tSjVp6QLmJAkG8qrFmgdisQ/Jao4M
> ygE8ZVu8lJq7N8b+k8XkB+bhz9E9V6hYOUuGoifEHRIPki/Ed7++BcdVTQdQYpAL
> kDTaoVZt1+plwAu4ZBLxUg1vhVz19qgDc7UeoY1sPc1JcRWp/ONnp6K4z+Y+7Rsx
> 3E4FLH0/qgFxKDHdGX91Plehk9dIEjHcGtKaXI8vOvGT17srYQaF6Y7rc+9TwaqI
> bggBCxcI2PLQgjuWyF4M
> =+6UN
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@...ts.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>

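The advisory above describes a token service that answers validation requests from the set of roles a user held when the token was issued, so a later role revocation is not seen until the token expires, and a fix that discards all of a user's tokens whenever a role is granted or revoked. The following Python model, added here as an illustration and not Keystone's own code, contrasts the two behaviours side by side. The `TokenService` class, its in-memory stores, the `invalidate_on_role_change` switch and the user `alice` are all constructed for this example.

```python
"""Toy model of the token/role behaviour described in OSSA 2012-014.

Added illustration, not Keystone code: class names, stores and the
sample user/role below are constructed for the example. It contrasts a
token service that snapshots roles at issue time (the behaviour the
advisory reports) with one that invalidates a user's tokens on every
role grant or revoke (the mitigation the advisory describes).
"""
import secrets
import time


class TokenService:
    """Issues bearer tokens that carry the roles a user held at issue time."""

    def __init__(self, ttl_seconds=3600, invalidate_on_role_change=False):
        self.ttl = ttl_seconds
        # Constructed switch: False reproduces the reported behaviour,
        # True applies the advisory's mitigation.
        self.invalidate_on_role_change = invalidate_on_role_change
        self.roles = {}    # user -> set of role names (authoritative store)
        self.tokens = {}   # token id -> {"user", "roles", "expires"}

    def grant_role(self, user, role):
        self.roles.setdefault(user, set()).add(role)
        self._on_role_change(user)

    def revoke_role(self, user, role):
        self.roles.get(user, set()).discard(role)
        self._on_role_change(user)

    def _on_role_change(self, user):
        # Mitigation: drop every token the user holds, so any further use
        # requires a fresh token issued against the current role set.
        if self.invalidate_on_role_change:
            stale = [t for t, rec in self.tokens.items() if rec["user"] == user]
            for t in stale:
                del self.tokens[t]

    def issue_token(self, user, now=None):
        now = time.time() if now is None else now
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = {
            "user": user,
            # Snapshot of roles at issue time; this copy is what validation
            # later answers from.
            "roles": set(self.roles.get(user, set())),
            "expires": now + self.ttl,
        }
        return token_id

    def validate(self, token_id, now=None):
        """Return the roles the token authorises, or None if it is invalid."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token_id)
        if rec is None or rec["expires"] <= now:
            return None
        # Reported behaviour: the answer comes from the snapshot and never
        # re-reads self.roles, so a revoked role stays effective until expiry.
        return set(rec["roles"])


def demo(invalidate_on_role_change):
    """Grant admin, issue a token, revoke admin, and validate before/after."""
    svc = TokenService(invalidate_on_role_change=invalidate_on_role_change)
    svc.grant_role("alice", "admin")
    token = svc.issue_token("alice", now=0)
    before = svc.validate(token, now=10)
    svc.revoke_role("alice", "admin")
    after = svc.validate(token, now=20)
    return before, after


if __name__ == "__main__":
    print("snapshot only:       ", demo(False))  # admin still effective after revoke
    print("invalidate on change:", demo(True))   # token gone after revoke
```

With the switch off, `demo(False)` returns `({'admin'}, {'admin'})`: the token keeps authorising the revoked role for the rest of its lifetime, exactly the condition the advisory reports. With the switch on, `demo(True)` returns `({'admin'}, None)`: the revoke discards the user's tokens, so the stale snapshot can no longer be presented. Invalidating every token the user holds is deliberately coarse; it trades some re-authentication for the guarantee that no token outlives the role set it was issued under.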