Date: Fri, 29 Jan 2016 19:49:16 +0000
From: Tristan Cacqueray <>
Subject: [OSSA 2016-005] Potential reuse of revoked Identity tokens

OSSA-2016-005: Potential reuse of revoked Identity tokens

:Date: January 29, 2016
:CVE: CVE-2015-7546

Affects
~~~~~~~
- Keystone: <= 2015.1.2, >= 8.0.0 <= 8.0.1
- Keystonemiddleware: >= 1.5.0 <= 1.5.3, >= 1.6.0 <= 2.3.2

Description
~~~~~~~~~~~
Liu Sheng reported a vulnerability in Keystone. By manipulating the
content of a token, an authenticated user may prevent that token from
being revoked. This can allow unauthorized access to cloud resources if
a revoked token is intercepted by an attacker. Only Keystone setups
using PKI or PKIZ tokens are affected.
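The advisory does not describe the mechanism, so what follows is a constructed model (not Keystone or keystonemiddleware code, and not the actual defect) of the general failure class it names: when a revocation list is keyed on a hash of the token's transport bytes and the verifier tolerates cosmetic changes to those bytes, a cosmetically altered copy of a revoked token keeps verifying and is never matched against the list. Keying revocation on an identifier carried inside the signed payload removes that gap. The toy HMAC token format, the `audit_id` field and the `RevocationList` class are all assumptions of this example.

```python
"""Constructed model of a revocation check keyed on the wrong identifier.

Not Keystone/keystonemiddleware code. The token here is
base64(payload) + "." + base64(HMAC-SHA256(payload)); the mechanism
modelled is generic: revocation by transport-byte hash vs. revocation
by an identifier inside the signed payload.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Set, Tuple

# Constructed signing key for the demo; a real deployment uses its own keys.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def issue_token(user: str, key: bytes = SIGNING_KEY) -> str:
    """Issue a toy token carrying a random audit_id inside the signed payload."""
    payload = json.dumps(
        {"user": user, "audit_id": secrets.token_urlsafe(16)}, sort_keys=True
    ).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()


def verify_token(token: str, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Return the payload if the signature verifies, else None.

    base64.b64decode() discards characters outside the alphabet (newlines,
    spaces), so cosmetic edits to the transport form still verify. That
    leniency is kept on purpose: it is the property the model depends on.
    """
    try:
        payload_b64, sig_b64 = token.strip().split(".")
        payload = base64.b64decode(payload_b64)
        sig = base64.b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def token_hash(token: str) -> str:
    """Hash of the token's transport bytes: the naive revocation key."""
    return hashlib.sha256(token.encode()).hexdigest()


class RevocationList:
    """Holds both keys so the weak and hardened checks can be compared."""

    def __init__(self) -> None:
        self.by_hash: Set[str] = set()
        self.by_audit_id: Set[str] = set()

    def revoke(self, token: str) -> None:
        self.by_hash.add(token_hash(token))
        payload = verify_token(token)
        if payload is not None:
            self.by_audit_id.add(payload["audit_id"])

    def is_valid_weak(self, token: str) -> bool:
        """Revocation keyed on transport bytes: any reformatting misses the list."""
        if verify_token(token) is None:
            return False
        return token_hash(token) not in self.by_hash

    def is_valid_hardened(self, token: str) -> bool:
        """Revocation keyed on the audit_id inside the signed payload."""
        payload = verify_token(token)
        if payload is None:
            return False
        return payload["audit_id"] not in self.by_audit_id


def demo() -> Tuple[bool, bool]:
    """Revoke a token, then check a copy with a newline inserted in the base64.

    Returns (weak_check_accepts, hardened_check_accepts).
    """
    rl = RevocationList()
    token = issue_token("alice")
    rl.revoke(token)
    altered = token[:10] + "\n" + token[10:]  # same signed payload, different bytes
    return rl.is_valid_weak(altered), rl.is_valid_hardened(altered)
```

The hardened check also has to decode and verify before it can read `audit_id`, which is the point: the revocation key must be derived from the same authenticated content the signature covers, never from the bytes as they happened to arrive.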

Patches
~~~~~~~
- (keystone) (Kilo)
- (keystonemiddleware) (Kilo)
- (keystone) (Liberty)
- (keystonemiddleware) (Liberty)
- (keystone) (Mitaka)
- (keystonemiddleware) (Mitaka)

Credits
~~~~~~~
- Liu Sheng from Huawei (CVE-2015-7546)


Notes
~~~~~
- The keystone fix is included in 2015.1.3 (Kilo) and will be included
  in a future 8.0.2 (Liberty) release.
- The keystonemiddleware fix will be included in future 1.5.4 (Kilo)
  and 2.3.3 (Liberty) releases.
- Both keystone and keystonemiddleware need to be updated.

Tristan Cacqueray
OpenStack Vulnerability Management Team

