[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-28 Thread Russell Bryant
Please review this vulnerability description. Once confirmed, it will go out in an OSSA.

Title: Token authorization for a user in a disabled tenant is allowed
Impact: High
Reporter: Rohit Karajgi (NTT Data)
Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-3 development milestone)

[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-28 Thread Joseph Heck
Good description, ack.

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/988920

Title: Token authentication for a user in a disabled tenant does not raise Unauthorized error

To

[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-28 Thread Thierry Carrez
Description looks good. Maybe add that the fix already shipped in 2012.1.2 and 2012.2.

[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-28 Thread Russell Bryant
OSSA sent: https://lists.launchpad.net/openstack/msg17035.html

[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-27 Thread Russell Bryant
Can a keystone dev comment on the potential security impact of this bug? I'm trying to figure out if we need to go back and issue a security advisory for this. Would this token be successfully validated allowing a user to do stuff with the token they shouldn't have received? ** This bug has been

[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-27 Thread Russell Bryant
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4457

[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-27 Thread Dolph Mathews
Russell: It's exactly as you describe. In this case, authentication succeeds as expected, but authorization should fail (disabling the tenant should break the user-tenant authorization relationship). Once the token is established with authorization on the tenant, keystone would respond 200 OK to

[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-03 Thread Launchpad Bug Tracker
This bug was fixed in the package keystone - 2012.1+stable~20120824-a16a0ab9-0ubuntu2

---
keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2) precise-proposed; urgency=low

  * New upstream release (LP: #1041120):
    -

[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-08-30 Thread Adam Gandelman
Test coverage log.

** Attachment added: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.log
   https://bugs.launchpad.net/bugs/988920/+attachment/3283190/+files/2012.1%2Bstable%7E20120824-a16a0ab9-0ubuntu2.log

** Tags added: verification-done

[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-08-24 Thread Dave Walker
** Changed in: keystone (Ubuntu)
   Status: New => Fix Released

** Also affects: keystone (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Changed in: keystone (Ubuntu Precise)
   Status: New => Confirmed

[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-08-24 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/precise-proposed/keystone