OSSA sent: https://lists.launchpad.net/openstack/msg17035.html
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/988920
Title:
Token authentication for a user in a disabled tenant does not raise
Unaut
Description looks good. Maybe add that the fix already shipped in
2012.1.2 and 2012.2.
--
Good description, ack.
--
Title:
Token authentication for a user in a disabled tenant does not raise
Unauthorized error
Please review this vulnerability description. Once confirmed, it will
go out in an OSSA.
Title: Token authorization for a user in a disabled tenant is allowed
Impact: High
Reporter: Rohit Karajgi (NTT Data)
Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-3 development
milestone)
De
Russell: It's exactly as you describe.
In this case, authentication succeeds as expected, but authorization
should fail (disabling the tenant should break the user-tenant
authorization relationship).
Once the token is established with authorization on the tenant, keystone
would respond 200 OK to
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4457
--
** Changed in: keystone
Milestone: folsom-3 => 2012.2
--
Can a keystone dev comment on the potential security impact of this bug?
I'm trying to figure out if we need to go back and issue a security
advisory for this. Would this token be successfully validated allowing
a user to do stuff with the token they shouldn't have received?
** This bug has been
This bug was fixed in the package keystone -
2012.1+stable~20120824-a16a0ab9-0ubuntu2
---
keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2) precise-proposed;
urgency=low
* New upstream release (LP: #1041120):
- debian/patches/0013-Flush-tenant-membership-deletion-before-user.
Test coverage log.
** Attachment added: "2012.1+stable~20120824-a16a0ab9-0ubuntu2.log"
https://bugs.launchpad.net/bugs/988920/+attachment/3283190/+files/2012.1%2Bstable%7E20120824-a16a0ab9-0ubuntu2.log
** Tags added: verification-done
--
** Branch linked: lp:ubuntu/precise-proposed/keystone
--
** Changed in: keystone (Ubuntu)
Status: New => Fix Released
** Also affects: keystone (Ubuntu Precise)
Importance: Undecided
Status: New
** Changed in: keystone (Ubuntu Precise)
Status: New => Confirmed
--