[Yahoo-eng-team] [Bug 1842149] [NEW] TLS ciphers/protocols are not configurable for console proxies

2019-08-30 Thread Nathan Kinder
Public bug reported: Description === The console proxies (VNC, SPICE, etc) currently don't allow the allowed TLS ciphers and protocol versions to be configurable. This results in the defaults being used from the underlying system (or even compiled defaults in OpenSSL), which may not be

[Yahoo-eng-team] [Bug 1523646] Re: Nova/Cinder Key Manager for Barbican Uses Stale Cache

2016-06-09 Thread Nathan Kinder
This issue has been published as OSSN-0063 on the mailing lists and wiki: https://wiki.openstack.org/wiki/OSSN/OSSN-0063 ** Changed in: ossn Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed

[Yahoo-eng-team] [Bug 1493448] Re: All operations are performed with admin privileges when 'use_user_token' is False

2016-01-25 Thread Nathan Kinder
This has been published as OSSN-0060: https://wiki.openstack.org/wiki/OSSN/OSSN-0060 ** Changed in: ossn Status: New => Fix Released

[Yahoo-eng-team] [Bug 1516031] Re: Use of MD5 in OpenStack Glance image signature (CVE-2015-8234)

2015-12-15 Thread Nathan Kinder
This issue has been published as OSSN-0061: https://wiki.openstack.org/wiki/OSSN/OSSN-0061 ** Changed in: ossn Status: New => Fix Released

[Yahoo-eng-team] [Bug 1490804] Re: PKI Token Revocation Bypass (CVE-2015-7546)

2015-12-15 Thread Nathan Kinder
This issue has been published as OSSN-0062: https://wiki.openstack.org/wiki/OSSN/OSSN-0062 ** Changed in: ossn Status: New => Fix Released

[Yahoo-eng-team] [Bug 1456228] Re: Trusted vm can be powered on untrusted host

2015-11-16 Thread Nathan Kinder
This has been published as OSSN-0059: https://wiki.openstack.org/wiki/OSSN/OSSN-0059 ** Changed in: ossn Status: Confirmed => Fix Released

[Yahoo-eng-team] [Bug 1451931] Re: ironic password config not marked as secret

2015-11-16 Thread Nathan Kinder
This has been published as OSSN-0049: https://wiki.openstack.org/wiki/OSSN/OSSN-0049 ** Changed in: ossn Status: Fix Committed => Fix Released

[Yahoo-eng-team] [Bug 1515302] [NEW] Group membership attribute is hard-coded when using 'user_enable_emulation'

2015-11-11 Thread Nathan Kinder
ute is 'uniquemember', users are listed as not enabled. ** Affects: keystone Importance: Undecided Assignee: Nathan Kinder (nkinder) Status: New ** Changed in: keystone Assignee: (unassigned) => Nathan Kinder (nkinder)

[Yahoo-eng-team] [Bug 1401170] Re: 0-size images allow unprivileged user to deplete glance resources

2015-10-15 Thread Nathan Kinder
This has been published as OSSN-0057: https://wiki.openstack.org/wiki/OSSN/OSSN-0057 ** Changed in: ossn Status: Fix Committed => Fix Released

[Yahoo-eng-team] [Bug 1455582] Re: Hypervisor compromise may result in malicious trust creation

2015-09-23 Thread Nathan Kinder
This has been published as OSSN-0053: https://wiki.openstack.org/wiki/OSSN/OSSN-0053 ** Changed in: ossn Status: In Progress => Fix Released

[Yahoo-eng-team] [Bug 1464750] Re: Service accounts can be used to login horizon

2015-09-17 Thread Nathan Kinder
This has been published as OSSN-0055: https://wiki.openstack.org/wiki/OSSN/OSSN-0055 ** Changed in: ossn Status: Fix Committed => Fix Released

[Yahoo-eng-team] [Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack

2015-09-17 Thread Nathan Kinder
This has been published as OSSN-0054: https://wiki.openstack.org/wiki/OSSN/OSSN-0054 ** Changed in: ossn Status: Fix Committed => Fix Released

[Yahoo-eng-team] [Bug 1390124] Re: No validation between client's IdP and Keystone IdP

2015-04-30 Thread Nathan Kinder
This has been published as OSSN-0047: https://wiki.openstack.org/wiki/OSSN/OSSN-0047 ** Changed in: ossn Status: In Progress => Fix Released

[Yahoo-eng-team] [Bug 1440185] [NEW] Identity provider create fails if remote_id is not set

2015-04-03 Thread Nathan Kinder
Importance: Undecided Assignee: Nathan Kinder (nkinder) Status: In Progress ** Changed in: keystone Assignee: (unassigned) => Nathan Kinder (nkinder)

[Yahoo-eng-team] [Bug 1434701] [NEW] websso should compare remote_id_attribute to remote_id of IdP

2015-03-20 Thread Nathan Kinder
Public bug reported: When using the websso feature in keystone, the identity provider is looked up based on the value of the 'remote_id_attribute' environment variable provided by the SAML assertion (or claim in the case of OpenID Connect). Logic would dictate that the 'remote_id_attribute'

[Yahoo-eng-team] [Bug 1420942] Re: noVNC insecure cookie allows session hijacking

2015-03-02 Thread Nathan Kinder
This should be marked as public now. As Tritan mentioned in comment#8, it's already been disclosed (not to mention that we already wrote and published an OSSN). ** Information type changed from Private Security to Public Security ** Also affects: ossn Importance: Undecided Status: New

[Yahoo-eng-team] [Bug 1420942] Re: noVNC insecure cookie allows session hijacking

2015-03-02 Thread Nathan Kinder
This has been published as OSSN-0044: https://wiki.openstack.org/wiki/OSSN/OSSN-0044 ** Changed in: ossn Status: New => Fix Released ** Changed in: ossn Assignee: (unassigned) => Paul McMillan (paul-mcmillan)

[Yahoo-eng-team] [Bug 1341954] Re: suds client subject to cache poisoning by local attacker

2014-12-17 Thread Nathan Kinder
This has been published as OSSN-0038 to the openstack and openstack-dev mailing lists as well as the wiki: https://wiki.openstack.org/wiki/OSSN/OSSN-0038 ** Changed in: ossn Status: In Progress => Fix Released

[Yahoo-eng-team] [Bug 1354512] Re: Anonymous user can download public image through Swift

2014-10-23 Thread Nathan Kinder
This was published as OSSN-0025: https://wiki.openstack.org/wiki/OSSN/OSSN-0025 ** Changed in: ossn Status: In Progress => Fix Released

[Yahoo-eng-team] [Bug 1384365] [NEW] Domain admin should be allowed to show their domain

2014-10-22 Thread Nathan Kinder
be allowed to view/show their own domain. ** Affects: keystone Importance: Undecided Assignee: Nathan Kinder (nkinder) Status: In Progress ** Changed in: keystone Assignee: (unassigned) => Nathan Kinder (nkinder)

[Yahoo-eng-team] [Bug 1381809] [NEW] Domain aware policy should restrict certain operations to cloud admin

2014-10-15 Thread Nathan Kinder
: rule:admin_required, identity:delete_mapping: rule:admin_required, identity:update_mapping: rule:admin_required, --- ** Affects: keystone Importance: Undecided Assignee: Nathan Kinder (nkinder) Status: New ** Changed

[Yahoo-eng-team] [Bug 1337349] Re: Nova qemu hypervisor host smbios serial number is leaked to guest

2014-10-03 Thread Nathan Kinder
This issue has been published as OSSN-0028: https://wiki.openstack.org/wiki/OSSN/OSSN-0028 ** Changed in: ossn Status: In Progress => Fix Released

[Yahoo-eng-team] [Bug 1376983] [NEW] v2.0 API does not work with httpd for admin interface

2014-10-02 Thread Nathan Kinder
://docs.openstack.org/;, type: text/html, rel: describedby}]}} --- There's nothing really of interest in keystone.log with debug enabled. ** Affects: keystone Importance: Undecided Assignee: Nathan Kinder (nkinder) Status

[Yahoo-eng-team] [Bug 1376983] Re: v2.0 API does not work with httpd for admin interface

2014-10-02 Thread Nathan Kinder
*** This bug is a duplicate of bug 1343579 *** https://bugs.launchpad.net/bugs/1343579 ** This bug has been marked a duplicate of bug 1343579 Versionless GET on keystone gives different answer with port 5000 and 35357

[Yahoo-eng-team] [Bug 1376053] [NEW] user_enabled_invert does not properly handle string values

2014-09-30 Thread Nathan Kinder
that is returned from LDAP, leading to accounts being inadvertently disabled. This code needs to handle converting a str type to bool before inverting the value. ** Affects: keystone Importance: Medium Assignee: Nathan Kinder (nkinder) Status: In Progress ** Tags: juno-rc-potential

[Yahoo-eng-team] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning

2014-09-25 Thread Nathan Kinder
This was published as OSSN-0027: https://wiki.openstack.org/wiki/OSSN/OSSN-0027 ** Changed in: ossn Status: Fix Committed => Fix Released

[Yahoo-eng-team] [Bug 1004114] Re: Password logging

2014-09-25 Thread Nathan Kinder
This was published as OSSN-0024: https://wiki.openstack.org/wiki/OSSN/OSSN-0024 ** Changed in: ossn Status: In Progress => Fix Released

[Yahoo-eng-team] [Bug 1365961] Re: Dangerous iptables rule generated in case of protocol any and source-port/destination-port usage

2014-09-24 Thread Nathan Kinder
The security note for this issue has been published as OSSN-0029: https://wiki.openstack.org/wiki/OSSN/OSSN-0029 ** Changed in: ossn Status: In Progress => Fix Released

[Yahoo-eng-team] [Bug 1373599] [NEW] Trust operations in policy.json are misleading

2014-09-24 Thread Nathan Kinder
Public bug reported: The sample policy.json files included in Keystone have the trust API operations listed. For example: identity:create_trust: user_id:%(trust.trustor_user_id)s, identity:get_trust: rule:admin_or_owner, identity:list_trusts: , identity:list_roles_for_trust: ,

[Yahoo-eng-team] [Bug 1348844] Re: Keystone logs auth tokens in URLs at log level info

2014-09-11 Thread Nathan Kinder
This was published as OSSN-0023: https://wiki.openstack.org/wiki/OSSN/OSSN-0023 ** Changed in: ossn Status: In Progress => Fix Released

[Yahoo-eng-team] [Bug 1365712] Re: Command Execution Possible Through Config File Tampering

2014-09-11 Thread Nathan Kinder
This is already covered by published note OSSN-0026: https://wiki.openstack.org/wiki/OSSN/OSSN-0026 ** Changed in: ossn Status: New => Fix Released ** Changed in: ossn Assignee: (unassigned) => Travis McPeak (travis-mcpeak)

[Yahoo-eng-team] [Bug 1316822] Re: soft reboot of instance does not ensure iptables rules are present

2014-09-11 Thread Nathan Kinder
This was published as OSSN-0022: https://wiki.openstack.org/wiki/OSSN/OSSN-0022 ** Changed in: ossn Status: In Progress => Fix Released

[Yahoo-eng-team] [Bug 1004114] Re: Password logging

2014-07-24 Thread Nathan Kinder
We should write an OSSN for this so people are aware of the fact that passwords for users will be logged in Horizon if debug logging is enabled. Now that a keystoneclient patch has been merged, we will soon have a release that doesn't log passwords anymore. We should recommend using the newer

[Yahoo-eng-team] [Bug 1347909] [NEW] Trust unit tests should target additional threat scenarios

2014-07-23 Thread Nathan Kinder
Public bug reported: During the OpenStack Security Group Juno midcycle, some threat modelling work around Keystone trusts identified some threat scenarios that the existing unit tests do not cover. It should be made clear that these scenarios are handled correctly by Keystone from a security

[Yahoo-eng-team] [Bug 1316822] Re: soft reboot of instance does not ensure iptables rules are present

2014-07-07 Thread Nathan Kinder
** Also affects: ossn Importance: Undecided Status: New https://bugs.launchpad.net/bugs/1316822 Title: soft reboot of instance does not ensure

[Yahoo-eng-team] [Bug 1335437] [NEW] LDAP attributes mapped to None can cause 500 errors

2014-06-28 Thread Nathan Kinder
has no attribute 'lower' - ** Affects: keystone Importance: Undecided Assignee: Nathan Kinder (nkinder) Status: In Progress ** Changed in: keystone Status: New => In Progress ** Changed in: keystone Assignee

[Yahoo-eng-team] [Bug 1334926] Re: floatingip still working once connected even after it is disassociated

2014-06-27 Thread Nathan Kinder
** Also affects: ossn Importance: Undecided Status: New https://bugs.launchpad.net/bugs/1334926 Title: floatingip still working once connected even after it is

[Yahoo-eng-team] [Bug 1271426] Re: protected property change not rejected if a subsequent rule match accepts them

2014-06-11 Thread Nathan Kinder
The new revision of OSSN-0013 has been published to the mailing lists and the wiki: https://wiki.openstack.org/wiki/OSSN/OSSN-0013 ** Changed in: ossn Status: In Progress => Fix Released ** Changed in: ossn Assignee: Robert Clark (robert-clark) => Nathan Kinder (nkinder)

[Yahoo-eng-team] [Bug 1313746] Re: Non-admins can create public images

2014-05-31 Thread Nathan Kinder
Published as OSSN-0015 on the wiki and the openstack and openstack-dev mailing lists: https://wiki.openstack.org/wiki/OSSN/OSSN-0015 ** Changed in: ossn Status: In Progress => Fix Released

[Yahoo-eng-team] [Bug 1271426] Re: protected property change not rejected if a subsequent rule match accepts them

2014-05-29 Thread Nathan Kinder
Reopening this OSSN bug. The workaround in the OSSN has been reported to not work. Details from the reporter to come shortly. ** Changed in: ossn Status: Fix Released => In Progress

[Yahoo-eng-team] [Bug 1317314] Re: making an image public should be only admin by default

2014-05-28 Thread Nathan Kinder
The OSSN for this is being handled in bug #1313746. Closing this as a duplicate. ** Changed in: ossn Status: New => Won't Fix https://bugs.launchpad.net/bugs/1317314

[Yahoo-eng-team] [Bug 1271426] Re: protected property change not rejected if a subsequent rule match accepts them

2014-05-07 Thread Nathan Kinder
This has been published as OSSN-0013 to the mailing lists (openstack and openstack-dev), and the OpenStack wiki: https://wiki.openstack.org/wiki/OSSN/OSSN-0013 ** Changed in: ossn Status: Confirmed => Fix Released

[Yahoo-eng-team] [Bug 1287219] Re: scope of domain admin too broad in v3 policy sample

2014-04-17 Thread Nathan Kinder
Published as OSSN-0010 to the following locations: openst...@lists.openstack.org openstack-...@lists.openstack.org https://wiki.openstack.org/wiki/OSSN/OSSN-0010 ** Changed in: ossn Status: In Progress => Fix Released

[Yahoo-eng-team] [Bug 1308793] [NEW] Remove LDAP password hashing code

2014-04-16 Thread Nathan Kinder
Public bug reported: Keystone currently has code that hashes LDAP user passwords when creating and updating users (using salted SHA-1). Keystone itself should not be doing this hashing. The LDAP server itself is supposed to receive the clear text userPassword attribute value so it can hash it

[Yahoo-eng-team] [Bug 1268751] Re: Potential token revocation abuse via group membership

2014-04-02 Thread Nathan Kinder
An OSSN on this issue has been published to the wiki, openstack-dev, and openstack mailing lists: http://git.openstack.org/cgit/openstack/openstack-security-notes/commit/?id=5380798f052eaebc023271c90d65b8f6d6fa6331 https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0009&action=edit&redlink=1

[Yahoo-eng-team] [Bug 1300982] [NEW] No headers in REST API auth request results in HTTP 500

2014-04-01 Thread Nathan Kinder
Public bug reported: REQ to http://host.example.com:35357/v2.0/tokens: {auth:{passwordCredentials:{username: admin, password:***}, tenant:admin}} RESP: Status Code: 500 Internal Server Error Connection: keep-alive Content-Length: 266 Content-Type: application/xml Date: Wed,

[Yahoo-eng-team] [Bug 1300982] Re: No headers in REST API auth request results in HTTP 500

2014-04-01 Thread Nathan Kinder
I just attempted to reproduce this on a Havana install, and it seems to report an appropriate response/error: - # curl -v -A -H Host: -H Accept: -H Content-Type: -d @/tmp/request.txt

[Yahoo-eng-team] [Bug 1227575] Re: DoS style attack on noVNC server can lead to service interruption or disruption

2014-03-09 Thread Nathan Kinder
I've adjusted the Summary section as suggested by Rob. I've gone ahead and published the following OSSN to the following locations: https://wiki.openstack.org/wiki/OSSN/OSSN-0008 openst...@lists.openstack.org openstack-...@lists.openstack.org Thanks everyone for the reviews and

[Yahoo-eng-team] [Bug 1240554] Re: Insecure live migration with libvirt driver

2014-03-06 Thread Nathan Kinder
** Changed in: ossn Status: In Progress => Fix Released https://bugs.launchpad.net/bugs/1240554 Title: Insecure live migration with libvirt driver

[Yahoo-eng-team] [Bug 1280965] [NEW] LDAP dumb user is not filtered when listing role assignments

2014-02-16 Thread Nathan Kinder
to the additional role assignments for the dumb member. We should be filtering out the dumb member in RoleApi.list_role_assignments(), as we already do in RoleApi.get_role_assignments(). ** Affects: keystone Importance: Undecided Assignee: Nathan Kinder (nkinder) Status: In Progress

[Yahoo-eng-team] [Bug 1254619] Re: external.Default authentication plugin only considers leftmost part of the REMOTE_USER split by @

2014-01-17 Thread Nathan Kinder
Published the following OSSN to the openstack and openstack-dev mailing lists: - Keystone can allow user impersonation when using REMOTE_USER for external authentication --- ### Summary ### When external authentication is used with

[Yahoo-eng-team] [Bug 1226078] Re: Glance allows user to create images and add other tenants as members (CVE-2013-4354)

2013-12-11 Thread Nathan Kinder
Published on OpenStack and OpenStack-Dev mailing lists on 11 Dec 2013. ** Changed in: ossn Status: In Progress => Fix Released https://bugs.launchpad.net/bugs/1226078

[Yahoo-eng-team] [Bug 1237989] Re: user can update his password without knowing the old password

2013-11-22 Thread Nathan Kinder
Published on OpenStack and OpenStack-Dev mailing lists on 22 Nov 2013. ** Changed in: ossn Status: In Progress => Fix Released