Reviewed:  https://review.openstack.org/258141
Committed: 
https://git.openstack.org/cgit/openstack/keystone/commit/?id=d5378f173da14a34ca010271477337879002d6d0
Submitter: Jenkins
Branch:    master

commit d5378f173da14a34ca010271477337879002d6d0
Author: Brant Knudson <bknud...@us.ibm.com>
Date:   Tue Dec 1 11:09:14 2015 -0600

    Add audit IDs to revocation events
    
    The revoked tokens' audit ID is now included in the data returned in
    the revocation list.
    
    Closes-Bug: 1490804
    Change-Id: Ifcf88f1158bebddc4f927121fbf4136fb53b659f


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1490804

Title:
  PKI Token Revocation Bypass (CVE-2015-7546)

Status in django-openstack-auth:
  Invalid
Status in OpenStack Identity (keystone):
  Fix Released
Status in keystonemiddleware:
  In Progress
Status in OpenStack Security Advisory:
  Confirmed
Status in OpenStack Security Notes:
  Fix Released
Status in python-keystoneclient:
  Won't Fix

Bug description:
  A keystone token which has been revoked can still be used by manipulating
  particular byte fields within the token.
  When a Keystone token is revoked it is added to the revoked list which stores
  the exact token value. Any API will look at the token to see whether or not it
  should accept a token. By changing a single byte within the token, the
  revocation can be bypassed. See the testing script [1].

  It is suggested that the revocation should be changed to only check
  the token's inner ID.

  [1] http://paste.openstack.org/show/436516/

To manage notifications about this bug go to:
https://bugs.launchpad.net/django-openstack-auth/+bug/1490804/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
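The bug description above says the revocation list keys on the exact token value, so a token whose bytes change while its signed content does not will slip past the check, and that the fix is to key on an inner identifier instead (the commit adds the audit ID to revocation events for that reason). The following is an added toy model of both checks, not keystone code and not the reporter's test script: HMAC-SHA256 stands in for the CMS signature on a PKI token, base64 stands in for the token encoding, the revocation list is a plain set, and the payload values (user, project, audit_id) are constructed. The single-byte change it uses, flipping an unused bit in the last base64 data character, is one way to alter the string without altering what it decodes to; the reporter's script may change a different byte.

```python
"""Toy model: revocation keyed on the token string (bypassable) versus
revocation keyed on the signed audit_id carried inside the token.

Constructed example. HMAC-SHA256 stands in for the CMS signature on a
keystone PKI token; this is not keystone's implementation.
"""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-signing-key"   # assumption: stands in for the signing cert
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def issue_token(payload: dict) -> str:
    """Sign a JSON payload and encode body + signature as one base64 string."""
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    return base64.b64encode(body + b"." + sig).decode()


def verify_and_decode(token: str):
    """Return the payload if the signature verifies, else None."""
    body, _, sig = base64.b64decode(token).rpartition(b".")
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(body)


def token_hash(token: str) -> str:
    """Weak revocation key: a digest over the exact token string."""
    return hashlib.sha256(token.encode()).hexdigest()


def mutate_token(token: str) -> str:
    """Change one character of the token without changing what it decodes to.

    When the base64 string ends in '=' padding, the last data character
    carries 2 or 4 low bits that the decoder never uses. Flipping one of
    them gives a different string with an identical decoding (Python's
    base64.b64decode does not reject non-canonical encodings).
    """
    pad = len(token) - len(token.rstrip("="))
    if pad == 0:
        raise ValueError("token has no padding; no unused bits to flip")
    idx = len(token) - pad - 1
    flipped = B64_ALPHABET.index(token[idx]) ^ 1      # lowest bit is unused here
    return token[:idx] + B64_ALPHABET[flipped] + token[idx + 1:]


def accepted_hash_check(token: str, revoked_hashes: set) -> bool:
    """Before: accept if signature is valid and the token's hash is not listed."""
    if verify_and_decode(token) is None:
        return False
    return token_hash(token) not in revoked_hashes


def accepted_audit_check(token: str, revoked_audit_ids: set) -> bool:
    """After: accept if signature is valid and the signed audit_id is not listed."""
    payload = verify_and_decode(token)
    if payload is None:
        return False
    return payload["audit_id"] not in revoked_audit_ids


def demo() -> dict:
    # Constructed payload; the audit_id value is made up for the example.
    token = issue_token({"user": "alice", "project": "demo",
                         "audit_id": "3j5Gr6n7TbGc1dGR9Hsj1Q"})
    forged = mutate_token(token)

    # Revoke the same token both ways.
    revoked_hashes = {token_hash(token)}
    revoked_audit_ids = {verify_and_decode(token)["audit_id"]}

    return {
        "forged_differs": forged != token,
        "forged_decodes_same": base64.b64decode(forged) == base64.b64decode(token),
        "forged_still_signed": verify_and_decode(forged) is not None,
        "original_rejected_by_hash": not accepted_hash_check(token, revoked_hashes),
        "forged_bypasses_hash": accepted_hash_check(forged, revoked_hashes),
        "forged_blocked_by_audit_id": not accepted_audit_check(forged, revoked_audit_ids),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is that any revocation key derived from the encoded token string, rather than from a value protected by the signature, is under the bearer's control; the audit ID is inside the signed payload, so the attacker cannot change it without invalidating the token.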
