** Changed in: ossa
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1577558
Title:
[OSSA 2016-008] v2.0 fernet tokens audit ids are inconsistent
(CVE-2016-4911)
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
If you set the token provider to token.provider = fernet, get an
unscoped token from v2.0, then rescope that token to a project, you'll
notice the audit ids don't match. I've recreated this issue in a test
[0].
What should happen is that the unscoped token response will have a
list of audit_ids containing a single audit_id. The project scoped
token response from the unscoped token will also have a list of
audit_ids in the token response but the original audit_id from the
unscoped token will be in the list of the project scoped token.
Right now this behavior doesn't exist in with the fernet provider on
v2.0.
[0] https://review.openstack.org/#/c/311816/1
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1577558/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
