** Changed in: ossa
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1577558

Title:
  [OSSA 2016-008] v2.0 fernet tokens audit ids are inconsistent (CVE-2016-4911)

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  If you set the token provider to token.provider = fernet, get an
  unscoped token from v2.0, then rescope that token to a project, you'll
  notice the audit ids don't match. I've recreated this issue in a test
  [0].

  What should happen is that the unscoped token response will have a
  list of audit_ids containing a single audit_id. The project scoped
  token response from the unscoped token will also have a list of
  audit_ids in the token response, but the original audit_id from the
  unscoped token will be in the list of the project scoped token. Right
  now this behavior doesn't exist with the fernet provider on v2.0.

  [0] https://review.openstack.org/#/c/311816/1
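
The expected audit_ids relationship described in the bug, written as a check over two token response bodies. This is an added example, not code from the report or from keystone; the access.token.audit_ids layout is an assumption about the v2.0 response body, and the sample tokens and audit id values are constructed.

```python
import json

# Constructed sample bodies; assumed v2.0 layout: access.token.audit_ids.
UNSCOPED = json.loads(
    '{"access": {"token": {"id": "unscoped-token",'
    ' "audit_ids": ["VcxU2JYqT8OzfUVvrjEITQ"]}}}'
)
# Expected behaviour: the rescoped token carries the original audit_id.
RESCOPED_OK = json.loads(
    '{"access": {"token": {"id": "scoped-token",'
    ' "audit_ids": ["3T2dc1CGQxyJsHdDu1xkcw", "VcxU2JYqT8OzfUVvrjEITQ"]}}}'
)
# Behaviour described in the bug: the original audit_id is absent.
RESCOPED_BROKEN = json.loads(
    '{"access": {"token": {"id": "scoped-token",'
    ' "audit_ids": ["qNUTIJntTzO1-XUk5STybw"]}}}'
)

NOT_SINGLE = "unscoped token should carry exactly one audit_id"
CHAIN_LOST = "original audit_id missing from rescoped token"


def audit_ids(response):
    """Extract audit_ids from a token response, rejecting malformed bodies."""
    token = response.get("access", {}).get("token", {})
    ids = token.get("audit_ids")
    if not isinstance(ids, list) or not ids:
        raise ValueError("token response has no audit_ids list")
    if not all(isinstance(i, str) and i for i in ids):
        raise ValueError("audit_ids must be non-empty strings")
    return ids


def check_rescope_chain(unscoped, rescoped):
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    parent, child = audit_ids(unscoped), audit_ids(rescoped)
    if len(parent) != 1:
        problems.append(NOT_SINGLE)
    if parent[0] not in child:
        problems.append(CHAIN_LOST)
    return problems


if __name__ == "__main__":
    for name, body in (("ok", RESCOPED_OK), ("broken", RESCOPED_BROKEN)):
        print(name, check_rescope_chain(UNSCOPED, body) or "audit chain intact")
```
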