I've set our advisory task to Won't Fix on this one, as no advisory is
required with the fix for bug 1872735 effectively preventing the path to
exploitation.
** Tags added: security
** Information type changed from Public Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1872755
Title:
ec2 credential "trust_id" can be updated to null
Status in OpenStack Identity (keystone):
In Progress
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Similar to https://bugs.launchpad.net/keystone/+bug/1872733 and
https://bugs.launchpad.net/keystone/+bug/1872753. If ec2 credentials
were created within a trust_id scope, it is still possible to set
these credentials' "trust_id" to "null" using:
curl -X PATCH
https://keystone/v3/credentials/3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f
-H 'Accept: application/json' -H 'Content-Type: application/json' -H
"X-Auth-Token: ***" -d'{
"credential": {
"blob": "{\"access\": \"ffe6fc21b47c4d87befc95ad070c3b7a\", \"secret\":
\"530196cd097e4a7ca9df7258aa89ff0e\", \"trust_id\": null}"
}
}'
Note "null" in blob.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1872755/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
