Message-ID: <CAGYSk8dJDG4Z5YPf3Mye8h4YmrP1O_NXg+vt-7tMmCmvP4pxWA@mail.gmail.com>
Date: Wed, 12 Sep 2012 10:34:40 -0700
From: Matt Joyce <matt.joyce@...udscaling.com>
To: Soren Hansen <soren@...ux2go.dk>
Cc: Thierry Carrez <thierry@...nstack.org>, oss-security@...ts.openwall.com, openstack-announce@...ts.openstack.org, openstack@...ts.launchpad.net
Subject: Re: [Openstack] [OSSA 2012-014] Revoking a role does not affect existing tokens (CVE-2012-4413)

hah!

On Wed, Sep 12, 2012 at 10:32 AM, Soren Hansen <soren@...ux2go.dk> wrote:
> So if I can grant people access to a particular tenant, I can invalidate
> everyone's tokens at will now?
>
> Best regards, Soren.
> Sent from my phone. Please pardon my brevity.
> On Sep 12, 2012 6:40 PM, "Thierry Carrez" <thierry@...nstack.org> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> OpenStack Security Advisory: 2012-014
>> CVE: CVE-2012-4413
>> Date: September 12, 2012
>> Title: Revoking a role does not affect existing tokens
>> Impact: High
>> Reporter: Dolph Mathews (Rackspace)
>> Products: Keystone
>> Affects: Essex, Folsom
>>
>> Description:
>> Dolph Mathews reported a vulnerability in Keystone. Granting and
>> revoking roles from a user is not reflected upon token validation for
>> pre-existing tokens. Pre-existing tokens continue to be valid for the
>> original set of roles for the remainder of the token's lifespan, or
>> until explicitly invalidated. This fix invalidates all tokens held by
>> a user upon role grant/revoke to circumvent the issue.
>>
>> Folsom fix:
>> http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2
>>
>> Essex fix:
>> http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
>>
>> References:
>> https://bugs.launchpad.net/keystone/+bug/1041396
>> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413
>>
>> Notes:
>> This fix will be included in the future Keystone 2012.1.3 stable
>> update and the upcoming Folsom-RC1 development milestone.
>>
>> - --
>> Thierry Carrez (ttx)
>> OpenStack Vulnerability Management Team
>> -----BEGIN PGP SIGNATURE-----
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@...ts.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
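The behaviour the advisory describes, and the side effect Soren points out, modelled as an added example (a constructed toy token store, not Keystone's own code): tokens carry a role snapshot frozen at issuance, so a revocation leaves old tokens usable unless, as in the fix, every token the user holds is dropped on any grant or revoke.

```python
"""Toy model of OSSA 2012-014 (CVE-2012-4413), not Keystone code.
A token stores the roles the user had when it was issued; validation
reads that snapshot, so a later revoke is invisible to the old token."""
import secrets


class TokenStore:
    def __init__(self, invalidate_on_role_change):
        # True models the advisory's fix; False models Essex/Folsom before it.
        self.invalidate_on_role_change = invalidate_on_role_change
        self.roles = {}    # user -> set of role names (hypothetical store)
        self.tokens = {}   # token id -> (user, frozen role snapshot)

    def _role_changed(self, user):
        if self.invalidate_on_role_change:
            # The fix: drop every token the user holds, whatever role changed.
            self.tokens = {t: v for t, v in self.tokens.items() if v[0] != user}

    def grant(self, user, role):
        self.roles.setdefault(user, set()).add(role)
        self._role_changed(user)

    def revoke(self, user, role):
        self.roles.get(user, set()).discard(role)
        self._role_changed(user)

    def issue_token(self, user):
        token = secrets.token_hex(16)
        # Snapshot taken now; later revocations never touch this entry.
        self.tokens[token] = (user, frozenset(self.roles.get(user, ())))
        return token

    def validate(self, token):
        """Return the roles the token still grants, or None if it is invalid."""
        entry = self.tokens.get(token)
        return set(entry[1]) if entry else None


def revoked_role_still_usable(fixed):
    """Grant admin, issue a token, revoke admin: does the old token keep admin?"""
    ks = TokenStore(invalidate_on_role_change=fixed)
    ks.grant("alice", "admin")
    token = ks.issue_token("alice")
    ks.revoke("alice", "admin")
    roles = ks.validate(token)
    return roles is not None and "admin" in roles


def tokens_surviving_grant(fixed):
    """Live tokens left after an unrelated grant: the cost Soren's reply notes."""
    ks = TokenStore(invalidate_on_role_change=fixed)
    tokens = [ks.issue_token("bob") for _ in range(3)]
    ks.grant("bob", "member")
    return sum(ks.validate(t) is not None for t in tokens)
```

With the fix enabled, `revoked_role_still_usable` turns false, but `tokens_surviving_grant` drops to zero: anyone able to grant a role on a tenant can thereby log every token of that user out.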