[Openstack-devel] Bug#687433: CVE-2012-4413: openstack revoking a role does not affect existing tokens
Henri Salo
henri at nerv.fi
Wed Sep 12 16:44:31 UTC 2012
Package: keystone
Version: 2012.1.1-5
Severity: important
Tags: security
From http://www.openwall.com/lists/oss-security/2012/09/12/7
Description:
Dolph Mathews reported a vulnerability in Keystone. Granting and
revoking roles from a user is not reflected upon token validation for
pre-existing tokens. Pre-existing tokens continue to be valid for the
original set of roles for the remainder of the token's lifespan, or
until explicitly invalidated. This fix invalidates all tokens held by
a user upon role grant/revoke to circumvent the issue.
Folsom fix:
http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2
Essex fix:
http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
References:
https://bugs.launchpad.net/keystone/+bug/1041396
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413
Notes:
This fix will be included in the future Keystone 2012.1.3 stable
update and the upcoming Folsom-RC1 development milestone.
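To make the stale-authorisation window concrete, the following is an added toy model in Python (not Keystone's code and not the commits linked above): tokens carry a snapshot of the user's roles at issue time, and the hypothetical switch revoke_on_role_change reproduces the described fix by invalidating every token the user holds whenever a role is granted or revoked.

```python
import secrets
from dataclasses import dataclass, field
TOKEN_TTL = 3600  # constructed: tokens live one hour on a simulated clock

@dataclass
class Token:
    user: str
    roles: frozenset  # role set snapshotted when the token was issued
    expires: float

@dataclass
class TokenService:
    # True mirrors the Keystone fix: invalidate every token a user holds
    # whenever one of their roles is granted or revoked.
    revoke_on_role_change: bool
    roles: dict = field(default_factory=dict)   # user -> set of role names
    tokens: dict = field(default_factory=dict)  # token id -> Token

    def issue(self, user, now=0.0):
        tid = secrets.token_hex(16)
        self.tokens[tid] = Token(user, frozenset(self.roles.get(user, ())), now + TOKEN_TTL)
        return tid

    def validate(self, tid, now=0.0):
        """Roles the token authorises, or None if unknown, expired or invalidated."""
        tok = self.tokens.get(tid)
        # Pre-fix behaviour: the snapshot is returned, never the user's current roles.
        return None if tok is None or tok.expires <= now else tok.roles

    def _change_role(self, user, role, add):
        user_roles = self.roles.setdefault(user, set())
        (user_roles.add if add else user_roles.discard)(role)
        if self.revoke_on_role_change:
            for tid in [t for t, tok in self.tokens.items() if tok.user == user]:
                del self.tokens[tid]

    def grant(self, user, role):
        self._change_role(user, role, add=True)

    def revoke(self, user, role):
        self._change_role(user, role, add=False)

def demo(fixed):
    # Grant admin, issue a token, revoke admin: what does the old token still carry?
    svc = TokenService(revoke_on_role_change=fixed)
    svc.grant("alice", "admin")
    tid = svc.issue("alice")
    svc.revoke("alice", "admin")
    return svc.validate(tid)
```

With the switch off, demo(False) still returns the admin role after revocation; with it on, the old token is rejected outright and the client must obtain a fresh one reflecting the current role set.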