Your message dated Thu, 13 Sep 2012 00:59:59 +0800
with message-id <[email protected]>
and subject line Re: [Openstack-devel] Bug#687433: CVE-2012-4413: openstack
revoking a role does not affect existing tokens
has caused the Debian Bug report #687433,
regarding CVE-2012-4413: openstack revoking a role does not affect existing
tokens
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
687433: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687433
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: keystone
Version: 2012.1.1-5
Severity: important
Tags: security
From http://www.openwall.com/lists/oss-security/2012/09/12/7
Description:
Dolph Mathews reported a vulnerability in Keystone. Granting and
revoking roles from a user is not reflected upon token validation for
pre-existing tokens. Pre-existing tokens continue to be valid for the
original set of roles for the remainder of the token's lifespan, or
until explicitly invalidated. This fix invalidates all tokens held by
a user upon role grant/revoke to circumvent the issue.
Folsom fix:
http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2
Essex fix:
http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
References:
https://bugs.launchpad.net/keystone/+bug/1041396
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413
Notes:
This fix will be included in the future Keystone 2012.1.3 stable
update and the upcoming Folsom-RC1 development milestone.
--- End Message ---
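The advisory's point, modelled as an added Python example (this is not Keystone's code nor either fix commit): a token snapshots the user's roles when issued, so a role revoked afterwards survives in that token until it expires; the `invalidate_on_role_change` flag, the in-memory store and the `alice` scenario are constructed for the illustration and apply the mitigation the advisory describes.

```python
import secrets
import time

class TokenBackend:
    """Toy model (NOT Keystone's code) of role-bearing tokens that
    snapshot the user's roles at issuance, the behaviour behind
    CVE-2012-4413. invalidate_on_role_change=True applies the advisory's
    mitigation: drop all of a user's tokens on any role grant/revoke."""
    def __init__(self, invalidate_on_role_change, ttl=3600):
        self.invalidate_on_role_change = invalidate_on_role_change
        self.ttl = ttl
        self.user_roles = {}  # user -> set of role names
        self.tokens = {}      # token id -> {"user", "roles", "expires"}

    def grant(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)
        self._on_role_change(user)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)
        self._on_role_change(user)

    def _on_role_change(self, user):
        # Without this step, existing tokens keep their stale role set.
        if self.invalidate_on_role_change:
            for tid in [t for t, d in self.tokens.items() if d["user"] == user]:
                del self.tokens[tid]

    def issue(self, user):
        tid = secrets.token_hex(16)
        self.tokens[tid] = {"user": user,
                            "roles": set(self.user_roles.get(user, ())),
                            "expires": time.time() + self.ttl}
        return tid

    def validate(self, tid):
        """Return the roles a token carries, or None if it is not valid."""
        data = self.tokens.get(tid)
        if data is None or data["expires"] < time.time():
            return None
        return set(data["roles"])

def roles_after_revoke(invalidate_on_role_change):
    # Constructed scenario: alice is granted admin, gets a token, loses admin.
    b = TokenBackend(invalidate_on_role_change)
    b.grant("alice", "admin")
    tid = b.issue("alice")
    b.revoke("alice", "admin")
    return b.validate(tid)  # {"admin"} when vulnerable, None when fixed
```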
--- Begin Message ---
On 09/13/2012 12:44 AM, Henri Salo wrote:
> Package: keystone
> Version: 2012.1.1-5
> Severity: important
> Tags: security
> From http://www.openwall.com/lists/oss-security/2012/09/12/7
> Description:
> Dolph Mathews reported a vulnerability in Keystone. Granting and
> revoking roles from a user is not reflected upon token validation for
> pre-existing tokens. Pre-existing tokens continue to be valid for the
> original set of roles for the remainder of the token's lifespan, or
> until explicitly invalidated. This fix invalidates all tokens held by
> a user upon role grant/revoke to circumvent the issue.
> Folsom fix:
> http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2
> Essex fix:
> http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
> References:
> https://bugs.launchpad.net/keystone/+bug/1041396
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413
> Notes:
> This fix will be included in the future Keystone 2012.1.3 stable
> update and the upcoming Folsom-RC1 development milestone.
Hi,
Thanks, but I am receiving the embargoed security fixes, and this is now
a duplicate of 687428. The fixed package has just been uploaded to SID,
and an unblock request has been sent too. Please do not submit such
reports in the future; we are aware of this kind of problem.
I'm therefore closing this bug.
Cheers,
Thomas Goirand (zigo)
--- End Message ---