hah!

On Wed, Sep 12, 2012 at 10:32 AM, Soren Hansen <so...@linux2go.dk> wrote:
> So if I can grant people access to a particular tenant, I can invalidate
> everyone's tokens at will now?
>
> Best regards, Soren.
> Sent from my phone. Please pardon my brevity.
>
> On Sep 12, 2012 6:40 PM, "Thierry Carrez" <thie...@openstack.org> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> OpenStack Security Advisory: 2012-014
>> CVE: CVE-2012-4413
>> Date: September 12, 2012
>> Title: Revoking a role does not affect existing tokens
>> Impact: High
>> Reporter: Dolph Mathews (Rackspace)
>> Products: Keystone
>> Affects: Essex, Folsom
>>
>> Description:
>> Dolph Mathews reported a vulnerability in Keystone. Granting and
>> revoking roles from a user is not reflected upon token validation for
>> pre-existing tokens. Pre-existing tokens continue to be valid for the
>> original set of roles for the remainder of the token's lifespan, or
>> until explicitly invalidated. This fix invalidates all tokens held by
>> a user upon role grant/revoke to circumvent the issue.
>>
>> Folsom fix:
>>
>> http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2
>>
>> Essex fix:
>>
>> http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
>>
>> References:
>> https://bugs.launchpad.net/keystone/+bug/1041396
>> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413
>>
>> Notes:
>> This fix will be included in the future Keystone 2012.1.3 stable
>> update and the upcoming Folsom-RC1 development milestone.
>>
>> - --
>> Thierry Carrez (ttx)
>> OpenStack Vulnerability Management Team
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>>
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
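The stale-role behaviour the advisory describes, and the side effect Soren asks about, modelled in added example code written for this page (not Keystone's own code; the TokenService class and the user and tenant names are made up):

```python
import secrets
class TokenService:
    """Toy model of OSSA 2012-014 (constructed example, not Keystone's code)."""
    def __init__(self, revoke_on_role_change):
        self.fixed = revoke_on_role_change  # False: vulnerable behaviour, True: the fix
        self.roles = {}    # (user, tenant) -> set of role names
        self.tokens = {}   # token id -> {"user", "roles", "revoked"}
    def _role_changed(self, user):
        # The fix: any grant or revoke invalidates every token the user currently holds.
        if self.fixed:
            for tok in self.tokens.values():
                if tok["user"] == user:
                    tok["revoked"] = True

    def grant(self, user, tenant, role):
        self.roles.setdefault((user, tenant), set()).add(role)
        self._role_changed(user)

    def revoke_role(self, user, tenant, role):
        self.roles.get((user, tenant), set()).discard(role)
        self._role_changed(user)

    def issue(self, user, tenant):
        # Roles are snapshotted into the token at issuance and never re-read.
        tid = secrets.token_hex(16)
        self.tokens[tid] = {"user": user, "revoked": False,
                            "roles": frozenset(self.roles.get((user, tenant), ()))}
        return tid

    def validate(self, tid):
        tok = self.tokens.get(tid)
        if tok is None or tok["revoked"]:
            return None
        return tok["roles"]   # roles as of issuance: stale once a role was revoked (the bug)

def stale_roles_after_revoke(fixed):
    svc = TokenService(fixed)
    svc.grant("alice", "projectA", "admin")
    tid = svc.issue("alice", "projectA")
    svc.revoke_role("alice", "projectA", "admin")
    return svc.validate(tid)   # vulnerable: still {'admin'}; fixed: None

def grant_elsewhere_kills_token(fixed):
    # Soren's objection: a grant on an unrelated tenant also kills the user's live tokens.
    svc = TokenService(fixed)
    svc.grant("bob", "projectA", "member")
    tid = svc.issue("bob", "projectA")
    svc.grant("bob", "projectB", "member")
    return svc.validate(tid) is None
```

With the fix enabled, the second function returns True: anyone allowed to grant roles can force a re-authentication of every token that user holds, which is the availability trade-off the reply points at.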