[Openstack-devel] Bug#687433: Bug#687433: CVE-2012-4413: openstack revoking a role does not affect existing tokens

Henri Salo henri at nerv.fi
Wed Sep 12 17:11:15 UTC 2012


On Thu, Sep 13, 2012 at 12:59:59AM +0800, Thomas Goirand wrote:
> On 09/13/2012 12:44 AM, Henri Salo wrote:
> >Package: keystone
> >Version: 2012.1.1-5
> >Severity: important
> >Tags: security
> >
> >From http://www.openwall.com/lists/oss-security/2012/09/12/7
> >
> >Description:
> >Dolph Mathews reported a vulnerability in Keystone. Granting and
> >revoking roles from a user is not reflected upon token validation for
> >pre-existing tokens. Pre-existing tokens continue to be valid for the
> >original set of roles for the remainder of the token's lifespan, or
> >until explicitly invalidated. This fix invalidates all tokens held by
> >a user upon role grant/revoke to circumvent the issue.
> >
> >Folsom fix:
> >http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2
> >
> >Essex fix:
> >http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
> >
> >References:
> >https://bugs.launchpad.net/keystone/+bug/1041396
> >http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413
> >
> >Notes:
> >This fix will be included in the future Keystone 2012.1.3 stable
> >update and the upcoming Folsom-RC1 development milestone.
> 
> Hi,
> 
> Thanks, but I am receiving the embargoed security fixes, and this is
> now a duplicate of 687428. The fixed package has just been uploaded
> to SID, and an unblock request has been sent too. Please do not
> submit such reports in the future, we are aware of this kind of
> problem.
> 
> I'm therefore closing this bug.
> 
> Cheers,
> 
> Thomas Goirand (zigo)

I didn't know that, and it is impossible to tell when not to report security vulnerabilities of packages in cases like this. Sometimes the maintainer is following security advisories and sometimes not.

- Henri
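As an added illustration of the behaviour the quoted advisory describes (a constructed model, not Keystone's code): a token carries a snapshot of the user's roles at issue time, so revoking a role leaves already-issued tokens valid for the old role set until the service invalidates them, which is what the referenced fix does on grant/revoke. The `TokenService` class and the `invalidate_on_role_change` switch are assumptions made for this example.

```python
"""Constructed model of CVE-2012-4413: role changes do not reach tokens
issued earlier unless the service invalidates them. Not Keystone code."""
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Token:
    user: str
    roles: frozenset[str]  # roles snapshotted when the token was issued
    expires: float


@dataclass
class TokenService:
    # False models the pre-fix behaviour; True models the referenced fix
    invalidate_on_role_change: bool
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    tokens: dict[str, Token] = field(default_factory=dict)

    def issue(self, user: str, ttl: float = 3600) -> str:
        tid = secrets.token_hex(16)
        roles = frozenset(self.user_roles.get(user, set()))
        self.tokens[tid] = Token(user, roles, time.time() + ttl)
        return tid

    def validate(self, tid: str) -> frozenset[str] | None:
        """Roles the token grants, or None if unknown, expired or revoked."""
        tok = self.tokens.get(tid)
        if tok is None or tok.expires <= time.time():
            return None
        return tok.roles  # pre-fix: only the snapshot is consulted

    def _role_changed(self, user: str) -> None:
        if self.invalidate_on_role_change:
            # the fix: drop every token held by the user on grant/revoke
            for tid in [t for t, tok in self.tokens.items() if tok.user == user]:
                del self.tokens[tid]

    def grant(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)
        self._role_changed(user)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)
        self._role_changed(user)


def roles_seen_after_revoke(invalidate: bool) -> frozenset[str] | None:
    """Issue a token while 'alice' is admin, revoke admin, re-validate."""
    svc = TokenService(invalidate_on_role_change=invalidate)
    svc.grant("alice", "admin")
    tid = svc.issue("alice")
    svc.revoke("alice", "admin")
    return svc.validate(tid)
```

Without invalidation the old token still validates with the revoked role; with it, validation fails and the user must obtain a fresh token reflecting the current roles.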
