[PKG-Openstack-devel] Bug#824683: Bug#824683: keystone: CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
Thomas Goirand
thomas at goirand.fr
Wed May 18 22:21:28 UTC 2016
On 05/18/2016 06:55 PM, Salvatore Bonaccorso wrote:
> Source: keystone
> Version: 2:9.0.0-1
> Severity: grave
> Tags: security patch upstream
>
> Hi,
>
> the following vulnerability was published for keystone.
>
> CVE-2016-4911[0]:
> Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-4911
> [1] https://bugs.launchpad.net/keystone/+bug/1577558
>
> Regards,
> Salvatore
Hi Salvatore,
It is my view that this bug doesn't deserve Severity: grave, as Fernet
Tokens aren't the default in Keystone (it defaults to UUID tokens, and
Fernet Tokens are a very new thing).
Your thoughts?
Anyway, Keystone in Stable isn't affected (it doesn't have the feature),
and nevertheless, I'll update the package in Sid/Testing.
Cheers,
Thomas Goirand (zigo)