[PKG-Openstack-devel] Bug#824683: Bug#824683: keystone: CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
thomas at goirand.fr
Wed May 18 22:21:28 UTC 2016
On 05/18/2016 06:55 PM, Salvatore Bonaccorso wrote:
> Source: keystone
> Version: 2:9.0.0-1
> Severity: grave
> Tags: security patch upstream
> the following vulnerability was published for keystone.
> Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> For further information see:
>  https://security-tracker.debian.org/tracker/CVE-2016-4911
>  https://bugs.launchpad.net/keystone/+bug/1577558
It is my view that this bug doesn't deserve Severity: grave, as Fernet
Tokens aren't the default in Keystone (it defaults to UUID tokens, and
Fernet Tokens are a very new thing).
Anyway, Keystone in Stable isn't affected (it doesn't have the feature),
and nevertheless, I'll update the package in Sid/Testing.
Thomas Goirand (zigo)