[PKG-Openstack-devel] Bug#824683: Bug#824683: keystone: CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass

Thomas Goirand zigo at debian.org
Thu May 19 08:54:10 UTC 2016


On 05/19/2016 06:18 AM, Salvatore Bonaccorso wrote:
> Hi Thomas,
> 
> On Thu, May 19, 2016 at 12:21:28AM +0200, Thomas Goirand wrote:
>> On 05/18/2016 06:55 PM, Salvatore Bonaccorso wrote:
>>> Source: keystone
>>> Version: 2:9.0.0-1
>>> Severity: grave
>>> Tags: security patch upstream
>>>
>>> Hi,
>>>
>>> the following vulnerability was published for keystone.
>>>
>>> CVE-2016-4911[0]:
>>> Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
>>>
>>> If you fix the vulnerability please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>
>>> For further information see:
>>>
>>> [0] https://security-tracker.debian.org/tracker/CVE-2016-4911
>>> [1] https://bugs.launchpad.net/keystone/+bug/1577558
>>>
>>> Regards,
>>> Salvatore
>>
>> Hi Salvatore,
>>
>> It is my view that this bug doesn't deserve Severity: grave, as Fernet
>> Tokens aren't the default in Keystone (it defaults to UUID tokens, and
>> Fernet Tokens are a very new thing).
>>
>> Your thoughts?
> 
> Thanks for your feedback. Wanted to be rather safe than sorry.
> 
>> Anyway, Keystone in Stable isn't affected (it doesn't have the feature),
>> and nevertheless, I'll update the package in Sid/Testing.
> 
> I can confirm that it should only affect 9.0.0, so sid. Could you
> upload the isolated fix? I will then update the tracker information
> once it enters the archive.
> 
> Thanks!
> 
> Regards,
> Salvatore

Hi Salvatore,

I have uploaded Keystone 9.0.0-2 with the upstream patch. Upstream also
confirmed that the previous version, currently in jessie-backports, isn't
affected by this issue. So, once Keystone migrates to Testing, we're
good to go.

Cheers,

Thomas Goirand (zigo)
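The thread's triage argument is that only deployments using Fernet tokens are exposed, and that the default provider is UUID. As an added example (not code from this thread, from Debian, or from the keystone project), the shell helper below reads the effective `[token] provider` setting from a keystone.conf-style ini file so an operator can tell whether a host is in scope before worrying about the package version. It assumes keystone.conf is ini-formatted and that an absent `provider` key means the uuid default; both configuration files it writes are constructed samples.

```shell
#!/bin/sh
# Added triage helper for CVE-2016-4911, not code from the Debian bug thread
# or from keystone itself. Only deployments using Fernet tokens are exposed,
# so the check reads the effective "[token] provider" value from keystone.conf.
# Assumptions: keystone.conf is an ini file, and a missing key means the
# uuid default. The two config files written below are constructed samples.

# token_provider FILE: print the [token] provider value ("uuid" if unset).
# Only the [token] section counts; a "provider" key in another section and
# commented-out lines are ignored; the last assignment in [token] wins.
token_provider() {
    awk '
        /^[ \t]*[#;]/ { next }                     # comment line
        /^[ \t]*[[]/ {                             # section header
            sect = $0
            sub(/^[ \t]*[[]/, "", sect); sub(/[]].*$/, "", sect)
            next
        }
        sect == "token" {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "provider") found = val
        }
        END { print (found == "" ? "uuid" : found) }
    ' "$1"
}

# fernet_enabled FILE: exit 0 if the file selects Fernet tokens, else 1.
fernet_enabled() {
    [ "$(token_provider "$1")" = "fernet" ]
}

# Constructed samples: one with the stock (uuid) behaviour, including a
# decoy "provider" in [DEFAULT] and a commented-out Fernet line, and one
# actually switched to Fernet.
tmp=$(mktemp -d)
cat > "$tmp/uuid.conf" <<'EOF'
[DEFAULT]
provider = fernet
[token]
# provider = fernet
expiration = 3600
EOF
cat > "$tmp/fernet.conf" <<'EOF'
[token]
provider = fernet
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
EOF

for f in "$tmp/uuid.conf" "$tmp/fernet.conf"; do
    if fernet_enabled "$f"; then
        echo "$f: provider=fernet -> in scope for CVE-2016-4911 unless keystone is 9.0.0-2 or later"
    else
        echo "$f: provider=$(token_provider "$f") -> not in scope"
    fi
done
rm -rf "$tmp"
```

The section tracking matters: a `provider` key outside `[token]` (for example under `[DEFAULT]`) must not trigger a false positive, and a commented-out `provider = fernet` line must not either, which is why the helper does not simply grep for the word "fernet".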

