[PKG-Openstack-devel] Bug#824683: Bug#824683: keystone: CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
zigo at debian.org
Thu May 19 08:54:10 UTC 2016
On 05/19/2016 06:18 AM, Salvatore Bonaccorso wrote:
> Hi Thomas,
> On Thu, May 19, 2016 at 12:21:28AM +0200, Thomas Goirand wrote:
>> On 05/18/2016 06:55 PM, Salvatore Bonaccorso wrote:
>>> Source: keystone
>>> Version: 2:9.0.0-1
>>> Severity: grave
>>> Tags: security patch upstream
>>> the following vulnerability was published for keystone.
>>> Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
>>> If you fix the vulnerability please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>> For further information see:
>>>  https://security-tracker.debian.org/tracker/CVE-2016-4911
>>>  https://bugs.launchpad.net/keystone/+bug/1577558
>> Hi Salvatore,
>> It is my view that this bug doesn't deserve Severity: grave, as Fernet
>> Tokens aren't the default in Keystone (it defaults to UUID tokens, and
>> Fernet Tokens are a very new thing).
>> Your thoughts?
> Thanks for your feedback. Wanted to be rather safe than sorry.
>> Anyway, Keystone in Stable isn't affected (it doesn't have the feature),
>> and nevertheless, I'll update the package in Sid/Testing.
> I can confirm that it should only affect 9.0.0, so sid. Could you
> upload the isolated fix? I will then update the tracker information
> once it enters the archive.
I have uploaded Keystone 9.0.0-2 with the upstream patch. Upstream also
confirmed that the previous version, currently in jessie-backports, isn't
affected by this issue. So, once Keystone migrates to Testing, we're
good to go.
Thomas Goirand (zigo)