I took a quick look at the master tests and they look like they cover it. So there's no new vulnerability in Keystone here. I think the reporter assumed that tokens weren't revoked on a password change operation (which is the safe thing to assume, and I'm not sure if it's documented anywhere that tokens are revoked).