Comment 3 for bug 1155255

Thierry Carrez (ttx) wrote : Re: revoke token does not revoke the tokens created by the original

I'm not sure that's a vulnerability to be honest. I'm fine with fixing it -- just not convinced the current behavior should be seen as a vulnerability (in the same way as bug 1097995 is not seen as one).

You can still revoke those tokens manually, I suspect? I guess that's a question of natural expectations. Is the revocation operation seen as atomic (revoke token), or functional (revoke this token and everything related to it)? Unless we clearly advertised that the "revoke token" operation also revokes tokens created by this token, I think this is not vulnerability territory.