[OSSA 2014-026] Revocation events are broken with mysql (CVE-2014-5251)
Bug #1347961 reported by Brant Knudson
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | High | Brant Knudson | |
Icehouse | Fix Released | High | Brant Knudson | |
OpenStack Security Advisory | Fix Released | High | Tristan Cacqueray | |
Bug Description
Since mysql only stores timestamps with an accuracy of seconds rather than microseconds, doing comparisons of token expiration times will fail and tokens will not show up as being revoked.
Changed in keystone: | |
milestone: | none → juno-3 |
Changed in ossa: | |
status: | Incomplete → Confirmed |
assignee: | nobody → Tristan Cacqueray (tristan-cacqueray) |
importance: | Undecided → High |
Changed in ossa: | |
status: | Confirmed → Triaged |
Changed in ossa: | |
status: | Triaged → In Progress |
summary: | Revocation events are broken with mysql → Revocation events are broken with mysql (CVE-2014-5251) |
summary: | Revocation events are broken with mysql (CVE-2014-5251) → [OSSA 2014-026] Revocation events are broken with mysql (CVE-2014-5251) |
Changed in ossa: | |
status: | In Progress → Fix Released |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | juno-3 → 2014.2 |
A breakpoint in keystone/contrib/revoke/model.py, is_revoked():
mysql:
(Pdb) p self.revoke_map
{'trust_id=*': {'consumer_id=*': {'access_token_id=*': {'expires_at=2014-07-22 22:55:53': {'domain_id=*': {'project_id=*': {u'user_id=949c28307de74cafb4ab07c6ada75d6c': {'role_id=*': {'issued_before': datetime.datetime(2014, 7, 22, 21, 55, 59, 610579)}}}}}}}}}
DB2:
(Pdb) p self.revoke_map
{'trust_id=*': {'consumer_id=*': {'access_token_id=*': {'expires_at=2014-07-22 22:58:44.322976': {'domain_id=*': {'project_id=*': {u'user_id=c4ed3fa9ee5f4e02b580389400a817e0': {'role_id=*': {'issued_before': datetime.datetime(2014, 7, 22, 21, 58, 49, 390556)}}}}}}}}}
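The mismatch described in this report can be reproduced with a simplified model of the lookup. This is an added example, not keystone's code: the storage stand-ins, function names and sample data are constructed, and keying both sides on whole seconds is one possible mitigation, assumed here rather than taken from the released fix.

```python
from datetime import datetime

def seconds_only(ts):
    """Constructed stand-in for a column that keeps whole seconds only."""
    return ts.replace(microsecond=0)

def full_precision(ts):
    """Constructed stand-in for a column that keeps microseconds."""
    return ts

def expires_key(ts, whole_seconds):
    """Build the 'expires_at=<value>' key seen in the dumps above."""
    if whole_seconds:
        ts = ts.replace(microsecond=0)
    return "expires_at=%s" % ts

def build_revoke_map(events, store, whole_seconds=False):
    """Index events by user, then by the expires_at value read back from the store."""
    revoke_map = {}
    for ev in events:
        user = revoke_map.setdefault("user_id=%s" % ev["user_id"], {})
        user[expires_key(store(ev["expires_at"]), whole_seconds)] = ev["issued_before"]
    return revoke_map

def is_revoked(revoke_map, token, whole_seconds=False):
    """Exact-match lookup on the expires_at key, then the issued_before check."""
    user = revoke_map.get("user_id=%s" % token["user_id"], {})
    issued_before = user.get(expires_key(token["expires_at"], whole_seconds))
    return issued_before is not None and token["issued_at"] <= issued_before

# Constructed sample data (not taken from the report).
TOKEN = {"user_id": "example-user",
         "issued_at": datetime(2014, 7, 22, 21, 55, 53, 120000),
         "expires_at": datetime(2014, 7, 22, 22, 55, 53, 120000)}
EVENT = {"user_id": "example-user",
         "expires_at": TOKEN["expires_at"],
         "issued_before": datetime(2014, 7, 22, 21, 55, 59, 610579)}

def demo():
    """Return (full precision, seconds only, seconds only with whole-second keys)."""
    return (is_revoked(build_revoke_map([EVENT], full_precision), TOKEN),
            is_revoked(build_revoke_map([EVENT], seconds_only), TOKEN),
            is_revoked(build_revoke_map([EVENT], seconds_only, True), TOKEN, True))

if __name__ == "__main__":
    print(demo())
```

With the seconds-only store the event key loses its fractional part while the token still carries it, so the exact-match lookup misses and the revoked token is reported as valid.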