[OSSA 2016-008] v2.0 fernet tokens audit ids are inconsistent (CVE-2016-4911)
Bug #1577558 reported by Lance Bragstad
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Lance Bragstad | |
| Mitaka | Fix Released | High | Unassigned | |
| OpenStack Security Advisory | Fix Released | Undecided | Unassigned | |
Bug Description
If you set the token provider to token.provider = fernet, get an unscoped token from v2.0, then rescope that token to a project, you'll notice the audit ids don't match. I've recreated this issue in a test [0].
What should happen is that the unscoped token response will have a list of audit_ids containing a single audit_id. The project scoped token response from the unscoped token will also have a list of audit_ids in the token response but the original audit_id from the unscoped token will be in the list of the project scoped token.
Right now this behavior doesn't exist with the fernet provider on v2.0.
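As an added illustration (example code written for this page, not keystone's own implementation), the following Python models the audit-id chain the report expects on rescope and a check that flags the inconsistency it describes. The token dicts are constructed samples trimmed to the fields that matter here, `rescope_token` is a hypothetical stand-in for the provider's rescope path (with `chain_audit=False` reproducing the reported behaviour), and the audit-id shape follows keystone's convention of a URL-safe base64 UUID with the padding stripped. The revocation helper at the end shows why the chain matters: revocation by audit id only reaches the rescoped token when the chain is intact.

```python
import base64
import uuid


def new_audit_id():
    """Random URL-safe audit id: base64 of a UUID4 with '==' padding stripped (22 chars)."""
    return base64.urlsafe_b64encode(uuid.uuid4().bytes).rstrip(b"=").decode("ascii")


def make_unscoped_token(audit_id=None):
    """Constructed v2.0 unscoped token response, reduced to the relevant fields.
    An unscoped token carries exactly one audit id."""
    audit_id = audit_id or new_audit_id()
    return {"access": {"token": {"id": "<constructed-token-id>",
                                 "audit_ids": [audit_id]}}}


def rescope_token(unscoped, project_id, chain_audit=True):
    """Hypothetical rescope: build a project-scoped token from an unscoped one.

    chain_audit=True is the expected behaviour: the new token gets a fresh audit
    id and also carries the parent's audit id, so audit_ids has two entries.
    chain_audit=False reproduces the reported inconsistency: only a fresh id,
    no link back to the unscoped token.
    """
    parent_audit = unscoped["access"]["token"]["audit_ids"][0]
    audit_ids = [new_audit_id()]
    if chain_audit:
        audit_ids.append(parent_audit)
    return {"access": {"token": {"id": "<constructed-scoped-token-id>",
                                 "audit_ids": audit_ids,
                                 "tenant": {"id": project_id}}}}


def audit_chain_is_consistent(unscoped, scoped):
    """True when the scoped token's audit_ids contains the unscoped token's
    single audit id plus one fresh id of its own; False otherwise."""
    unscoped_ids = unscoped["access"]["token"]["audit_ids"]
    scoped_ids = scoped["access"]["token"]["audit_ids"]
    if len(unscoped_ids) != 1 or len(scoped_ids) != 2:
        return False
    parent = unscoped_ids[0]
    fresh = [a for a in scoped_ids if a != parent]
    return parent in scoped_ids and len(fresh) == 1


def is_revoked(token, revoked_audit_ids):
    """A token is revoked if any audit id in its chain has been revoked.
    With a broken chain, revoking the parent leaves the rescoped token usable."""
    return any(a in revoked_audit_ids for a in token["access"]["token"]["audit_ids"])


if __name__ == "__main__":
    unscoped = make_unscoped_token()
    parent_audit = unscoped["access"]["token"]["audit_ids"][0]
    good = rescope_token(unscoped, "proj-1", chain_audit=True)
    bad = rescope_token(unscoped, "proj-1", chain_audit=False)
    print("chained  :", audit_chain_is_consistent(unscoped, good),
          "revoked with parent:", is_revoked(good, {parent_audit}))
    print("unchained:", audit_chain_is_consistent(unscoped, bad),
          "revoked with parent:", is_revoked(bad, {parent_audit}))
```

Run against real responses, `audit_chain_is_consistent` is the assertion a regression test for this bug would make: take the `access.token.audit_ids` list from the unscoped response and from the rescoped response and require the first to appear in the second.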
Activity log:

- tags: added: fernet
- tags: added: mitaka-backport-potential
- Changed in keystone: assignee: Lance Bragstad (lbragstad) → Steve Martinelli (stevemar)
- Changed in keystone: assignee: Steve Martinelli (stevemar) → Lance Bragstad (lbragstad)
- Changed in ossa: status: Incomplete → Confirmed
- Changed in ossa: status: Confirmed → In Progress
- summary: "v2.0 fernet tokens audit ids are inconsistent" → "[OSSA 2016-008] v2.0 fernet tokens audit ids are inconsistent (CVE-2016-4911)"
- Changed in ossa: status: In Progress → Fix Released
- Changed in keystone: milestone: none → newton-1
Fix proposed to branch: master
Review: https://review.openstack.org/311886