Comment 9 for bug 1577558

Morgan Fainberg (mdrnstm) wrote : Re: v2.0 fernet tokens audit ids are inconsistent

Proposed impact description -

Title: Incorrect Audit IDs in Keystone Fernet Tokens
Reporter: Lance Bragstad (Rackspace)
Products: OpenStack Keystone
Affects: Master (Newton), Mitaka

Description:
Lance Bragstad (Rackspace) reported a vulnerability in the Keystone Fernet Token Provider. When Keystone was configured to use Fernet tokens, the unique string (audit_id) was not properly maintained during a token rescope (requesting a token for a new project scope using the current token for authentication). This resulted in the inability to revoke the entire chain of tokens. The revocation of the chain of tokens. Most revocations are not for the entire chain of tokens. Only Master (Newton) and Mitaka releases of Keystone configured to use Fernet as the Keystone token provider were affected.
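A simplified model of the audit-ID chain behaviour the report describes, added here as an illustrative example and not code from Keystone or from this bug thread. `Token`, `rescope_buggy`, `rescope_fixed` and the revocation helpers are assumed names; the layout of `audit_ids` (the token's own id first, the chain id second) follows the documented Keystone token format.

```python
"""Model of audit-ID chains across a token rescope (illustrative, not Keystone code).

audit_ids[0] is the token's own audit_id; audit_ids[1], when present, is the
audit_chain_id inherited from the first token in the chain.
"""
import base64
import os
from dataclasses import dataclass, field


def new_audit_id() -> str:
    # Random URL-safe base64 string with padding stripped (constructed value).
    return base64.urlsafe_b64encode(os.urandom(16)).rstrip(b"=").decode()


@dataclass
class Token:
    project: str
    audit_ids: list = field(default_factory=lambda: [new_audit_id()])

    @property
    def audit_chain_id(self) -> str:
        # A token that started a chain is its own chain root.
        return self.audit_ids[1] if len(self.audit_ids) > 1 else self.audit_ids[0]


def rescope_buggy(parent: Token, project: str) -> Token:
    # Faulty behaviour from the report: fresh audit_id, chain link to parent dropped.
    return Token(project=project, audit_ids=[new_audit_id()])


def rescope_fixed(parent: Token, project: str) -> Token:
    # Correct behaviour: carry the parent's chain id as audit_ids[1].
    return Token(project=project, audit_ids=[new_audit_id(), parent.audit_chain_id])


def revoke_chain(root: Token) -> set:
    # A revocation event keyed on the chain id of the root token.
    return {root.audit_chain_id}


def is_revoked(token: Token, revoked_chain_ids: set) -> bool:
    return token.audit_chain_id in revoked_chain_ids


def chain_revocation_works(rescope) -> bool:
    # True only if revoking the root chain also revokes every rescoped descendant.
    root = Token(project="admin")
    child = rescope(root, "demo")
    grandchild = rescope(child, "other")
    revoked = revoke_chain(root)
    return is_revoked(child, revoked) and is_revoked(grandchild, revoked)
```

With the buggy rescope each derived token becomes its own chain root, so a revocation keyed on the original chain id never matches the rescoped tokens.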