Comment 35 for bug 1688137

Jeremy Stanley (fungi) wrote : Re: PCI-DSS account lock out DoS and account UUID lookup oracle

A fix for the account name and UUID oracles has merged with backports applied as far back as stable/train (so definitely covering all officially maintained branches at this point). We should probably issue a security advisory covering these points.

However, the other concern raised in this report is essentially with the intent of PCI-DSS controls 8.1.6 and 8.1.7, which I think should not be treated as a bug (if you don't want someone to be able to lock out another user's account by repeatedly failing to log into it, don't enable that feature in Keystone). I think the bug report should be retitled to focus on the oracles, which were certainly unintended behaviors detrimental to account security.