Activity log for bug #1526823
Date | Who | What changed | Old value | New value | Message |
---|---|---|---|---|---|
2015-12-16 14:41:56 | Adam Heczko | bug | added bug | ||
2015-12-16 14:44:23 | Adam Heczko | description | Problem description: A Keystone token which has been revoked can still be used by manipulating particular byte fields within the token. When a Keystone token is revoked it is added to the revoked list which stores the exact token value. Any API will look at the token to see whether or not it should accept a token. By changing a single byte within the token, the revocation can be bypassed. See the testing script [1]. It is suggested that the revocation should be changed to only check the token's inner ID. [1] http://paste.openstack.org/show/436516/ Solution proposal: Backport fix from the upstream. Warn customers about the issue and potential risks. | Problem description: A Keystone token which has been revoked can still be used by manipulating particular byte fields within the token. When a Keystone token is revoked it is added to the revoked list which stores the exact token value. Any API will look at the token to see whether or not it should accept a token. By changing a single byte within the token, the revocation can be bypassed. See the testing script [1]. It is suggested that the revocation should be changed to only check the token's inner ID. [1] http://paste.openstack.org/show/436516/ Upstream bug report: https://bugs.launchpad.net/keystone/+bug/1490804 OSSN notice: https://wiki.openstack.org/wiki/OSSN/OSSN-0062 Solution proposal: Backport fix from the upstream. Warn customers about the issue and potential risks. | |
2015-12-16 14:44:52 | Adam Heczko | cve linked | 2015-7546 | ||
2015-12-16 14:45:10 | Adam Heczko | nominated for series | mos/5.1.x | ||
2015-12-16 14:45:10 | Adam Heczko | bug task added | mos/5.1.x | ||
2015-12-16 14:45:10 | Adam Heczko | nominated for series | mos/6.1.x | ||
2015-12-16 14:45:10 | Adam Heczko | bug task added | mos/6.1.x | ||
2015-12-16 14:45:10 | Adam Heczko | nominated for series | mos/7.0.x | ||
2015-12-16 14:45:10 | Adam Heczko | bug task added | mos/7.0.x | ||
2015-12-16 14:45:10 | Adam Heczko | nominated for series | mos/6.0.x | ||
2015-12-16 14:45:10 | Adam Heczko | bug task added | mos/6.0.x | ||
2015-12-16 14:45:27 | Adam Heczko | mos: milestone | 8.0 | ||
2015-12-16 14:45:34 | Adam Heczko | mos: importance | Undecided | Medium | |
2015-12-16 14:45:38 | Adam Heczko | mos/5.1.x: importance | Undecided | Medium | |
2015-12-16 14:45:49 | Adam Heczko | mos/6.0.x: importance | Undecided | Medium | |
2015-12-16 14:45:59 | Adam Heczko | mos/6.1.x: importance | Undecided | Medium | |
2015-12-16 14:46:04 | Adam Heczko | mos/7.0.x: importance | Undecided | Medium | |
2015-12-16 14:46:30 | Adam Heczko | mos: importance | Medium | High | |
2015-12-16 14:46:45 | Adam Heczko | mos/5.1.x: importance | Medium | High | |
2015-12-16 14:46:49 | Adam Heczko | mos/6.0.x: importance | Medium | High | |
2015-12-16 14:46:53 | Adam Heczko | mos/6.1.x: importance | Medium | High | |
2015-12-16 14:46:57 | Adam Heczko | mos/7.0.x: importance | Medium | High | |
2015-12-16 14:47:05 | Adam Heczko | mos/5.1.x: milestone | 5.1.1-mu-3 | ||
2015-12-16 14:47:17 | Adam Heczko | mos/6.0.x: milestone | 6.0-mu-8 | ||
2015-12-16 14:47:27 | Adam Heczko | mos/6.1.x: milestone | 6.1-mu-5 | ||
2015-12-16 14:47:44 | Adam Heczko | mos/7.0.x: milestone | 7.0-updates | ||
2015-12-16 14:47:59 | Adam Heczko | mos: assignee | MOS Keystone (mos-keystone) | ||
2015-12-16 14:48:09 | Adam Heczko | mos/5.1.x: assignee | MOS Maintenance (mos-maintenance) | ||
2015-12-16 14:48:20 | Adam Heczko | mos/6.0.x: assignee | MOS Maintenance (mos-maintenance) | ||
2015-12-16 14:48:30 | Adam Heczko | mos/6.1.x: assignee | MOS Maintenance (mos-maintenance) | ||
2015-12-16 14:48:43 | Adam Heczko | mos/7.0.x: assignee | MOS Maintenance (mos-maintenance) | ||
2015-12-16 14:52:56 | Boris Bobrov | mos: status | New | Invalid | |
2015-12-17 16:18:05 | Alexander Ignatov | information type | Public Security | Private Security | |
2015-12-18 09:02:09 | Denis Meltsaykin | mos/5.1.x: status | New | Invalid | |
2015-12-18 09:02:12 | Denis Meltsaykin | mos/6.0.x: status | New | Invalid | |
2015-12-18 09:02:14 | Denis Meltsaykin | mos/6.1.x: status | New | Invalid | |
2015-12-18 09:02:16 | Denis Meltsaykin | mos/7.0.x: status | New | Invalid | |
2015-12-23 11:46:59 | Adam Heczko | tags | release-notes | ||
2016-01-22 10:42:54 | Vitaly Sedelnik | mos/6.1.x: milestone | 6.1-mu-5 | 6.1-updates | |
2016-01-22 10:42:58 | Vitaly Sedelnik | mos/6.0.x: milestone | 6.0-mu-8 | 6.0-updates | |
2016-01-22 10:43:05 | Vitaly Sedelnik | mos/5.1.x: milestone | 5.1.1-mu-3 | 5.1.1-updates | |
2016-01-31 16:57:25 | Vitaly Sedelnik | information type | Private Security | Public Security |