| 2014-07-25 21:27:13 |
Lance Bragstad |
bug |
|
|
added bug |
| 2014-07-25 21:33:01 |
Lance Bragstad |
description |
Steps to recreate
1.) Generate a v2.0
token http://pasteraw.com/37q9v3y80tlydltujo7vwfk7gcabggf
2.) Pull token from the body of the response and use the /v3/auth/tokens/ GET api call to verify the token
http://pasteraw.com/3oycofc541dil3d7hkzhihlcxlthqg4
Notice that the 'issued_at' time of the token has changed.
3.) Repeat step 2 and notice that the 'issued_at' time of the same token changes again.
http://pasteraw.com/9wgyrmawewer1ptv5ct58w7pcrfb7zt
The 'issued_at' time of a token should not change when validating the token using /v3/auth/token GET api call. |
Steps to recreate
1.) Generate a v2.0
token http://pasteraw.com/37q9v3y80tlydltujo7vwfk7gcabggf
2.) Pull token from the body of the response and use the /v3/auth/tokens/ GET api call to verify the token
http://pasteraw.com/3oycofc541dil3d7hkzhihlcxlthqg4
Notice that the 'issued_at' time of the token has changed.
3.) Repeat step 2 and notice that the 'issued_at' time of the same token changes again.
http://pasteraw.com/9wgyrmawewer1ptv5ct58w7pcrfb7zt
The 'issued_at' time of a token should not change when validating the token using /v3/auth/token GET api call.
This is because the issued_at time is being overwritten on GET here: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L319
This seems like it has been written strictly for POSTs? In the case of POST, the issued_at time needs to be generated, in the case of HEAD or GET, the issued_at time should already exist. |
|
| 2014-07-25 21:35:22 |
Lance Bragstad |
description |
Steps to recreate
1.) Generate a v2.0
token http://pasteraw.com/37q9v3y80tlydltujo7vwfk7gcabggf
2.) Pull token from the body of the response and use the /v3/auth/tokens/ GET api call to verify the token
http://pasteraw.com/3oycofc541dil3d7hkzhihlcxlthqg4
Notice that the 'issued_at' time of the token has changed.
3.) Repeat step 2 and notice that the 'issued_at' time of the same token changes again.
http://pasteraw.com/9wgyrmawewer1ptv5ct58w7pcrfb7zt
The 'issued_at' time of a token should not change when validating the token using /v3/auth/token GET api call.
This is because the issued_at time is being overwritten on GET here: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L319
This seems like it has been written strictly for POSTs? In the case of POST, the issued_at time needs to be generated, in the case of HEAD or GET, the issued_at time should already exist. |
Steps to recreate
1.) Generate a v2.0
token http://pasteraw.com/37q9v3y80tlydltujo7vwfk7gcabggf
2.) Pull token from the body of the response and use the /v3/auth/tokens/ GET api call to verify the token
http://pasteraw.com/3oycofc541dil3d7hkzhihlcxlthqg4
Notice that the 'issued_at' time of the token has changed.
3.) Repeat step 2 and notice that the 'issued_at' time of the same token changes again.
http://pasteraw.com/9wgyrmawewer1ptv5ct58w7pcrfb7zt
The 'issued_at' time of a token should not change when validating the token using /v3/auth/token GET api call.
This is because the issued_at time is being overwritten on GET here: https://github.com/openstack/keystone/blob/83c7805ed3787303f8497bc479469d9071783107/keystone/token/providers/common.py#L319
This seems like it has been written strictly for POSTs? In the case of POST, the issued_at time needs to be generated, in the case of HEAD or GET, the issued_at time should already exist. |
|
| 2014-07-25 21:48:29 |
OpenStack Infra |
keystone: status |
New |
In Progress |
|
| 2014-07-25 21:48:29 |
OpenStack Infra |
keystone: assignee |
|
Brant Knudson (blk-u) |
|
| 2014-07-25 21:56:03 |
Lance Bragstad |
keystone: importance |
Undecided |
Medium |
|
| 2014-07-25 22:12:38 |
OpenStack Infra |
keystone: assignee |
Brant Knudson (blk-u) |
Lance Bragstad (lbragstad) |
|
| 2014-07-28 14:23:08 |
Lance Bragstad |
keystone: assignee |
Lance Bragstad (lbragstad) |
Brant Knudson (blk-u) |
|
| 2014-07-28 17:58:37 |
Brant Knudson |
keystone: milestone |
|
juno-3 |
|
| 2014-07-28 17:58:52 |
Brant Knudson |
keystone: importance |
Medium |
High |
|
| 2014-07-28 18:08:10 |
Brant Knudson |
information type |
Public |
Public Security |
|
| 2014-07-29 01:38:41 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Committed |
|
| 2014-07-29 09:55:36 |
Thierry Carrez |
bug task added |
|
ossa |
|
| 2014-07-30 19:18:25 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
| 2014-07-31 09:45:00 |
Thierry Carrez |
ossa: importance |
Undecided |
High |
|
| 2014-07-31 09:45:00 |
Thierry Carrez |
ossa: status |
Incomplete |
Confirmed |
|
| 2014-07-31 09:45:21 |
Thierry Carrez |
nominated for series |
|
keystone/icehouse |
|
| 2014-07-31 09:45:21 |
Thierry Carrez |
bug task added |
|
keystone/icehouse |
|
| 2014-08-04 14:33:35 |
Tristan Cacqueray |
ossa: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
| 2014-08-04 16:44:56 |
OpenStack Infra |
keystone/icehouse: status |
New |
In Progress |
|
| 2014-08-04 16:44:56 |
OpenStack Infra |
keystone/icehouse: assignee |
|
Lance Bragstad (lbragstad) |
|
| 2014-08-05 17:16:54 |
OpenStack Infra |
keystone/icehouse: assignee |
Lance Bragstad (lbragstad) |
Brant Knudson (blk-u) |
|
| 2014-08-05 19:51:02 |
Thierry Carrez |
keystone/icehouse: milestone |
|
2014.1.2 |
|
| 2014-08-07 01:17:29 |
OpenStack Infra |
tags |
|
in-stable-icehouse |
|
| 2014-08-07 01:18:08 |
OpenStack Infra |
keystone/icehouse: status |
In Progress |
Fix Committed |
|
| 2014-08-07 15:27:05 |
Thierry Carrez |
ossa: status |
Confirmed |
Triaged |
|
| 2014-08-07 19:35:29 |
Chuck Short |
keystone/icehouse: status |
Fix Committed |
Fix Released |
|
| 2014-08-08 23:39:19 |
Dolph Mathews |
keystone/icehouse: importance |
Undecided |
High |
|
| 2014-08-11 14:23:49 |
Thierry Carrez |
ossa: status |
Triaged |
In Progress |
|
| 2014-08-15 12:14:03 |
Tristan Cacqueray |
summary |
Token issued_at time changes on /v3/auth/token GET requests |
Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252) |
|
| 2014-08-15 15:59:42 |
Tristan Cacqueray |
summary |
Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252) |
[OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252) |
|
| 2014-08-15 15:59:44 |
Tristan Cacqueray |
ossa: status |
In Progress |
Fix Released |
|
| 2014-09-04 14:31:23 |
Thierry Carrez |
keystone: status |
Fix Committed |
Fix Released |
|
| 2014-10-16 08:19:24 |
Thierry Carrez |
keystone: milestone |
juno-3 |
2014.2 |
|
