Morgan, Icehouse EOL is 15 months after its release, so it won't happen until somewhere in July... So we'll need a fix there too.
Title: User token revocation does not work with read-only LDAP backend
Reporter: Yukihiro KAWADA (GMO Internet, Inc)
Products: Keystone
Affects: up to 2014.1.4 and 2014.2 versions through 2014.2.2
Description:
Yukihiro KAWADA from GMO Internet, Inc reported a vulnerability in the Keystone read-only LDAP backend. When a user or group is disabled/deleted, the tokens for those users (or authorization for the users in the group) will not be revoked at all and will only expire according to the tokens' expiration date. Only setups using a read-only LDAP backend in Keystone are affected.