[PKG-Openstack-devel] Bug#824683: Bug#824683: keystone: CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass

Salvatore Bonaccorso carnil at debian.org
Thu May 19 04:18:33 UTC 2016


Hi Thomas,

On Thu, May 19, 2016 at 12:21:28AM +0200, Thomas Goirand wrote:
> On 05/18/2016 06:55 PM, Salvatore Bonaccorso wrote:
> > Source: keystone
> > Version: 2:9.0.0-1
> > Severity: grave
> > Tags: security patch upstream
> > 
> > Hi,
> > 
> > the following vulnerability was published for keystone.
> > 
> > CVE-2016-4911[0]:
> > Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-4911
> > [1] https://bugs.launchpad.net/keystone/+bug/1577558
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore,
> 
> It is my view that this bug doesn't deserve Severity: grave, as Fernet
> Tokens aren't the default in Keystone (it defaults to UUID tokens, and
> Fernet Tokens are a very new thing).
> 
> Your thoughts?

Thanks for your feedback. I wanted to be safe rather than sorry.

> Anyway, Keystone in Stable isn't affected (it doesn't have the feature),
> and nevertheless, I'll update the package in Sid/Testing.

I can confirm that it should only affect 9.0.0, so sid. Could you
upload the isolated fix? I will then update the tracker information
once it enters the archive.

Thanks!

Regards,
Salvatore