[PKG-Openstack-devel] Bug#824683: Bug#824683: keystone: CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass

Salvatore Bonaccorso carnil at debian.org
Thu May 19 17:22:23 UTC 2016


Hi,

On Thu, May 19, 2016 at 10:54:10AM +0200, Thomas Goirand wrote:
> On 05/19/2016 06:18 AM, Salvatore Bonaccorso wrote:
> > Hi Thomas,
> > 
> > On Thu, May 19, 2016 at 12:21:28AM +0200, Thomas Goirand wrote:
> >> On 05/18/2016 06:55 PM, Salvatore Bonaccorso wrote:
> >>> Source: keystone
> >>> Version: 2:9.0.0-1
> >>> Severity: grave
> >>> Tags: security patch upstream
> >>>
> >>> Hi,
> >>>
> >>> the following vulnerability was published for keystone.
> >>>
> >>> CVE-2016-4911[0]:
> >>> Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
> >>>
> >>> If you fix the vulnerability please also make sure to include the
> >>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >>>
> >>> For further information see:
> >>>
> >>> [0] https://security-tracker.debian.org/tracker/CVE-2016-4911
> >>> [1] https://bugs.launchpad.net/keystone/+bug/1577558
> >>>
> >>> Regards,
> >>> Salvatore
> >>
> >> Hi Salvatore,
> >>
> >> It is my view that this bug doesn't deserve Severity: grave, as Fernet
> >> Tokens aren't the default in Keystone (it defaults to UUID tokens, and
> >> Fernet Tokens are a very new thing).
> >>
> >> Your thoughts?
> > 
> > Thanks for your feedback. Wanted to be rather safe than sorry.
> > 
> >> Anyway, Keystone in Stable isn't affected (it doesn't have the feature),
> >> and nevertheless, I'll update the package in Sid/Testing.
> > 
> > I can confirm that it should only affect 9.0.0, so sid. Could you
> > upload the isolated fix? I will then update the tracker information
> > once it enters the archive.
> > 
> > Thanks!
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore,
> 
> I have uploaded Keystone 9.0.0-2 with the upstream patch. Upstream also
> confirmed that the previous version, currently in jessie-backports, isn't
> affected by this issue. So, once Keystone migrates to Testing, we're
> good to go.

Thanks. I have updated the security-tracker information.

Regards,
Salvatore
