CVE-2012-4413: Revoking a role does not affect existing tokens


Debian Bug report logs - #687428


Reported by: Thomas Goirand <zigo@debian.org>

Date: Wed, 12 Sep 2012 16:27:04 UTC

Severity: grave

Fixed in version keystone/2012.1.1-6

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#687428; Package keystone. (Wed, 12 Sep 2012 16:27:06 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 12 Sep 2012 16:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-4413: Revoking a role does not affect existing tokens
Date: Thu, 13 Sep 2012 00:25:58 +0800
Package: keystone
Version: 2012.1.1-5
Severity: grave

Title: Revoking a role does not affect existing tokens
Impact: High
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom

Description:
Dolph Mathews reported a vulnerability in Keystone. Granting and
revoking roles from a user is not reflected upon token validation for
pre-existing tokens. Pre-existing tokens continue to be valid for the
original set of roles for the remainder of the token's lifespan, or
until explicitly invalidated. This fix invalidates all tokens held by
a user upon role grant/revoke to circumvent the issue.
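The stale-snapshot behaviour and the fix the advisory describes, as an added Python illustration that is not part of the bug report or of Keystone's code; the TokenService class, the roles_seen_after_revoke helper and the user and role names are constructed for the example.

```python
import secrets
import time


class TokenService:
    """Toy token service (constructed, not Keystone code). Tokens snapshot the
    user's roles at issue time; invalidate_on_role_change=True is the fix."""

    def __init__(self, invalidate_on_role_change, ttl=3600.0):
        self.invalidate_on_role_change = invalidate_on_role_change
        self.ttl = ttl
        self.user_roles = {}  # user -> set of currently assigned roles
        self.tokens = {}      # token id -> {"user", "roles", "expires"}

    def grant(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)
        self._on_role_change(user)

    def revoke(self, user, role):
        self.user_roles.setdefault(user, set()).discard(role)
        self._on_role_change(user)

    def _on_role_change(self, user):
        # The fix: drop every outstanding token of the user, so the caller
        # must obtain a new token that carries the current role set.
        if self.invalidate_on_role_change:
            self.tokens = {t: r for t, r in self.tokens.items()
                           if r["user"] != user}

    def issue(self, user):
        tid = secrets.token_hex(16)
        roles = frozenset(self.user_roles.get(user, set()))  # snapshot
        self.tokens[tid] = {"user": user, "roles": roles,
                            "expires": time.monotonic() + self.ttl}
        return tid

    def validate(self, tid):
        rec = self.tokens.get(tid)
        if rec is None or time.monotonic() > rec["expires"]:
            return None  # unknown, invalidated or expired token
        return rec["roles"]  # from the snapshot, not the live assignment


def roles_seen_after_revoke(invalidate_on_role_change):
    """Grant admin, issue a token, revoke admin, then validate the old token."""
    svc = TokenService(invalidate_on_role_change)
    svc.grant("alice", "admin")
    tok = svc.issue("alice")
    svc.revoke("alice", "admin")
    return svc.validate(tok)
```

With the flag off the old token still authorises "admin" after the revocation; with it on, validation of the old token fails and a fresh token must be issued against the current assignments.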



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 12 Sep 2012 16:51:10 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Wed, 12 Sep 2012 16:51:10 GMT)


Message #10 received at 687428-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 687428-close@bugs.debian.org
Subject: Bug#687428: fixed in keystone 2012.1.1-6
Date: Wed, 12 Sep 2012 16:47:41 +0000
Source: keystone
Source-Version: 2012.1.1-6

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 687428@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 09 Sep 2012 02:21:11 +0000
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2012.1.1-6
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 687428
Changes:
 keystone (2012.1.1-6) unstable; urgency=high
 .
   * CVE-2012-4413: Revoking a role does not affect existing tokens
   (Closes: #687428).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 13 Oct 2012 07:25:57 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:09:54 2019
