keystone: CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass

Related Vulnerabilities: CVE-2016-4911  

Debian Bug report logs - #824683


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 18 May 2016 16:57:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version keystone/2:9.0.0-1

Fixed in version keystone/2:9.0.0-2

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#824683; Package src:keystone. (Wed, 18 May 2016 16:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 18 May 2016 16:57:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: keystone: CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
Date: Wed, 18 May 2016 18:55:39 +0200
Source: keystone
Version: 2:9.0.0-1
Severity: grave
Tags: security patch upstream

Hi,

the following vulnerability was published for keystone.

CVE-2016-4911[0]:
Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4911
[1] https://bugs.launchpad.net/keystone/+bug/1577558

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#824683; Package src:keystone. (Wed, 18 May 2016 22:24:04 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 18 May 2016 22:24:04 GMT) (full text, mbox, link).


Message #10 received at 824683@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <thomas@goirand.fr>
To: 824683@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: [PKG-Openstack-devel] Bug#824683: keystone: CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
Date: Thu, 19 May 2016 00:21:28 +0200

On 05/18/2016 06:55 PM, Salvatore Bonaccorso wrote:
> Source: keystone
> Version: 2:9.0.0-1
> Severity: grave
> Tags: security patch upstream
> 
> Hi,
> 
> the following vulnerability was published for keystone.
> 
> CVE-2016-4911[0]:
> Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-4911
> [1] https://bugs.launchpad.net/keystone/+bug/1577558
> 
> Regards,
> Salvatore

Hi Salvatore,

It is my view that this bug doesn't deserve Severity: grave, as Fernet
Tokens aren't the default in Keystone (it defaults to UUID tokens, and
Fernet Tokens are a very new thing).

Your thoughts?

Anyway, Keystone in Stable isn't affected (it doesn't have the feature),
and nevertheless, I'll update the package in Sid/Testing.

Cheers,

Thomas Goirand (zigo)




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#824683; Package src:keystone. (Thu, 19 May 2016 04:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 19 May 2016 04:21:05 GMT) (full text, mbox, link).


Message #15 received at 824683@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Goirand <thomas@goirand.fr>
Cc: 824683@bugs.debian.org
Subject: Re: [PKG-Openstack-devel] Bug#824683: keystone: CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
Date: Thu, 19 May 2016 06:18:33 +0200

Hi Thomas,

On Thu, May 19, 2016 at 12:21:28AM +0200, Thomas Goirand wrote:
> On 05/18/2016 06:55 PM, Salvatore Bonaccorso wrote:
> > Source: keystone
> > Version: 2:9.0.0-1
> > Severity: grave
> > Tags: security patch upstream
> > 
> > Hi,
> > 
> > the following vulnerability was published for keystone.
> > 
> > CVE-2016-4911[0]:
> > Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-4911
> > [1] https://bugs.launchpad.net/keystone/+bug/1577558
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore,
> 
> It is my view that this bug doesn't deserve Severity: grave, as Fernet
> Tokens aren't the default in Keystone (it defaults to UUID tokens, and
> Fernet Tokens are a very new thing).
> 
> Your thoughts?

Thanks for your feedback. Wanted to be rather safe than sorry.

> Anyway, Keystone in Stable isn't affected (it doesn't have the feature),
> and nevertheless, I'll update the package in Sid/Testing.

I can confirm that it should only affect 9.0.0, so sid. Could you
upload the isolated fix? I will then update the tracker information
once it enters the archive.

Thanks!

Regards,
Salvatore



Added tag(s) pending. Request was from Thomas Goirand <thomas@goirand.fr> to control@bugs.debian.org. (Thu, 19 May 2016 08:54:20 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#824683. (Thu, 19 May 2016 08:54:23 GMT) (full text, mbox, link).


Message #20 received at 824683-submitter@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <thomas@goirand.fr>
To: 824683-submitter@bugs.debian.org
Subject: Bug#824683 marked as pending
Date: Thu, 19 May 2016 08:52:56 +0000

tag 824683 pending
thanks

Hello,

Bug #824683 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=openstack/keystone.git;a=commitdiff;h=3304482

---
commit 3304482c3209ea766d8b8f441aafcf644499bd49
Author: Thomas Goirand <thomas@goirand.fr>
Date:   Thu May 19 07:58:43 2016 +0000

      * CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in
        revocation bypass. Add upstream patch: "Fix fernet audit ids for v2.0".
        (Closes: #824683).

diff --git a/debian/changelog b/debian/changelog
index 1a5cb44..2dac690 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-keystone (2:9.0.0-2) unstable; urgency=medium
+keystone (2:9.0.0-2) unstable; urgency=high
 
   [ Ondřej Nový ]
   * Use /bin/sh as su shell in postinst script explicitly
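Review bot: raising urgency from medium to high on the already-open 2:9.0.0-2 entry is the right call for an entry that now carries a CVE fix, and editing the existing header rather than opening a new version is only safe because 2:9.0.0-2 had not yet been uploaded (the thread confirms the upload follows this commit); if it had, a new changelog entry would be needed instead.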
@@ -8,6 +8,9 @@ keystone (2:9.0.0-2) unstable; urgency=medium
   [ Thomas Goirand ]
   * Fix the cron job to not run if we're not using UUID tokens, as it otherwise
     fail and fill-up the log file (LP: #1520321).
+  * CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in
+    revocation bypass. Add upstream patch: "Fix fernet audit ids for v2.0".
+    (Closes: #824683).
 
  -- Thomas Goirand <zigo@debian.org>  Thu, 19 May 2016 07:22:58 +0000
 
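Review bot: the new entry names the upstream patch only by its title, "Fix fernet audit ids for v2.0"; since the preceding entry already uses the (LP: #NNN) convention, citing the Launchpad bug from the report (LP: #1577558) next to (Closes: #824683) would make the backported patch traceable to its upstream source.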



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#824683; Package src:keystone. (Thu, 19 May 2016 08:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 19 May 2016 08:57:03 GMT) (full text, mbox, link).


Message #25 received at 824683@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 824683@bugs.debian.org, security@debian.org
Subject: Re: [PKG-Openstack-devel] Bug#824683: keystone: CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
Date: Thu, 19 May 2016 10:54:10 +0200

On 05/19/2016 06:18 AM, Salvatore Bonaccorso wrote:
> Hi Thomas,
> 
> On Thu, May 19, 2016 at 12:21:28AM +0200, Thomas Goirand wrote:
>> On 05/18/2016 06:55 PM, Salvatore Bonaccorso wrote:
>>> Source: keystone
>>> Version: 2:9.0.0-1
>>> Severity: grave
>>> Tags: security patch upstream
>>>
>>> Hi,
>>>
>>> the following vulnerability was published for keystone.
>>>
>>> CVE-2016-4911[0]:
>>> Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
>>>
>>> If you fix the vulnerability please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>
>>> For further information see:
>>>
>>> [0] https://security-tracker.debian.org/tracker/CVE-2016-4911
>>> [1] https://bugs.launchpad.net/keystone/+bug/1577558
>>>
>>> Regards,
>>> Salvatore
>>
>> Hi Salvatore,
>>
>> It is my view that this bug doesn't deserve Severity: grave, as Fernet
>> Tokens aren't the default in Keystone (it defaults to UUID tokens, and
>> Fernet Tokens are a very new thing).
>>
>> Your thoughts?
> 
> Thanks for your feedback. Wanted to be rather safe than sorry.
> 
>> Anyway, Keystone in Stable isn't affected (it doesn't have the feature),
>> and nevertheless, I'll update the package in Sid/Testing.
> 
> I can confirm that it should only affect 9.0.0, so sid. Could you
> upload the isolated fix? I will then update the tracker information
> once it enters the archive.
> 
> Thanks!
> 
> Regards,
> Salvatore

Hi Salvatore,

I have uploaded Keystone 9.0.0-2 with the upstream patch. Upstream also
confirmed that the previous version, currently in jessie-backports, isn't
affected by this issue. So, once Keystone migrates to Testing, we're
good to go.

Cheers,

Thomas Goirand (zigo)



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 19 May 2016 10:24:07 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 19 May 2016 10:24:07 GMT) (full text, mbox, link).


Message #30 received at 824683-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: 824683-close@bugs.debian.org
Subject: Bug#824683: fixed in keystone 2:9.0.0-2
Date: Thu, 19 May 2016 10:21:59 +0000

Source: keystone
Source-Version: 2:9.0.0-2

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 824683@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 19 May 2016 07:22:58 +0000
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2:9.0.0-2
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 824683
Changes:
 keystone (2:9.0.0-2) unstable; urgency=high
 .
   [ Ondřej Nový ]
   * Use /bin/sh as su shell in postinst script explicitly
   * Standards-Version is 3.9.8 now (no change)
   * Use /bin/sh instead of /bin/bash as default shell for "keystone" user
 .
   [ Thomas Goirand ]
   * Fix the cron job to not run if we're not using UUID tokens, as it otherwise
     fail and fill-up the log file (LP: #1520321).
   * CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in
     revocation bypass. Add upstream patch: "Fix fernet audit ids for v2.0".
     (Closes: #824683).





Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#824683; Package src:keystone. (Thu, 19 May 2016 17:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 19 May 2016 17:24:03 GMT) (full text, mbox, link).


Message #35 received at 824683@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Goirand <zigo@debian.org>
Cc: 824683@bugs.debian.org, security@debian.org
Subject: Re: [PKG-Openstack-devel] Bug#824683: keystone: CVE-2016-4911: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
Date: Thu, 19 May 2016 19:22:23 +0200

Hi,

On Thu, May 19, 2016 at 10:54:10AM +0200, Thomas Goirand wrote:
> On 05/19/2016 06:18 AM, Salvatore Bonaccorso wrote:
> > Hi Thomas,
> > 
> > On Thu, May 19, 2016 at 12:21:28AM +0200, Thomas Goirand wrote:
> >> On 05/18/2016 06:55 PM, Salvatore Bonaccorso wrote:
> >>> Source: keystone
> >>> Version: 2:9.0.0-1
> >>> Severity: grave
> >>> Tags: security patch upstream
> >>>
> >>> Hi,
> >>>
> >>> the following vulnerability was published for keystone.
> >>>
> >>> CVE-2016-4911[0]:
> >>> Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
> >>>
> >>> If you fix the vulnerability please also make sure to include the
> >>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >>>
> >>> For further information see:
> >>>
> >>> [0] https://security-tracker.debian.org/tracker/CVE-2016-4911
> >>> [1] https://bugs.launchpad.net/keystone/+bug/1577558
> >>>
> >>> Regards,
> >>> Salvatore
> >>
> >> Hi Salvatore,
> >>
> >> It is my view that this bug doesn't deserve Severity: grave, as Fernet
> >> Tokens aren't the default in Keystone (it defaults to UUID tokens, and
> >> Fernet Tokens are a very new thing).
> >>
> >> Your thoughts?
> > 
> > Thanks for your feedback. Wanted to be rather safe than sorry.
> > 
> >> Anyway, Keystone in Stable isn't affected (it doesn't have the feature),
> >> and nevertheless, I'll update the package in Sid/Testing.
> > 
> > I can confirm that it should only affect 9.0.0, so sid. Could you
> > upload the isolated fix? I will then update the tracker information
> > once it enters the archive.
> > 
> > Thanks!
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore,
> 
> I have uploaded Keystone 9.0.0-2 with the upstream patch. Upstream also
> confirmed that the previous version, currently in jessie-backports, isn't
> affected by this issue. So, once Keystone migrates to Testing, we're
> good to go.

Thanks. I have updated the security-tracker information.

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 17 Jun 2016 07:30:48 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:03:37 2019; Machine Name: buxtehude
