openstack team mailing list archive

Thread
Date

Re: [OSSA 2012-016] Token authorization for a user in a disabled tenant is allowed (CVE-2012-4457)

To: openstack@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry@xxxxxxxxxxxxx>
Date: Tue, 02 Oct 2012 22:01:50 +0200
In-reply-to: <CA+KYVfiCkC_5SGN8BCLFfTmNovhkwQcPYvypBLXrFpQfVNmyjQ@mail.gmail.com>
Organization: OpenStack
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120911 Thunderbird/15.0.1

andi abes wrote:
> is the plan going forward to announce these on friday afternoons?

We generally release embargoed issues only on Tue-Thu.

In this precise case, the fixes have been long committed and released,
but they were never brought to the Vulnerability Management Team
attention, which resulted in the lack of a published advisory. In this
case we thought the sooner we issue an advisory would be the better.

Regards,

-- 
Thierry Carrez (ttx)
Vulnerability Management Team hat on

References

[OSSA 2012-016] Token authorization for a user in a disabled tenant is allowed (CVE-2012-4457)
From: Russell Bryant, 2012-09-28
Re: [OSSA 2012-016] Token authorization for a user in a disabled tenant is allowed (CVE-2012-4457)
From: andi abes, 2012-09-28