yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1349597] Re: [OSSA 2014-026] Domain-scoped tokens don't get revoked (CVE-2014-5253)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 04 Sep 2014 14:31:28 -0000
Reply-to: Bug 1349597 <1349597@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1349597

Title:
  [OSSA 2014-026] Domain-scoped tokens don't get revoked (CVE-2014-5253)

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone havana series:
  Invalid
Status in Keystone icehouse series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  
  If a domain is invalidated and that generates a revocation event, that revocation event won't match domain-scoped tokens so those tokens won't be revoked.

  This is because the code to calculate the fields for a domain-scoped
  token don't use the domain-scope so that information can't be used
  when testing against the revocation events.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1349597/+subscriptions

References

[Bug 1349597] [NEW] Domain-scoped tokens don't get revoked
From: Brant Knudson, 2014-07-28