
yahoo-eng-team team mailing list archive

[Bug 1577558] Re: [OSSA 2016-008] v2.0 fernet tokens audit ids are inconsistent (CVE-2016-4911)


** Changed in: keystone
    Milestone: None => newton-1

** Also affects: keystone/mitaka
   Importance: Undecided
       Status: New

** Changed in: keystone/mitaka
       Status: New => Fix Released

** Changed in: keystone/mitaka
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1577558

Title:
  [OSSA 2016-008] v2.0 fernet tokens audit ids are inconsistent
  (CVE-2016-4911)

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) mitaka series:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  If you set the token provider to token.provider = fernet, get an
  unscoped token from v2.0, then rescope that token to a project, you'll
  notice the audit ids don't match. I've recreated this issue in a test
  [0].

  What should happen is that the unscoped token response will have a
  list of audit_ids containing a single audit_id. The project scoped
  token response from the unscoped token will also have a list of
  audit_ids in the token response but the original audit_id from the
  unscoped token will be in the list of the project scoped token.

  Right now this behavior doesn't exist with the fernet provider on
  v2.0.

  
  [0] https://review.openstack.org/#/c/311816/1

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1577558/+subscriptions
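The audit-chain relationship the bug description expects, written out as an added Python example (not keystone's own code): an unscoped token carries a single audit id, and a token rescoped from it must carry that same id in its own `audit_ids` list alongside its new one. The link matters because keystone can revoke by audit chain, so a rescoped token whose list drops the parent's id escapes a revocation aimed at the chain. The response bodies below are constructed placeholders shaped like v2.0 (`access` envelope) and v3 (`token` envelope) token responses; the ids and project names are made up.

```python
"""Check that a rescoped Keystone token keeps its parent's audit id.

Added example, not keystone code. Sample responses are constructed here to
mirror the shape of Identity v2.0 ("access") and v3 ("token") responses;
every id in them is a placeholder.
"""
from typing import Any, Dict, List


def audit_ids(token_response: Dict[str, Any]) -> List[str]:
    """Pull the audit_ids list out of a v2.0 or v3 token response body."""
    if "access" in token_response:        # v2.0: {"access": {"token": {...}}}
        token = token_response["access"]["token"]
    elif "token" in token_response:       # v3: {"token": {...}}
        token = token_response["token"]
    else:
        raise ValueError("not a recognised token response")
    ids = token.get("audit_ids")
    if not isinstance(ids, list) or not ids:
        raise ValueError("token response carries no audit_ids")
    return list(ids)


def audit_chain_consistent(unscoped: Dict[str, Any],
                           rescoped: Dict[str, Any]) -> bool:
    """True when the rescoped token's audit chain links back to the unscoped one.

    Expected (per the bug report): the unscoped token has exactly one audit id;
    the rescoped token's list holds its own fresh id plus that original id.
    Order inside the list is deliberately not enforced here.
    """
    parent_ids = audit_ids(unscoped)
    child_ids = audit_ids(rescoped)
    if len(parent_ids) != 1:              # an unscoped token starts a chain
        return False
    if len(child_ids) != 2 or len(set(child_ids)) != 2:
        return False                      # need a new id plus the inherited one
    return parent_ids[0] in child_ids


# Constructed sample responses (placeholders, not real tokens).
UNSCOPED_V2 = {"access": {"token": {"id": "PLACEHOLDER-UNSCOPED",
                                    "audit_ids": ["aud-parent-0001"]}}}

# Consistent rescope: the original audit id travels with the new token.
RESCOPED_V2_OK = {"access": {"token": {
    "id": "PLACEHOLDER-SCOPED",
    "tenant": {"id": "proj-0001", "name": "demo"},
    "audit_ids": ["aud-child-0002", "aud-parent-0001"]}}}

# Constructed illustration of an inconsistent chain: the rescoped token starts
# a fresh chain and loses the link to the unscoped token it came from.
RESCOPED_V2_BROKEN = {"access": {"token": {
    "id": "PLACEHOLDER-SCOPED",
    "tenant": {"id": "proj-0001", "name": "demo"},
    "audit_ids": ["aud-child-0002"]}}}

# The same extractor handles a v3-shaped body.
UNSCOPED_V3 = {"token": {"audit_ids": ["aud-parent-0001"],
                         "user": {"id": "user-0001", "name": "demo"}}}


if __name__ == "__main__":
    print("consistent:", audit_chain_consistent(UNSCOPED_V2, RESCOPED_V2_OK))
    print("broken:", audit_chain_consistent(UNSCOPED_V2, RESCOPED_V2_BROKEN))
```

Running the two comparisons against a real deployment (fetch an unscoped token, rescope it, feed both bodies to `audit_chain_consistent`) is a quick way to confirm that the fix released for this bug is in place on a given keystone.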

