Bug 1127253 (CVE-2014-5253)
Summary: | CVE-2014-5253 openstack-keystone: domain-scoped tokens don't get revoked | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | abaron, aortega, apevec, apevec, ayoung, bfilippov, chazlett, chrisw, dallan, gkotton, gmollett, itamar, jonathansteffan, jose.castro.leon, jrusnack, lhh, lpeer, markmc, nkinder, p, rbryant, sclewis, yeylon |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
It was discovered that domain-scoped tokens were not revoked when a domain was disabled. Only OpenStack Identity setups configured to make use of revocation events were affected.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2014-09-02 19:47:01 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1131344, 1131345 | ||
Bug Blocks: | 1127260 |
Description
Vasyl Kaigorodov
2014-08-06 13:11:28 UTC
It's stated in the Launchpad ticket that this would only impact Icehouse (openstack-2014.X) since that's where revocation events were added. Statement: This issue does not affected openstack-keystone as shipped with Red Hat Enterprise Linux OpenStack Platform 4.0. Keystone in RHEL-OSP-5 (Icehouse) includes this code, although it is marked as experimental in Icehouse upstream, we do include an example of how to enable it in our documentation and thus will need to release an erratum. IssueDescription: It was discovered that domain-scoped tokens were not revoked when a domain was disabled. Only OpenStack Identity setups configured to make use of revocation events were affected. This issue has been addressed in following products: OpenStack 5 for RHEL 6 Via RHSA-2014:1122 https://rhn.redhat.com/errata/RHSA-2014-1122.html This issue has been addressed in following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1121 https://rhn.redhat.com/errata/RHSA-2014-1121.html |