It was reported [1] that since mysql only stores timestamps with an accuracy of seconds rather than microseconds, doing comparisons of token expiration times will fail and tokens will not show up as being revoked. CVE request has been sent to oss-security by upstream [2] Upstream fix: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7aee6304f653475a4130dc3e5be602e91481f108 [1]: https://bugs.launchpad.net/keystone/+bug/1347961 [2]: http://seclists.org/oss-sec/2014/q3/296
It's stated in the Launchpad ticket that this would only impact Icehouse (openstack-2014.X) since that's where revocation events were added.
Statement: This issue does not affected openstack-keystone as shipped with Red Hat Enterprise Linux OpenStack Platform 4.0.
Keystone in RHEL-OSP-5 (Icehouse) includes this code, although it is marked as experimental in Icehouse upstream, we do include an example of how to enable it in our documentation and thus will need to release an erratum.
IssueDescription: It was found that the MySQL token driver did not correctly store token expiration times, which prevented manual token revocation. Only OpenStack Identity setups configured to make use of revocation events were affected.
This issue has been addressed in following products: OpenStack 5 for RHEL 6 Via RHSA-2014:1122 https://rhn.redhat.com/errata/RHSA-2014-1122.html
This issue has been addressed in following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1121 https://rhn.redhat.com/errata/RHSA-2014-1121.html