Thierry Carrez (thierry) of the OpenStack project reports:

Derek Higgins reported various issues affecting Keystone token expiration. A token expiration date can be circumvented by continuously creating new tokens before the old one has expired. Existing tokens also remain valid after a user account is disabled or after an account password changed. An authenticated and authorized user could potentially leverage those vulnerabilities to extend his access beyond the account owner's expectations.

Folsom fixes:
http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355
http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626
http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d

Essex fixes:
http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa
http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454
http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de
All fixes above are in 2012.1.1:
https://admin.fedoraproject.org/updates/FEDORA-2012-10695/openstack-keystone-2012.1.1-1.fc17
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6413/openstack-keystone-2012.1.1-1.el6
This is now public: http://article.gmane.org/gmane.comp.security.oss.general/8058
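The three weaknesses in the report (a token renewed from another token outliving the original, tokens surviving account disablement, and tokens surviving a password change) are easiest to see as checks in a token service. The block below is an added illustration written for this page, not Keystone's own code and not the text of the linked commits; the token model, the TOKEN_TTL value and every class and function name are assumptions.

```python
"""Token issuance and validation that closes the three gaps in the report.

Added illustration, not Keystone code. Assumed model: a token records its
subject, issue time and expiry; a user record carries an `enabled` flag and
the time of the last password change. Clocks are passed in explicitly so the
scenarios are deterministic.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=1)  # assumed lifetime of a freshly issued token
EPOCH = datetime.min.replace(tzinfo=timezone.utc)


@dataclass
class User:
    name: str
    enabled: bool = True
    password_changed_at: datetime = EPOCH  # "never changed" sentinel


@dataclass
class Token:
    id: str
    user: str
    issued_at: datetime
    expires_at: datetime


class TokenError(Exception):
    """Raised when a token is rejected; the message names the reason."""


class TokenService:
    def __init__(self, users):
        self.users = {u.name: u for u in users}
        self.tokens = {}

    def issue_with_password(self, username, now):
        # Credential check omitted; only the lifecycle rules are shown here.
        user = self.users.get(username)
        if user is None or not user.enabled:
            raise TokenError("authentication failed")
        return self._store(username, now, now + TOKEN_TTL)

    def issue_from_token(self, token_id, now):
        """Re-authenticate with an existing token (token chaining).

        Gap 1: the new expiry is capped at the parent's, so renewing before
        expiry never pushes access past the original token's lifetime.
        """
        parent = self.validate(token_id, now)  # parent must itself be good
        expires_at = min(now + TOKEN_TTL, parent.expires_at)
        return self._store(parent.user, now, expires_at)

    def _store(self, username, issued_at, expires_at):
        token = Token(secrets.token_hex(16), username, issued_at, expires_at)
        self.tokens[token.id] = token
        return token

    def validate(self, token_id, now):
        token = self.tokens.get(token_id)
        if token is None:
            raise TokenError("unknown token")
        if now >= token.expires_at:
            raise TokenError("token expired")
        user = self.users.get(token.user)
        # Gap 2: a token is only as good as the account behind it.
        if user is None or not user.enabled:
            raise TokenError("account disabled")
        # Gap 3: anything issued before the last password change is void.
        if token.issued_at < user.password_changed_at:
            raise TokenError("password changed after token was issued")
        return token

    def disable_user(self, username):
        self.users[username].enabled = False

    def change_password(self, username, now):
        self.users[username].password_changed_at = now


def is_valid(service, token_id, now):
    """Boolean wrapper around validate() for callers that do not want exceptions."""
    try:
        service.validate(token_id, now)
        return True
    except TokenError:
        return False


def demo():
    """Run the three scenarios; returns (chain_capped, disabled_rejected, pw_rejected)."""
    t0 = datetime(2012, 7, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    svc = TokenService([User("alice")])

    # 1. Renewing at 30 minutes yields a token that still dies at t0 + 1h.
    first = svc.issue_with_password("alice", t0)
    chained = svc.issue_from_token(first.id, t0 + timedelta(minutes=30))
    chain_capped = chained.expires_at == first.expires_at
    chain_capped &= not is_valid(svc, chained.id, t0 + TOKEN_TTL)

    # 2. Disabling the account rejects a live token on the next check.
    tok = svc.issue_with_password("alice", t0)
    svc.disable_user("alice")
    disabled_rejected = not is_valid(svc, tok.id, t0 + timedelta(minutes=1))

    # 3. A password change voids earlier tokens but not ones issued after it.
    svc = TokenService([User("bob")])
    old = svc.issue_with_password("bob", t0)
    svc.change_password("bob", t0 + timedelta(minutes=5))
    pw_rejected = not is_valid(svc, old.id, t0 + timedelta(minutes=10))
    new = svc.issue_with_password("bob", t0 + timedelta(minutes=10))
    pw_rejected &= is_valid(svc, new.id, t0 + timedelta(minutes=11))
    return chain_capped, disabled_rejected, pw_rejected


if __name__ == "__main__":
    print(demo())
```

The two account-state checks live in validate() rather than in a revocation sweep, so a disabled account or a changed password takes effect on the very next request without having to locate and delete every outstanding token; the chaining cap is applied at issuance because that is the only point where the parent token's expiry is known.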