Bugzilla – Bug 892099
VUL-0: CVE-2014-5253: openstack-keystone: domain-scoped tokens don't get revoked
Last modified: 2014-10-06 08:49:54 UTC
If a domain is invalidated (which generates a revocation event), that revocation event won't match domain-scoped tokens, so those tokens won't be revoked. This is because the code that calculates the fields for a domain-scoped token doesn't use the domain scope, so that information can't be used when testing against the revocation events.

Upstream commit that fixes this issue: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c4447f16da036fe878382ce4e1b05b84bdcc4d4e

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1127253
https://bugs.launchpad.net/keystone/+bug/1349597
http://seclists.org/oss-sec/2014/q3/296
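As an added illustration of the failure mode described above (this is a simplified, hypothetical model written for this page, not Keystone's own revocation code and not part of the bug report), the snippet below models revocation events as sets of attributes where `None` means "any value", and shows why dropping the domain scope when extracting a token's fields makes a domain-level revocation event miss domain-scoped tokens. The names `RevocationEvent`, `Token`, `token_values_buggy`, `token_values_fixed` and `is_revoked` are assumptions for the model.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical, simplified model of attribute-based token revocation matching.
# Field names are stand-ins chosen for this example, not Keystone's data model.


@dataclass
class RevocationEvent:
    """One revocation event; every attribute left as None is a wildcard."""
    domain_id: Optional[str] = None
    project_id: Optional[str] = None
    user_id: Optional[str] = None


@dataclass
class Token:
    """A token with its scope: exactly one of project_id / domain_id is set,
    or neither for an unscoped token."""
    user_id: str
    project_id: Optional[str] = None
    domain_id: Optional[str] = None


def token_values_buggy(token: Token) -> Dict[str, Optional[str]]:
    """Flawed field extraction: the domain scope is never copied across, so a
    domain-scoped token exposes no domain_id for the matcher to compare."""
    return {
        "user_id": token.user_id,
        "project_id": token.project_id,
        "domain_id": None,
    }


def token_values_fixed(token: Token) -> Dict[str, Optional[str]]:
    """Corrected extraction: the domain scope is included in the values."""
    return {
        "user_id": token.user_id,
        "project_id": token.project_id,
        "domain_id": token.domain_id,
    }


def matches(event: RevocationEvent, values: Dict[str, Optional[str]]) -> bool:
    """An event matches a token when every non-wildcard event attribute equals
    the corresponding token value."""
    for name in ("domain_id", "project_id", "user_id"):
        expected = getattr(event, name)
        if expected is not None and values.get(name) != expected:
            return False
    return True


def is_revoked(
    token: Token,
    events: List[RevocationEvent],
    extract: Callable[[Token], Dict[str, Optional[str]]],
) -> bool:
    """True if any stored revocation event matches the token's extracted values."""
    values = extract(token)
    return any(matches(event, values) for event in events)


def demo() -> Dict[str, bool]:
    """Constructed scenario: domain 'dom-a' is invalidated, which records a
    domain-level revocation event. Compare both extraction variants."""
    events = [RevocationEvent(domain_id="dom-a")]
    domain_token = Token(user_id="user-1", domain_id="dom-a")
    project_token = Token(user_id="user-1", project_id="proj-1")
    return {
        "domain_token_buggy": is_revoked(domain_token, events, token_values_buggy),
        "domain_token_fixed": is_revoked(domain_token, events, token_values_fixed),
        "project_token_buggy": is_revoked(project_token, events, token_values_buggy),
        "project_token_fixed": is_revoked(project_token, events, token_values_fixed),
    }


if __name__ == "__main__":
    for name, revoked in demo().items():
        print(f"{name}: revoked={revoked}")
```

The useful check for a deployment or a regression suite is the one `demo()` encodes: after a domain is disabled or deleted, a token scoped to that domain must be reported as revoked, while tokens scoped elsewhere must be unaffected. With the flawed extraction the first assertion fails silently, which is exactly the condition this bug describes.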
bugbot adjusting priority
CVE-2014-5253 was assigned to this issue.
For the record: this is specific to the v3 API, which is available but not really used in our product.
SUSE-SU-2014:1219-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 892095, 892097, 892099
CVE References: CVE-2014-5251, CVE-2014-5252, CVE-2014-5253
Sources used:
SUSE Cloud 4 (src): openstack-keystone-2014.1.3.dev3.gb812131-0.7.1, openstack-keystone-doc-2014.1.3.dev3.gb812131-0.7.1
This is supposed to be fixed with the update being out.