Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <5012B31D.1060805@openstack.org>
Date: Fri, 27 Jul 2012 17:26:21 +0200
From: Thierry Carrez <thierry@...nstack.org>
To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>, 
 oss-security@...ts.openwall.com, openstack-announce@...ts.openstack.org
Subject: [OSSA 2012-010] Various Keystone token expiration issues (CVE-2012-3426)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2012-010
CVE: CVE-2012-3426
Date: July 27, 2012
Title: Various Keystone token expiration issues
Impact: Medium
Reporter: Derek Higgins
Products: Keystone
Affects: Essex, Folsom

Description:
Derek Higgins reported various issues affecting Keystone token
expiration. A token expiration date can be circumvented by
continuously creating new tokens before the old one has expired.
Existing tokens also remain valid after a user account is disabled or
after an account password changed. An authenticated and authorized
user could potentially leverage those vulnerabilities to extend his
access beyond the account owner expectations.

Folsom fixes:
http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355
http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626
http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d

Essex fixes:
http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa
http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454
http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de

References:
https://bugs.launchpad.net/keystone/+bug/998185
https://bugs.launchpad.net/keystone/+bug/997194
https://bugs.launchpad.net/keystone/+bug/996595
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3426

Notes:
Those fixes were already included in Keystone 2012.1.1 stable update
and the Folsom-1 development milestone.

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCAAGBQJQErMZAAoJEFB6+JAlsQQjMrkP/juA+StMaNQNNqfPyV4gFJHG
mI/ZTFq7lf9HBqqxrKbWKdDdAW+AbGM+EXL6Vhu0xBCIk0Q9+dyj1t6BQd/Y/CMv
Je5XWZ3YrufHtNI37I9We8hrNBz4WoVhAyLZNHPHmngRu/Dxz8BNtKC4mSrG5bLL
ammjtdnecRLPa3GkqYi6tFQgKSzAiU/edXx0+h9veMaxvxKmDzwIKJ625p6CmouR
esCnoMkC23e2IoDnq85WaoqK9V8PyMJJ8auU1P+olA/VdvTIXOPAiMOrclEOuFCw
EVENPwXmzh/hM2LZKZSSmRgWxSvADfCWnTWc8VT0CvVbJXkOegwMgsFvzd/oy89Q
huEu0HiBdOw7yDet5n1f63Es0NO108jEvlN4LNEF0emEv6fNo6rbKHpIqw5R+Dxp
Yiu0j3XOiBhE6eIUvVdXv+mAvaRJsk9KzWQaAyrp2UKO52MU6G11+zwJpJCVCRod
yjO2kSm1ksZzSF2ZmoteOeFdqJp11qI1LbfT6vswuacW1zrCPHbAM8RP1DS/5X4d
PdgzJBZhE20G1YcY+kMMqIlmIs9hgP6IcaeHKxXcrW3Oq/flI00Rade/HmAamQ51
PsT9cVeE3uZt8plARG1SXyzQp8WF+U//H2af2BGiClX3TdrZU3EIOsKby77Xgwxl
Z7A0lu7IqS1+4Fm/6738
=fX6q
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.