[Openstack-security] [Bug 1447673] Re: session ID reusable?

Jeremy Stanley fungi at yuggoth.org
Tue May 5 14:49:20 UTC 2015 

Based on discussion above, I've switched this report to public, marked
it as potential security hardening in case someone decides to work on it
in the future, and set the security advisory task to won't fix
indicating it's not a report for which the vulnerability management team
will be issuing one. This is either category B2, D or E in our incident
reporting taxonomy, most probably E. http://security.openstack.org/vmt-
process.html#incident-report-taxonomy

** Information type changed from Private Security to Public Security

** Information type changed from Public Security to Public

** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1447673

Title:
  session ID reusable?

Status in OpenStack Identity (Keystone):
  Incomplete
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added as to
  the bug as attachments.

  Reported via private E-mail from Anass ANNOUR:

  I had tested to reply the session ID and the token to a local
  environnent between to distinct IP, and it worked perfectly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1447673/+subscriptions

More information about the Openstack-security mailing list