[Openstack-security] [openstack/swauth] SecurityImpact review request change openstack%2Fswauth~master~I0d01e8e95400c82ef25f98e2d269532e83233c2c

gerrit2 at review.openstack.org
Tue Nov 21 11:00:08 UTC 2017


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/521808

Log:
commit f38fc679eef7a46c53bcf907975dd1e4511b94eb
Author: Pavel Kvasnicka <pavel.kvasnicka at firma.seznam.cz>
Date:   Tue Nov 21 09:38:09 2017 +0100

    Hash token before storing it in Swift
    
    Swauth uses the token value as the object name. Object names are logged in proxy and
    object servers. Anybody with access to proxy/object server logs can see token
    values. An attacker can use this token to access the user's data in the Swift store.
    Instead of the token, a hashed token (with HASH_PATH_PREFIX and HASH_PATH_SUFFIX) is
    now used as the object name.
    
    WARNING: In deployments without memcached this patch logs out all users because
    tokens become invalid.
    
    CVE-2017-16613
    
    SecurityImpact
    Closes-Bug: #1655781
    
    Change-Id: I0d01e8e95400c82ef25f98e2d269532e83233c2c
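The change described above, as an added illustration that is not swauth's own code: the token is hashed together with the deployment's HASH_PATH_PREFIX/HASH_PATH_SUFFIX secrets before it becomes an object name, so the proxy log line for the request no longer contains the raw token, and a validating request simply recomputes the name. The secret values, the token, the container layout and the log line format are all constructed here for illustration.

```python
# Added example (not swauth's own code): hash an auth token before using it
# as a Swift object name, so proxy/object server logs carry only the hash.
import hashlib

# Constructed stand-ins for the swift.conf secrets; never log or commit these.
HASH_PATH_PREFIX = b"constructed-prefix"
HASH_PATH_SUFFIX = b"constructed-suffix"


def hash_token(token, prefix=HASH_PATH_PREFIX, suffix=HASH_PATH_SUFFIX):
    """Object name for an auth token: MD5 over prefix + token + suffix.

    Same idea as Swift's own path hashing (assumed layout): without the
    secrets, someone reading the name in a log cannot recompute or reverse it.
    """
    return hashlib.md5(prefix + token.encode("utf-8") + suffix).hexdigest()


def token_object_path(token, hashed=True):
    """Path the auth middleware would PUT/GET for this token.

    hashed=False reproduces the pre-fix behaviour: the raw token value is the
    object name and therefore ends up in request logs. Constructed layout.
    """
    name = hash_token(token) if hashed else token
    return "/v1/AUTH_.auth/.token/%s" % name


def proxy_log_line(method, path):
    """Constructed stand-in for a proxy-server access log entry."""
    return '127.0.0.1 - - [21/Nov/2017:11:00:08 +0000] "%s %s" 201' % (method, path)


def token_leaks_into_log(token, hashed):
    """True if the raw token value appears in the log line for its PUT."""
    return token in proxy_log_line("PUT", token_object_path(token, hashed=hashed))


def stored_name_changes(token):
    """True: tokens stored under the old (raw) name are no longer found after
    the switch, which is why the commit warns that users are logged out."""
    return token_object_path(token, hashed=False) != token_object_path(token)


if __name__ == "__main__":
    tok = "AUTH_tk1234567890abcdef"  # constructed token value
    print("raw name leaks:   ", token_leaks_into_log(tok, hashed=False))
    print("hashed name leaks:", token_leaks_into_log(tok, hashed=True))
```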
