[Openstack-security] [openstack/swauth] SecurityImpact review request change openstack%2Fswauth~master~I0d01e8e95400c82ef25f98e2d269532e83233c2c
gerrit2 at review.openstack.org
gerrit2 at review.openstack.org
Tue Nov 21 11:03:11 UTC 2017
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/521808
Log:
commit 70af7986265a3defea054c46efc82d0698917298
Author: Pavel Kvasnicka <pavel.kvasnicka at firma.seznam.cz>
Date: Tue Nov 21 09:38:09 2017 +0100
Hash token before storing it in Swift
Swauth uses token value as object name. Object names are logged in proxy
and object servers. Anybody with access to proxy/object server logs can
see token values. Attacker can use this token to access user's data in
Swift store. Instead of token, hashed token (with HASH_PATH_PREFIX and
HASH_PATH_SUFFIX) is used as object name now.
WARNING: In deployments without memcached this patch logs out all users
because tokens became invalid.
CVE-2017-16613
SecurityImpact
Closes-Bug: #1655781
Change-Id: I0d01e8e95400c82ef25f98e2d269532e83233c2c
More information about the Openstack-security
mailing list