<p>So if I can grant people access to a particular tenant, I can invalidate everyone's tokens at will now? </p>
<p>Best regards, Soren.<br>
Sent from my phone. Please pardon my brevity.</p>
<div class="gmail_quote">On Sep 12, 2012 6:40 PM, "Thierry Carrez" <<a href="mailto:thierry@openstack.org">thierry@openstack.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
OpenStack Security Advisory: 2012-014<br>
CVE: CVE-2012-4413<br>
Date: September 12, 2012<br>
Title: Revoking a role does not affect existing tokens<br>
Impact: High<br>
Reporter: Dolph Mathews (Rackspace)<br>
Products: Keystone<br>
Affects: Essex, Folsom<br>
<br>
Description:<br>
Dolph Mathews reported a vulnerability in Keystone. Granting and<br>
revoking roles from a user is not reflected upon token validation for<br>
pre-existing tokens. Pre-existing tokens continue to be valid for the<br>
original set of roles for the remainder of the token's lifespan, or<br>
until explicitly invalidated. This fix invalidates all tokens held by<br>
a user upon role grant/revoke to circumvent the issue.<br>
<br>
Folsom fix:<br>
<a href="http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2" target="_blank">http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2</a><br>
<br>
Essex fix:<br>
<a href="http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e" target="_blank">http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e</a><br>
<br>
References:<br>
<a href="https://bugs.launchpad.net/keystone/+bug/1041396" target="_blank">https://bugs.launchpad.net/keystone/+bug/1041396</a><br>
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413" target="_blank">http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413</a><br>
<br>
Notes:<br>
This fix will be included in the future Keystone 2012.1.3 stable<br>
update and the upcoming Folsom-RC1 development milestone.<br>
<br>
- --<br>
Thierry Carrez (ttx)<br>
OpenStack Vulnerability Management Team<br>
</blockquote></div>
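<p>A toy Python model of the behaviour the advisory describes, added here as an illustration and not Keystone's own code: tokens snapshot the user's roles at issue time, and with the fix enabled a role grant or revoke drops every token that user holds. The class and function names (<code>TokenStore</code>, <code>demo</code>) and the sample users and tenant are constructed for this example.</p>

```python
import secrets
import time


class TokenStore:
    """Constructed model of token issuance/validation with role assignments.

    Tokens carry a snapshot of the roles held at issue time, so a later
    role change is not visible to validation (the advisory's issue).
    With revoke_on_role_change=True the store applies the OSSA 2012-014
    approach: any role grant/revoke invalidates all of that user's tokens.
    """

    def __init__(self, revoke_on_role_change: bool):
        self.revoke_on_role_change = revoke_on_role_change
        self.roles = {}    # (user, tenant) -> set of role names
        self.tokens = {}   # token id -> {"user", "tenant", "roles", "expires"}

    def grant_role(self, user, tenant, role):
        self.roles.setdefault((user, tenant), set()).add(role)
        self._on_role_change(user)

    def revoke_role(self, user, tenant, role):
        self.roles.get((user, tenant), set()).discard(role)
        self._on_role_change(user)

    def _on_role_change(self, user):
        if self.revoke_on_role_change:
            # The fix: drop every pre-existing token held by this user.
            self.tokens = {tid: t for tid, t in self.tokens.items()
                           if t["user"] != user}

    def issue_token(self, user, tenant, ttl=3600):
        tid = secrets.token_hex(16)
        self.tokens[tid] = {"user": user, "tenant": tenant,
                            "roles": set(self.roles.get((user, tenant), ())),
                            "expires": time.time() + ttl}
        return tid

    def validate(self, tid):
        """Return the roles the token conveys, or None if it is not valid."""
        t = self.tokens.get(tid)
        if t is None or t["expires"] < time.time():
            return None
        return set(t["roles"])


def demo(fixed: bool):
    """Grant admin, issue a token, revoke admin, then validate the old token."""
    store = TokenStore(revoke_on_role_change=fixed)
    store.grant_role("alice", "tenant-a", "admin")   # constructed sample data
    tid = store.issue_token("alice", "tenant-a")
    store.revoke_role("alice", "tenant-a", "admin")
    return store.validate(tid)   # unfixed: {"admin"}; fixed: None
```

<p>Running <code>demo(False)</code> shows the revoked role still conveyed by the old token; <code>demo(True)</code> shows the token gone after the revoke.</p>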