We are jazzed to announce the release of: keystone 22.0.1: OpenStack Identity This release is part of the zed stable release series. The source is available from: https://opendev.org/openstack/keystone Download the package from: https://tarballs.openstack.org/keystone/ Please report issues through: https://bugs.launchpad.net/keystone/+bugs For more details, please see below. 22.0.1 ^^^^^^ Security Issues *************** * Passwords will now be automatically truncated if the max_password_length is greater than the allowed length for the selected password hashing algorithm. Currently only bcrypt has fixed allowed lengths defined which is 54 characters. A warning will be generated in the log if a password is truncated. This will not affect existing passwords, however only the first 54 characters of existing bcrypt passwords will be validated. * [bug 1992183 (https://bugs.launchpad.net/keystone/+bug/1992183)] [CVE-2022-2447 (http://cve.mitre.org/cgi- bin/cvename.cgi?name=CVE-2022-2447)] Tokens issued with application credentials will now have their expiration validated against that of the application credential. If the application credential expires before the token the token's expiration will be set to the same expiration as the application credential. Otherwise the token will use the configured value. Bug Fixes ********* * Passwords that are hashed using bcrypt are now truncated properly to the maximum allowed length by the algorythm. This solves regression, when passwords longer then 54 symbols are getting invalidated after the Keystone upgrade. Changes in keystone 22.0.0..22.0.1 ---------------------------------- 65f1fb6b4 Properly trimm bcrypt hashed passwords a62c18ec6 fix(federation): allow using numerical group names 1b3536a7a Force algo specific maximum length 7c30c9e00 [PooledLDAPHandler] Ensure result3() invokes message.clean() e4e097c5b Limit token expiration to application credential expiration cdf4107b0 Update TOX_CONSTRAINTS_FILE for stable/zed 5994dc23a Update .gitreview for stable/zed Diffstat (except docs and test files) ------------------------------------- .gitreview | 1 + keystone/common/password_hashing.py | 35 ++++-- keystone/conf/identity.py | 6 +- keystone/federation/utils.py | 38 ++++--- keystone/identity/backends/ldap/common.py | 21 +++- keystone/token/provider.py | 17 +++ .../bcrypt_truncation_fix-674dc5d7f1e776f2.yaml | 7 ++ ...th-truncation-and-warning-bd69090315ec18a7.yaml | 9 ++ ...ch_application_credential-56d058355a9f240d.yaml | 10 ++ tox.ini | 11 +- 16 files changed, 296 insertions(+), 40 deletions(-)