We high-spiritedly announce the release of: keystone 21.0.1: OpenStack Identity This release is part of the yoga stable release series. The source is available from: https://opendev.org/openstack/keystone Download the package from: https://tarballs.openstack.org/keystone/ Please report issues through: https://bugs.launchpad.net/keystone/+bugs For more details, please see below. 21.0.1 ^^^^^^ Security Issues *************** * Passwords will now be automatically truncated if the max_password_length is greater than the allowed length for the selected password hashing algorithm. Currently only bcrypt has fixed allowed lengths defined which is 54 characters. A warning will be generated in the log if a password is truncated. This will not affect existing passwords, however only the first 54 characters of existing bcrypt passwords will be validated. * [bug 1992183 (https://bugs.launchpad.net/keystone/+bug/1992183)] [CVE-2022-2447 (http://cve.mitre.org/cgi- bin/cvename.cgi?name=CVE-2022-2447)] Tokens issued with application credentials will now have their expiration validated against that of the application credential. If the application credential expires before the token the token's expiration will be set to the same expiration as the application credential. Otherwise the token will use the configured value. Bug Fixes ********* * Passwords that are hashed using bcrypt are now truncated properly to the maximum allowed length by the algorythm. This solves regression, when passwords longer then 54 symbols are getting invalidated after the Keystone upgrade. * [bug 1926483 (https://bugs.launchpad.net/keystone/+bug/1926483)] Keystone will only log warnings about token length for Fernet tokens when the token length exceeds the value of *keystone.conf [DEFAULT] max_token_size*. Changes in keystone 21.0.0..21.0.1 ---------------------------------- 7852ca24a Force algo specific maximum length & Properly trimm bcrypt hashed passwords 7c9628055 [PooledLDAPHandler] Ensure result3() invokes message.clean() 164d9522b Limit token expiration to application credential expiration d39790ac4 Fix host:port handling 1daa8e70c Move fips job to centos-9 aaff84323 Only log warnings about token length when length exceeds max_token_size 86557d285 Yoga-only: Fix wrong python job template used d8d7bc8cf Remove the note of training-labs ae0b0a17b Update TOX_CONSTRAINTS_FILE for stable/yoga 392294b25 Update .gitreview for stable/yoga Diffstat (except docs and test files) ------------------------------------- .gitreview | 1 + .zuul.yaml | 8 +- keystone/api/ec2tokens.py | 6 +- keystone/common/password_hashing.py | 35 ++++-- keystone/conf/identity.py | 6 +- keystone/identity/backends/ldap/common.py | 21 +++- keystone/token/provider.py | 17 +++ keystone/token/token_formatters.py | 9 +- .../bcrypt_truncation_fix-674dc5d7f1e776f2.yaml | 7 ++ .../notes/bug-1926483-a77ab887e0e7f5c9.yaml | 7 ++ ...th-truncation-and-warning-bd69090315ec18a7.yaml | 9 ++ ...ch_application_credential-56d058355a9f240d.yaml | 10 ++ tox.ini | 11 +- 21 files changed, 326 insertions(+), 58 deletions(-)