[Openstack-security] [OSSN][DRAFT] Disabling a tenant does not disable a user token
Kurt Seifried
kseifried at redhat.com
Thu Aug 8 16:58:35 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/08/2013 10:44 AM, Chmouel Boudjnah wrote:
> On Thu, Aug 8, 2013 at 5:53 PM, Kurt Seifried
> <kseifried at redhat.com> wrote:
>> http://docs.python.org/2/library/pickle.html
>>
>> have a giant red warning at the top stating the security risk.
>> Does a similar thing exist for OpenStack tokens?
>
> keystone is not using pickle anywhere.
>
> Chmouel.
>
I know. My pint is that for Python pickle (an unsafe function) it is
OBVIOUSLY documented, in fact in red, at the top of the page.
Now if keystone had warning banners all over the place in giant red
letters saying "deleting keystone tokens does not immediately cause
usage of the token to be invalidated" I'd probably say "no CVE". But
in this case there is no such warning about token use that I am aware
of, hence me asking.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iQIcBAEBAgAGBQJSA847AAoJEBYNRVNeJnmTYvsP/RKBbOMx2QUfcO0XNYC//V50
z6XWKYWqZOq2SjqBxUcWhgiU+rbCOJnBxkuYBLJrwwX7KbmTpxzFvTgbsRAYBFXS
rur7Wexto1VvyUMzIxRMR6VGfMiCJr4wQsueXcqaPRSF3dqMNdjm2UY+/1r9nq/A
P1DCAVGYoBAwJTepuUKagoo9Y6fEeTxyRmbA6uanB/LsnCm8yknBWjc5WffPvs1Q
DxSGxFy+ZZJtZR+WIq6BOOnL2ob+5PuEdCos31fOCd4LSgIsb2YIo23SJX1/F4CM
FEF3vDqrSrCb0DzOVtQGSLS6PrkYAKXyATqOjkN72tftVEXzmaxrN2Ji/0ZS0W2h
XfS7PUAI/kDl7Hj/G2BCLXUikcqSkOvBiKASGRYrxpLN6TXgBeLhCxkLp7MNA54g
A4crEg/fFCpTFKvN5YPN7FVxkvXkzxGSWma7s8FEnbFPvD97bhKHc795LUr5oTqf
t0z8apZtZygFn/R1cPtmi7rZh4yMrovPSH3yty7YOms8Ma2VprdT0xF+s7zawfCh
sBtK5jqcKtQQesvo/+olCbGceN4zKSwMCpLb6JmuYPWvS7WkBo9Jiohmj9EN06nO
FmLh9uyI30f26cpkfnwuoFbg5vPf9u5fFbE+f1JMDJiIlWhf2/7Q4kfJxinrPenf
nPbiZoIHkN7sWF8kWis1
=mh6g
-----END PGP SIGNATURE-----
More information about the Openstack-security
mailing list