[Openstack-security] [OSSN][DRAFT] Disabling a tenant does not disable a user token
Clark, Robert Graham
robert.clark at hp.com
Thu Aug 8 20:14:16 UTC 2013
On 08/08/2013 17:58, "Kurt Seifried" <kseifried at redhat.com> wrote:
>On 08/08/2013 10:44 AM, Chmouel Boudjnah wrote:
>> On Thu, Aug 8, 2013 at 5:53 PM, Kurt Seifried
>> <kseifried at redhat.com> wrote:
>>> http://docs.python.org/2/library/pickle.html
>>>
>>> have a giant red warning at the top stating the security risk.
>>> Does a similar thing exist for OpenStack tokens?
>>
>> keystone is not using pickle anywhere.
>>
>> Chmouel.
>>
>
>I know. My point is that for Python pickle (an unsafe function) it is
>OBVIOUSLY documented, in fact in red, at the top of the page.
>
>Now if keystone had warning banners all over the place in giant red
>letters saying "deleting keystone tokens does not immediately cause
>usage of the token to be invalidated" I'd probably say "no CVE". But
>in this case there is no such warning about token use that I am aware
>of, hence me asking.
+1 My point exactly.
>
>- --
>Kurt Seifried Red Hat Security Response Team (SRT)
>PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>_______________________________________________
>Openstack-security mailing list
>Openstack-security at lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
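The behaviour the thread describes, as an added example that is not Keystone or auth_token code: a constructed model of a service that caches token validations, where a cached "valid" verdict outlives tenant disablement or token deletion, beside a validator that re-checks revocation and tenant state on every call. All names are assumptions.

```python
import time

class TokenValidator:
    """Constructed model of a service-side token validation cache."""

    def __init__(self, cache_ttl, clock=time.time):
        self.cache_ttl = cache_ttl
        self.clock = clock
        self.tokens = {}            # token_id -> {"tenant": str, "expires": float}
        self.tenants_enabled = {}   # tenant_id -> bool
        self.revoked = set()        # token ids deleted at the identity service
        self.cache = {}             # token_id -> (verdict, cached_at)

    def issue(self, token_id, tenant, lifetime):
        self.tenants_enabled.setdefault(tenant, True)
        self.tokens[token_id] = {"tenant": tenant, "expires": self.clock() + lifetime}

    def disable_tenant(self, tenant):
        self.tenants_enabled[tenant] = False

    def revoke(self, token_id):
        self.revoked.add(token_id)

    def _fresh_verdict(self, token_id):
        tok = self.tokens.get(token_id)
        if tok is None or self.clock() >= tok["expires"]:
            return False
        return token_id not in self.revoked and self.tenants_enabled[tok["tenant"]]

    def validate_cached(self, token_id):
        # Pattern the thread complains about: a cached "valid" verdict is
        # reused until the TTL lapses, so a disabled tenant or a deleted
        # token keeps working for up to cache_ttl seconds.
        hit = self.cache.get(token_id)
        if hit and self.clock() - hit[1] < self.cache_ttl:
            return hit[0]
        verdict = self._fresh_verdict(token_id)
        self.cache[token_id] = (verdict, self.clock())
        return verdict

    def validate_checked(self, token_id):
        # Hardened pattern: revocation and tenant status are cheap lookups,
        # so consult them on every call and only trust the cache otherwise.
        tok = self.tokens.get(token_id)
        if (tok is None or token_id in self.revoked
                or not self.tenants_enabled.get(tok["tenant"], False)):
            self.cache.pop(token_id, None)   # drop the now-stale verdict
            return False
        return self.validate_cached(token_id)
```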