Is the plan going forward to announce these on Friday afternoons?

On Fri, Sep 28, 2012 at 4:50 PM, Russell Bryant <rbryant at redhat.com> wrote:

> OpenStack Security Advisory: 2012-016
> CVE: CVE-2012-4457
> Date: September 28, 2012
> Title: Token authorization for a user in a disabled tenant is allowed
> Impact: High
> Reporter: Rohit Karajgi (NTT Data)
> Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-3 development milestone)
>
> Description:
> Rohit Karajgi reported a vulnerability in Keystone. It was possible to
> get a token that is authorized for a disabled tenant. Once the token is
> established with authorization on the tenant, Keystone would respond 200
> OK to token validation requests from other OpenStack services, allowing
> the user to work with the tenant's resources.
>
> Folsom fix: (Included in 2012.2)
> http://github.com/openstack/keystone/commit/4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685
>
> Essex fix: (Included in 2012.1.2)
> http://github.com/openstack/keystone/commit/5373601bbdda10f879c08af1698852142b75f8d5
>
> References:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4457
> https://bugs.launchpad.net/keystone/+bug/988920
>
> --
> Russell Bryant
> OpenStack Vulnerability Management Team
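The advisory quoted above describes two places where the tenant's enabled flag matters: when a token is issued, and when another service asks the identity service to validate that token. The following is an added illustrative model, not Keystone's code and not the linked fix commits; the `Tenant`, `Token`, and `TokenService` names are constructed for this example. It shows a minimal token service that refuses a disabled tenant at both points, so that a token obtained while a tenant was enabled stops validating once the tenant is disabled.

```python
"""Illustrative model of the tenant-enabled check described in OSSA 2012-016.

This is an added example, not Keystone code and not the fix commits linked
in the advisory. It models a minimal token service in which both token
issuance and token validation refuse a disabled tenant. All class and
function names here are constructed for the example.
"""
from dataclasses import dataclass
import secrets
import time


@dataclass
class Tenant:
    tenant_id: str
    enabled: bool = True


@dataclass
class Token:
    token_id: str
    user_id: str
    tenant_id: str
    expires_at: float


class AuthorizationError(Exception):
    """Raised when a token cannot be issued for the requested tenant."""


class TokenService:
    def __init__(self, tenants, ttl_seconds=3600):
        # Tenant records keyed by id; tokens keyed by their opaque id.
        self._tenants = {t.tenant_id: t for t in tenants}
        self._tokens = {}
        self._ttl = ttl_seconds

    def _enabled_tenant(self, tenant_id):
        """Return the tenant only if it exists and is enabled."""
        tenant = self._tenants.get(tenant_id)
        if tenant is None or not tenant.enabled:
            return None
        return tenant

    def issue(self, user_id, tenant_id):
        """Issue a token scoped to a tenant; refuse disabled tenants up front.

        The vulnerable behaviour in the advisory is the absence of this
        check: a token scoped to a disabled tenant was still handed out.
        """
        if self._enabled_tenant(tenant_id) is None:
            raise AuthorizationError("tenant %r is disabled or unknown" % tenant_id)
        token = Token(
            token_id=secrets.token_hex(16),
            user_id=user_id,
            tenant_id=tenant_id,
            expires_at=time.time() + self._ttl,
        )
        self._tokens[token.token_id] = token
        return token

    def validate(self, token_id):
        """Validate a token as another service would ask the identity service to.

        Re-checking the tenant here means a token issued before the tenant
        was disabled stops working, rather than being accepted until expiry.
        """
        token = self._tokens.get(token_id)
        if token is None or token.expires_at < time.time():
            return False
        return self._enabled_tenant(token.tenant_id) is not None

    def disable_tenant(self, tenant_id):
        """Administratively disable a tenant (no token revocation needed here,
        because validate() re-checks the flag on every call)."""
        self._tenants[tenant_id].enabled = False


def demo():
    """Run the two scenarios from the advisory; returns a result dict."""
    svc = TokenService([Tenant("alpha"), Tenant("beta", enabled=False)])

    # 1. Issuance for an already-disabled tenant must be refused.
    try:
        svc.issue("user-1", "beta")
        refused_at_issue = False
    except AuthorizationError:
        refused_at_issue = True

    # 2. A token issued for an enabled tenant validates, then stops
    #    validating once the tenant is disabled.
    tok = svc.issue("user-1", "alpha")
    valid_before = svc.validate(tok.token_id)
    svc.disable_tenant("alpha")
    valid_after = svc.validate(tok.token_id)

    return {
        "refused_at_issue": refused_at_issue,
        "valid_before_disable": valid_before,
        "valid_after_disable": valid_after,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the enabled flag is consulted at validation time as well as at issuance, so disabling a tenant takes effect immediately for tokens already in circulation instead of only for new ones.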