[release-announce] keystone 22.0.1 (zed)
no-reply at openstack.org
Mon Oct 9 06:31:15 UTC 2023
We are jazzed to announce the release of:
keystone 22.0.1: OpenStack Identity
This release is part of the zed stable release series.
The source is available from:
https://opendev.org/openstack/keystone
Download the package from:
https://tarballs.openstack.org/keystone/
Please report issues through:
https://bugs.launchpad.net/keystone/+bugs
For more details, please see below.
22.0.1
^^^^^^
Security Issues
***************
* Passwords will now be automatically truncated if
max_password_length is greater than the length allowed by the
selected password hashing algorithm. Currently only bcrypt has a
fixed allowed length defined, which is 54 characters. A warning will
be written to the log whenever a password is truncated. This will not
affect existing passwords; however, only the first 54 characters of
existing bcrypt passwords will be validated.
* [bug 1992183 (https://bugs.launchpad.net/keystone/+bug/1992183)]
[CVE-2022-2447 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2447)]
Tokens issued with application credentials will now have their
expiration validated against that of the application credential. If
the application credential expires before the token would, the
token's expiration will be set to the application credential's
expiration. Otherwise the token will use the configured value.
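The clamping rule above, as an added illustration that is not keystone's own code: the dataclasses, the issue_token() helper and its clamp_to_app_cred switch (which reproduces the pre-fix behaviour for comparison) are assumptions made here.

```python
"""Illustration of the CVE-2022-2447 fix: a token issued with an
application credential must not outlive that credential."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ApplicationCredential:
    id: str
    expires_at: Optional[datetime]  # None: credential has no expiry


@dataclass
class Token:
    expires_at: datetime
    application_credential_id: Optional[str] = None


def issue_token(now: datetime, lifetime_seconds: int,
                app_cred: Optional[ApplicationCredential] = None,
                clamp_to_app_cred: bool = True) -> Token:
    """Compute the token expiry from the configured lifetime, then
    clamp it to the application credential's expiry when that comes
    first.  clamp_to_app_cred=False models the unfixed behaviour."""
    expires = now + timedelta(seconds=lifetime_seconds)
    if (clamp_to_app_cred and app_cred is not None
            and app_cred.expires_at is not None
            and app_cred.expires_at < expires):
        expires = app_cred.expires_at
    return Token(expires, app_cred.id if app_cred else None)


def is_token_valid(token: Token, now: datetime,
                   app_cred: Optional[ApplicationCredential] = None) -> bool:
    """Defensive check at validation time: reject the token once it or
    the application credential behind it has expired."""
    if now >= token.expires_at:
        return False
    if app_cred is not None and app_cred.expires_at is not None:
        return now < app_cred.expires_at
    return True
```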
Bug Fixes
*********
* Passwords that are hashed using bcrypt are now truncated properly
to the maximum length allowed by the algorithm. This fixes a
regression in which passwords longer than 54 characters were
invalidated after the Keystone upgrade.
Changes in keystone 22.0.0..22.0.1
----------------------------------
65f1fb6b4 Properly trim bcrypt hashed passwords
a62c18ec6 fix(federation): allow using numerical group names
1b3536a7a Force algo specific maximum length
7c30c9e00 [PooledLDAPHandler] Ensure result3() invokes message.clean()
e4e097c5b Limit token expiration to application credential expiration
cdf4107b0 Update TOX_CONSTRAINTS_FILE for stable/zed
5994dc23a Update .gitreview for stable/zed
Diffstat (except docs and test files)
-------------------------------------
.gitreview | 1 +
keystone/common/password_hashing.py | 35 ++++--
keystone/conf/identity.py | 6 +-
keystone/federation/utils.py | 38 ++++---
keystone/identity/backends/ldap/common.py | 21 +++-
keystone/token/provider.py | 17 +++
.../bcrypt_truncation_fix-674dc5d7f1e776f2.yaml | 7 ++
...th-truncation-and-warning-bd69090315ec18a7.yaml | 9 ++
...ch_application_credential-56d058355a9f240d.yaml | 10 ++
tox.ini | 11 +-
16 files changed, 296 insertions(+), 40 deletions(-)