[release-announce] keystone 21.0.1 (yoga)

no-reply at openstack.org no-reply at openstack.org
Mon Oct 9 06:42:44 UTC 2023


We high-spiritedly announce the release of:

keystone 21.0.1: OpenStack Identity

This release is part of the yoga stable release series.

The source is available from:

    https://opendev.org/openstack/keystone

Download the package from:

    https://tarballs.openstack.org/keystone/

Please report issues through:

    https://bugs.launchpad.net/keystone/+bugs

For more details, please see below.

21.0.1
^^^^^^


Security Issues
***************

* Passwords will now be automatically truncated if the
  max_password_length is greater than the allowed length for the
  selected password hashing algorithm. Currently only bcrypt has a fixed
  allowed length defined, which is 54 characters. A warning will be
  generated in the log if a password is truncated. This will not
  affect existing passwords; however, only the first 54 characters of
  existing bcrypt passwords will be validated.

* [bug 1992183 (https://bugs.launchpad.net/keystone/+bug/1992183)]
  [CVE-2022-2447 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2447)]
  Tokens issued with application credentials will now have their
  expiration validated against that of the application credential. If
  the application credential expires before the token, the token's
  expiration will be set to the same expiration as the application
  credential. Otherwise the token will use the configured value.


Bug Fixes
*********

* Passwords that are hashed using bcrypt are now truncated properly
  to the maximum length allowed by the algorithm. This fixes a
  regression where passwords longer than 54 characters were
  invalidated after the Keystone upgrade.

* [bug 1926483 (https://bugs.launchpad.net/keystone/+bug/1926483)]
  Keystone will only log warnings about token length for Fernet tokens
  when the token length exceeds the value of *keystone.conf [DEFAULT]
  max_token_size*.
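The bcrypt truncation behaviour described in both the Security Issues note and the first Bug Fixes note above, as an added stand-alone example (not keystone's own password_hashing module). The table of per-algorithm limits, the function names and the example configured value 4096 are assumptions; a salted SHA-256 digest stands in for bcrypt so the example runs with the standard library only. It also shows the consequence the Security Issues note states: once input is cut to 54 characters, any two passwords that agree on their first 54 characters verify identically.

```python
"""Added illustration of length-capped password hashing with a logged
warning, modelled on the 21.0.1 release notes. Not keystone code: the
ALGORITHM_MAX_LENGTH table and function names are assumptions, and a
salted SHA-256 digest stands in for bcrypt (the bcrypt package is not
part of the standard library)."""
import hashlib
import hmac
import logging
import os

LOG = logging.getLogger(__name__)

# Fixed input limits per hashing algorithm. The release note gives 54
# characters for bcrypt; algorithms with no fixed limit are not listed.
ALGORITHM_MAX_LENGTH = {"bcrypt": 54}


def effective_max_length(algorithm, configured_max):
    """Return the limit actually applied: the configured
    max_password_length, lowered to the algorithm's fixed limit when the
    configured value exceeds it."""
    algo_max = ALGORITHM_MAX_LENGTH.get(algorithm)
    if algo_max is None or configured_max <= algo_max:
        return configured_max
    return algo_max


def truncate_password(password, algorithm, configured_max):
    """Cut the password to the effective limit and log a warning when
    that happens. Returns (password_used, was_truncated)."""
    limit = effective_max_length(algorithm, configured_max)
    if len(password) <= limit:
        return password, False
    LOG.warning("Password longer than %d characters truncated before %s "
                "hashing", limit, algorithm)
    return password[:limit], True


def hash_password(password, algorithm="bcrypt", configured_max=4096,
                  salt=None):
    """Hash the (possibly truncated) password. The digest is a salted
    SHA-256 stand-in for bcrypt; the stored format is
    algorithm$salt_hex$digest_hex so verification can recover the salt."""
    used, _ = truncate_password(password, algorithm, configured_max)
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + used.encode("utf-8")).hexdigest()
    return "%s$%s$%s" % (algorithm, salt.hex(), digest)


def verify_password(password, stored, configured_max=4096):
    """Re-hash with the stored salt under the same truncation rule and
    compare in constant time. Because truncation happens before hashing,
    only the first 54 characters of a bcrypt password are checked."""
    algorithm, salt_hex, _digest = stored.split("$")
    recomputed = hash_password(password, algorithm, configured_max,
                               bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample: a 60-character password set under bcrypt with a
    # configured max_password_length of 4096, so it is cut to 54.
    stored = hash_password("x" * 60, "bcrypt", 4096)
    print("60 chars verify:", verify_password("x" * 60, stored))
    print("first 54 chars verify:", verify_password("x" * 54, stored))
    print("53 chars verify:", verify_password("x" * 53, stored))
```

Running the module prints the three verification results and emits the truncation warning twice (once when hashing, once when re-hashing the 60-character input); the 53-character input fails because it is shorter than the stored prefix.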

Changes in keystone 21.0.0..21.0.1
----------------------------------

7852ca24a Force algo specific maximum length & Properly trimm bcrypt hashed passwords
7c9628055 [PooledLDAPHandler] Ensure result3() invokes message.clean()
164d9522b Limit token expiration to application credential expiration
d39790ac4 Fix host:port handling
1daa8e70c Move fips job to centos-9
aaff84323 Only log warnings about token length when length exceeds max_token_size
86557d285 Yoga-only: Fix wrong python job template used
d8d7bc8cf Remove the note of training-labs
ae0b0a17b Update TOX_CONSTRAINTS_FILE for stable/yoga
392294b25 Update .gitreview for stable/yoga


Diffstat (except docs and test files)
-------------------------------------

.gitreview                                         |   1 +
.zuul.yaml                                         |   8 +-
keystone/api/ec2tokens.py                          |   6 +-
keystone/common/password_hashing.py                |  35 ++++--
keystone/conf/identity.py                          |   6 +-
keystone/identity/backends/ldap/common.py          |  21 +++-
keystone/token/provider.py                         |  17 +++
keystone/token/token_formatters.py                 |   9 +-
.../bcrypt_truncation_fix-674dc5d7f1e776f2.yaml    |   7 ++
.../notes/bug-1926483-a77ab887e0e7f5c9.yaml        |   7 ++
...th-truncation-and-warning-bd69090315ec18a7.yaml |   9 ++
...ch_application_credential-56d058355a9f240d.yaml |  10 ++
tox.ini                                            |  11 +-
21 files changed, 326 insertions(+), 58 deletions(-)