Adds OSSA-2016-005 (CVE-2015-7546)

This change also remove issues 'type' which isn't used and can't
be extended to support other type such as OSSN.

Change-Id: I037c8e808466bbdceac38d6cf10a3f98703ad99f
Related-Bug: #1490804
This commit is contained in:
Tristan Cacqueray 2016-01-28 12:24:15 -05:00
parent 606a18e718
commit 1e03c88750
2 changed files with 59 additions and 2 deletions

View File

@ -465,8 +465,6 @@ project using this template::
links:
- https://launchpad.net/bugs/$BUG
type: launchpad
reviews:
kilo:

59
ossa/OSSA-2016-005.yaml Normal file
View File

@ -0,0 +1,59 @@
date: 2016-01-29
id: OSSA-2016-005
title: 'Potential reuse of revoked Identity tokens'
description: 'Liu Sheng reported a vulnerability in Keystone. By manipulating a token
content, an authenticated user may prevent its revocation. This can allow
unauthorized access to cloud resources if a revoked token is
intercepted by an attacker. Only keystone setups using PKI or PKIZ token
are affected'
affected-products:
- product: keystone
version: "<= 2015.1.2, >= 8.0.0 <= 8.0.1"
- product: keystonemiddleware
version: ">= 1.5.0 <= 1.5.3, >= 1.6.0 <= 2.3.2"
vulnerabilities:
- cve-id: CVE-2015-7546
reporters:
- name: 'Liu Sheng'
affiliation: Huawei
reported:
- CVE-2015-7546
issues:
links:
- https://bugs.launchpad.net/bugs/1490804
- https://wiki.openstack.org/wiki/OSSN/OSSN-0062
reviews:
mitaka:
- https://review.openstack.org/258141 (keystone)
- https://review.openstack.org/258143 (keystonemiddleware)
liberty:
- https://review.openstack.org/266022 (keystone)
- https://review.openstack.org/265988 (keystonemiddleware)
kilo:
- https://review.openstack.org/266045 (keystone)
- https://review.openstack.org/266607 (keystonemiddleware)
type: gerrit
notes:
- 'The keystone fix is included in 2015.1.3 (Kilo) and will be included in a future
8.0.2 (Liberty) releases.'
- 'The keystonemiddleware fix will be included in future 1.5.4 (Kilo) and 2.3.3
(Liberty) releases.'
- 'Both keystone and keystonemiddleware needs to be updated'