Adds OSSA-2016-005 (CVE-2015-7546)
This change also remove issues 'type' which isn't used and can't be extended to support other type such as OSSN. Change-Id: I037c8e808466bbdceac38d6cf10a3f98703ad99f Related-Bug: #1490804
This commit is contained in:
parent
606a18e718
commit
1e03c88750
|
@ -465,8 +465,6 @@ project using this template::
|
|||
links:
|
||||
- https://launchpad.net/bugs/$BUG
|
||||
|
||||
type: launchpad
|
||||
|
||||
reviews:
|
||||
|
||||
kilo:
|
||||
|
|
|
@ -0,0 +1,59 @@
|
|||
date: 2016-01-29
|
||||
|
||||
id: OSSA-2016-005
|
||||
|
||||
title: 'Potential reuse of revoked Identity tokens'
|
||||
|
||||
description: 'Liu Sheng reported a vulnerability in Keystone. By manipulating a token
|
||||
content, an authenticated user may prevent its revocation. This can allow
|
||||
unauthorized access to cloud resources if a revoked token is
|
||||
intercepted by an attacker. Only keystone setups using PKI or PKIZ token
|
||||
are affected'
|
||||
|
||||
affected-products:
|
||||
|
||||
- product: keystone
|
||||
version: "<= 2015.1.2, >= 8.0.0 <= 8.0.1"
|
||||
|
||||
- product: keystonemiddleware
|
||||
version: ">= 1.5.0 <= 1.5.3, >= 1.6.0 <= 2.3.2"
|
||||
|
||||
vulnerabilities:
|
||||
|
||||
- cve-id: CVE-2015-7546
|
||||
|
||||
reporters:
|
||||
|
||||
- name: 'Liu Sheng'
|
||||
affiliation: Huawei
|
||||
reported:
|
||||
- CVE-2015-7546
|
||||
|
||||
issues:
|
||||
|
||||
links:
|
||||
- https://bugs.launchpad.net/bugs/1490804
|
||||
- https://wiki.openstack.org/wiki/OSSN/OSSN-0062
|
||||
|
||||
reviews:
|
||||
|
||||
mitaka:
|
||||
- https://review.openstack.org/258141 (keystone)
|
||||
- https://review.openstack.org/258143 (keystonemiddleware)
|
||||
|
||||
liberty:
|
||||
- https://review.openstack.org/266022 (keystone)
|
||||
- https://review.openstack.org/265988 (keystonemiddleware)
|
||||
|
||||
kilo:
|
||||
- https://review.openstack.org/266045 (keystone)
|
||||
- https://review.openstack.org/266607 (keystonemiddleware)
|
||||
|
||||
type: gerrit
|
||||
|
||||
notes:
|
||||
- 'The keystone fix is included in 2015.1.3 (Kilo) and will be included in a future
|
||||
8.0.2 (Liberty) releases.'
|
||||
- 'The keystonemiddleware fix will be included in future 1.5.4 (Kilo) and 2.3.3
|
||||
(Liberty) releases.'
|
||||
- 'Both keystone and keystonemiddleware needs to be updated'
|
Loading…
Reference in New Issue