573660 – (CVE-2015-7546) <dev-python/keystonemiddleware-{2.3.1-r1,2.3.2-r1}: Potential reuse of revoked Identity tokens (CVE-2015-7546)

Bug 573660 (CVE-2015-7546) - <dev-python/keystonemiddleware-{2.3.1-r1,2.3.2-r1}: Potential reuse of revoked Identity tokens (CVE-2015-7546)

Summary: <dev-python/keystonemiddleware-{2.3.1-r1,2.3.2-r1}: Potential reuse of revoke...

Status:	RESOLVED FIXED

Alias:	CVE-2015-7546

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2016-02-02 11:19 UTC by Agostino Sarubbo
Modified:	2016-07-24 02:21 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2016-02-02 11:19:01 UTC

From ${URL} :

=========================================================
OSSA-2016-005: Potential reuse of revoked Identity tokens
=========================================================

:Date: January 29, 2016
:CVE: CVE-2015-7546


Affects
~~~~~~
- Keystone: <= 2015.1.2, >= 8.0.0 <= 8.0.1
- Keystonemiddleware: >= 1.5.0 <= 1.5.3, >= 1.6.0 <= 2.3.2


Description
~~~~~~~~~~
Liu Sheng reported a vulnerability in Keystone. By manipulating a
token content, an authenticated user may prevent its revocation. This
can allow unauthorized access to cloud resources if a revoked token is
intercepted by an attacker. Only keystone setups using PKI or PKIZ
token are affected


Patches
~~~~~~
- https://review.openstack.org/266045 (keystone) (Kilo)
- https://review.openstack.org/266607 (keystonemiddleware) (Kilo)
- https://review.openstack.org/266022 (keystone) (Liberty)
- https://review.openstack.org/265988 (keystonemiddleware) (Liberty)
- https://review.openstack.org/258141 (keystone) (Mitaka)
- https://review.openstack.org/258143 (keystonemiddleware) (Mitaka)


Credits
~~~~~~
- Liu Sheng from Huawei (CVE-2015-7546)


References
~~~~~~~~~
- https://bugs.launchpad.net/bugs/1490804
- https://wiki.openstack.org/wiki/OSSN/OSSN-0062
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546


Notes
~~~~
- The keystone fix is included in 2015.1.3 (Kilo) and will be included
  in a future 8.0.2 (Liberty) releases.
- The keystonemiddleware fix will be included in future 1.5.4 (Kilo)
  and 2.3.3 (Liberty) releases.
- Both keystone and keystonemiddleware needs to be updated



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Matthew Thode ( prometheanfire ) archtester

2016-02-02 16:09:07 UTC

fixed in:

=dev-python/keystonemiddleware-2.3.1-r1
=dev-python/keystonemiddleware-2.3.2-r1

arches, please stabilize both

Comment 2 Agostino Sarubbo gentoo-dev

2016-02-03 16:53:52 UTC

amd64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2016-02-03 16:55:30 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev

2016-02-08 20:30:41 UTC

GLSA Vote: No

Comment 5 Aaron Bauman (RETIRED) gentoo-dev

2016-06-13 10:57:00 UTC

@maintainer(s), what is the intention for 1.5.x branch?  1.5.4 is still not out with the proper fix.  Thanks

Comment 6 Aaron Bauman (RETIRED) gentoo-dev

2016-06-30 10:40:58 UTC

Can we clean 1.5.x and 2.2.0?

Comment 7 Matthew Thode ( prometheanfire ) archtester

2016-07-24 02:20:28 UTC

cleaned up