Hi Thomas,

On Fri, Jun 18, 2021 at 12:25:54AM +0200, Thomas Goirand wrote:
> On 6/17/21 3:46 PM, Salvatore Bonaccorso wrote:
> > Source: keystone
> > Version: 2:18.0.0-3
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://bugs.launchpad.net/keystone/+bug/1901891
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for keystone.
> >
> > CVE-2021-3563[0].
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2021-3563
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3563
> > [1] https://bugs.launchpad.net/keystone/+bug/1901891
> > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1962908
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > Regards,
> > Salvatore
>
> Hi,
>
> Reading the bug report, I'd be for lowering the severity to "normal".
> Your thoughts?
To summarize: from the three issues, the CVE is for the 'truncation' issue to 72 characters before comparing. There is no fix so far, and it is believed to be impractical (for now) to brute force credentials up to that length.

That said, personally I would leave it as important, but I will not object if you feel strongly otherwise and want to lower because of the above reasoning. Though still, we usually use important for most security related bugs, when they are not release critical level.

Regards,
Salvatore
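The "truncation to 72 characters before comparing" behaviour discussed in the thread, modelled as an added example (this is not keystone's code and not from the bug report). It places a verifier that truncates the submitted secret before hashing next to one that hashes the whole secret, and gives a deployer a self-test, `verifier_truncates()`, for telling the two apart on their own password store. The hash (salted SHA-256), the 72 value being a character count, and all function names are assumptions for the illustration; the truncation behaviour is the point, not the hash algorithm.

```python
"""Model of a verifier that truncates credentials before comparing.

Added example, not keystone's code. Two store/verify pairs are shown:
one that only hashes the first TRUNCATE_AT characters (the flawed
behaviour described in the CVE discussion) and one that hashes the whole
secret. verifier_truncates() is a deployer-side check that reports
whether a given pair ignores characters past the limit.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

TRUNCATE_AT = 72  # length cited in the thread; treated here as a character count (assumption)


def _digest(secret: str, salt: bytes) -> bytes:
    # Salted SHA-256 stands in for the real password hasher (assumption).
    return hashlib.sha256(salt + secret.encode("utf-8")).digest()


def store_truncating(secret: str) -> tuple[bytes, bytes]:
    """Flawed behaviour: only the first TRUNCATE_AT characters are hashed."""
    salt = secrets.token_bytes(16)
    return salt, _digest(secret[:TRUNCATE_AT], salt)


def verify_truncating(secret: str, record: tuple[bytes, bytes]) -> bool:
    """Compares after truncating, so anything past TRUNCATE_AT is ignored."""
    salt, expected = record
    return hmac.compare_digest(_digest(secret[:TRUNCATE_AT], salt), expected)


def store_full(secret: str) -> tuple[bytes, bytes]:
    """Hashes the whole secret; every character contributes to the record."""
    salt = secrets.token_bytes(16)
    return salt, _digest(secret, salt)


def verify_full(secret: str, record: tuple[bytes, bytes]) -> bool:
    """Compares the full-length digest in constant time."""
    salt, expected = record
    return hmac.compare_digest(_digest(secret, salt), expected)


def verifier_truncates(store, verify, length: int = TRUNCATE_AT) -> bool:
    """Deployer self-test: does this store/verify pair ignore characters past `length`?

    Enrols a constructed secret longer than `length`, then presents a variant
    that is identical up to `length` and different afterwards. Returns True
    when the variant still verifies, i.e. the verifier truncates.
    """
    base = secrets.token_hex(length)  # 2*length hex characters, well past the limit
    # Hex never contains 'x', so the variant is guaranteed to differ in its tail.
    variant = base[:length] + "x" * (len(base) - length)
    record = store(base)
    return verify(variant, record)


if __name__ == "__main__":
    print("truncating verifier ignores tail:", verifier_truncates(store_truncating, verify_truncating))
    print("full-length verifier ignores tail:", verifier_truncates(store_full, verify_full))
```

Running the module reports `True` for the truncating pair and `False` for the full-length pair. The same self-test can be pointed at a real store/verify pair by passing those callables in; a `True` result means the length limit described in the thread applies and enforcing a maximum credential length at the input boundary is the minimum a deployer should consider until an upstream fix exists.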