Hi Thomas,

On Thu, May 19, 2016 at 12:21:28AM +0200, Thomas Goirand wrote:
> On 05/18/2016 06:55 PM, Salvatore Bonaccorso wrote:
> > Source: keystone
> > Version: 2:9.0.0-1
> > Severity: grave
> > Tags: security patch upstream
> >
> > Hi,
> >
> > the following vulnerability was published for keystone.
> >
> > CVE-2016-4911[0]:
> > Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation
> > bypass
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-4911
> > [1] https://bugs.launchpad.net/keystone/+bug/1577558
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore,
>
> It is my view that this bug doesn't deserve Severity: grave, as Fernet
> Tokens aren't the default in Keystone (it defaults to UUID tokens, and
> Fernet Tokens are a very new thing).
>
> Your thoughts?
Thanks for your feedback. Wanted to be rather safe than sorry.

> Anyway, Keystone in Stable isn't affected (it doesn't have the feature),
> and nevertheless, I'll update the package in Sid/Testing.

I can confirm that it should only affect 9.0.0, so sid. Could you upload
the isolated fix? I will then update the tracker information once it
enters the archive.

Thanks!

Regards,
Salvatore