Hi,

On Thu, May 19, 2016 at 10:54:10AM +0200, Thomas Goirand wrote:
> On 05/19/2016 06:18 AM, Salvatore Bonaccorso wrote:
> > Hi Thomas,
> >
> > On Thu, May 19, 2016 at 12:21:28AM +0200, Thomas Goirand wrote:
> >> On 05/18/2016 06:55 PM, Salvatore Bonaccorso wrote:
> >>> Source: keystone
> >>> Version: 2:9.0.0-1
> >>> Severity: grave
> >>> Tags: security patch upstream
> >>>
> >>> Hi,
> >>>
> >>> the following vulnerability was published for keystone.
> >>>
> >>> CVE-2016-4911[0]:
> >>> Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation
> >>> bypass
> >>>
> >>> If you fix the vulnerability please also make sure to include the
> >>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >>>
> >>> For further information see:
> >>>
> >>> [0] https://security-tracker.debian.org/tracker/CVE-2016-4911
> >>> [1] https://bugs.launchpad.net/keystone/+bug/1577558
> >>>
> >>> Regards,
> >>> Salvatore
> >>
> >> Hi Salvatore,
> >>
> >> It is my view that this bug doesn't deserve Severity: grave, as Fernet
> >> Tokens aren't the default in Keystone (it defaults to UUID tokens, and
> >> Fernet Tokens are a very new thing).
> >>
> >> Your thoughts?
> >
> > Thanks for your feedback. Wanted to be rather safe than sorry.
> >
> >> Anyway, Keystone in Stable isn't affected (it doesn't have the feature),
> >> and nevertheless, I'll update the package in Sid/Testing.
> >
> > I can confirm that it should only affect 9.0.0, so sid. Could you
> > upload the isolated fix? I will then update the tracker information
> > once it enters the archive.
> >
> > Thanks!
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore,
>
> I have uploaded Keystone 9.0.0-2 with the upstream patch. Upstream also
> confirmed that the previous version, currently in jessie-backports, isn't
> affected by this issue. So, once Keystone migrates to Testing, we're
> good to go.

Thanks. I have updated the security-tracker information.

Regards,
Salvatore