Adds OSSA 2016-008 (CVE-2016-4911)

Change-Id: I35ae3174ce88363c1a2b0b3f8c5beb0a3054d928 Related-Bug: #1577558
2016-05-23 20:48:44 -07:00 · 2016-05-23 20:48:44 -07:00 · c6db6d9d4a
parent 1cf9b0671f
commit c6db6d9d4a
1 changed files with 46 additions and 0 deletions
--- a/ossa/OSSA-2016-008.yaml
+++ b/ossa/OSSA-2016-008.yaml
@ -0,0 +1,46 @@
+date: 2016-05-23
+
+id: OSSA-2016-008
+
+title: 'Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass'
+
+description: 'Lance Bragstad (Rackspace) reported a vulnerability in the Keystone
+    Fernet Token Provider. By rescoping a token a user will receive a new token
+    without correct audit_ids, these incorrect audit_ids will prevent the entire
+    chain of tokens from being revoked properly. This vulnerability does not impact
+    revoking a token by its individual audit_id. Only deployments with Keystone
+    configured to use Fernet tokens are impacted.'
+
+affected-products:
+
+  - product: keystone
+    version: "==9.0.0"
+
+vulnerabilities:
+
+  - cve-id: CVE-2016-4911
+
+reporters:
+
+  - name: 'Lance Bragstad'
+    affiliation: Rackspace
+    reported:
+      - CVE-2016-4911
+
+issues:
+
+  links:
+    - https://bugs.launchpad.net/bugs/1577558
+
+reviews:
+
+  newton:
+    - https://review.openstack.org/#/c/311886/
+
+  mitaka:
+    - https://review.openstack.org/#/c/312582/
+
+type: gerrit
+
+notes:
+  - 'This fix was included in the openstack/keystone 9.0.1 (mitaka) release.'