From c6db6d9d4ab7193fc4d48cd5eaca3c8a0c56a024 Mon Sep 17 00:00:00 2001
From: Morgan Fainberg <morgan.fainberg@gmail.com>
Date: Mon, 23 May 2016 20:48:44 -0700
Subject: [PATCH] Adds OSSA 2016-008 (CVE-2016-4911)

Change-Id: I35ae3174ce88363c1a2b0b3f8c5beb0a3054d928
Related-Bug: #1577558
---
 ossa/OSSA-2016-008.yaml | 46 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 ossa/OSSA-2016-008.yaml

diff --git a/ossa/OSSA-2016-008.yaml b/ossa/OSSA-2016-008.yaml
new file mode 100644
index 0000000..5c50dee
--- /dev/null
+++ b/ossa/OSSA-2016-008.yaml
@@ -0,0 +1,46 @@
+date: 2016-05-23
+
+id: OSSA-2016-008
+
+title: 'Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass'
+
+description: 'Lance Bragstad (Rackspace) reported a vulnerability in the Keystone
+    Fernet Token Provider. By rescoping a token a user will receive a new token
+    without correct audit_ids, these incorrect audit_ids will prevent the entire
+    chain of tokens from being revoked properly. This vulnerability does not impact
+    revoking a token by its individual audit_id. Only deployments with Keystone
+    configured to use Fernet tokens are impacted.'
+
+affected-products:
+
+  - product: keystone
+    version: "==9.0.0"
+
+vulnerabilities:
+
+  - cve-id: CVE-2016-4911
+
+reporters:
+
+  - name: 'Lance Bragstad'
+    affiliation: Rackspace
+    reported:
+      - CVE-2016-4911
+
+issues:
+
+  links:
+    - https://bugs.launchpad.net/bugs/1577558
+
+reviews:
+
+  newton:
+    - https://review.openstack.org/#/c/311886/
+
+  mitaka:
+    - https://review.openstack.org/#/c/312582/
+
+type: gerrit
+
+notes:
+  - 'This fix was included in the openstack/keystone 9.0.1 (mitaka) release.'