Candidate: CVE-2015-7546
PublicDate: 2016-02-03 18:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546
 https://wiki.openstack.org/wiki/OSSN/OSSN-0062
Description:
 The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo)
 and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly
 python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not
 properly invalidate authorization tokens when using the PKI or PKIZ token
 providers, which allows remote authenticated users to bypass intended access
 restrictions and gain access to cloud resources by manipulating byte fields
 within a revoked token.
Ubuntu-Description:
Notes:
 mdeslaur> we will not be fixing this in Ubuntu 14.04 LTS. Users are
 mdeslaur> encouraged to migrate to a different token provider as described
 mdeslaur> in the upstream advisory.
Bugs:
 https://bugs.launchpad.net/keystone/+bug/1490804
Priority: medium
Discovered-by: Liu Sheng
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.5 HIGH]
 nvd: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.5 HIGH]

Patches_python-keystonemiddleware:
 upstream: https://review.openstack.org/#/c/258143/
upstream_python-keystonemiddleware: needs-triage
precise_python-keystonemiddleware: DNE
precise/esm_python-keystonemiddleware: DNE
trusty_python-keystonemiddleware: DNE
trusty/esm_python-keystonemiddleware: DNE
vivid_python-keystonemiddleware: ignored (reached end-of-life)
vivid/stable-phone-overlay_python-keystonemiddleware: DNE
vivid/ubuntu-core_python-keystonemiddleware: DNE
wily_python-keystonemiddleware: ignored (reached end-of-life)
xenial_python-keystonemiddleware: not-affected (4.4.0-3)
esm-infra/xenial_python-keystonemiddleware: not-affected (4.4.0-3)
yakkety_python-keystonemiddleware: not-affected (4.4.0-3)
zesty_python-keystonemiddleware: not-affected (4.4.0-3)
devel_python-keystonemiddleware: not-affected (4.4.0-3)

Patches_keystone:
 upstream: https://review.openstack.org/#/c/258141/
upstream_keystone: needs-triage
precise_keystone: ignored (reached end-of-life)
precise/esm_keystone: DNE (precise was needed)
trusty_keystone: ignored
trusty/esm_keystone: DNE (trusty was ignored)
vivid_keystone: ignored (reached end-of-life)
vivid/stable-phone-overlay_keystone: DNE
vivid/ubuntu-core_keystone: DNE
wily_keystone: not-affected (2:8.1.0-0ubuntu1)
xenial_keystone: not-affected (2:9.0.0-0ubuntu1)
esm-infra/xenial_keystone: not-affected (2:9.0.0-0ubuntu1)
yakkety_keystone: not-affected (2:9.0.0-0ubuntu1)
zesty_keystone: not-affected (2:9.0.0-0ubuntu1)
devel_keystone: not-affected (2:9.0.0-0ubuntu1)