keystonemiddleware/releasenotes/notes/bug-1490804-87c0ff8e764945c1.yaml
Brant Knudson 96ab58e686 auth_token verify revocation by audit_id
If the revocation list includes audit_ids, then when doing offline
validation also validate the token isn't revoked by audit_id.

Closes-Bug: 1490804
Change-Id: I483bc57bd38eb81a0905bcaf94e4ea82604919d6
2015-12-17 10:55:58 -06:00


---
features:
  - >
    [`bug 1490804 <https://bugs.launchpad.net/keystone/+bug/1490804>`_]
    The auth_token middleware validates the token's audit IDs during offline
    token validation if the Identity server includes audit IDs in the token
    revocation list.
security:
  - >
    [`bug 1490804 <https://bugs.launchpad.net/keystone/+bug/1490804>`_]
    [`CVE-2015-7546 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546>`_]
    A bug is fixed where an attacker could avoid token revocation when the PKI
    or PKIZ token provider is used. The complete remediation for this
    vulnerability requires the corresponding fix in the Identity (keystone)
    project.
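The release note describes two checks an offline validator runs against the revocation list: the pre-existing comparison of the token's ID, and the added comparison of the token's audit IDs. The following Python is an added illustration of that logic and is not keystonemiddleware's own code. It assumes the revocation-list shape `{"revoked": [{"id": ..., "expires": ..., "audit_id": ...}]}`, that a validated token body carries its audit IDs under `audit_ids`, and that the token ID compared against the list is a hash of the presented token string; the token and list contents are constructed for the example. The legacy-list case shows why the note says complete remediation also needs the keystone-side fix: a list without `audit_id` fields gives the new check nothing to match.

```python
import hashlib
import json


class InvalidToken(Exception):
    """Raised when a token fails an offline revocation check."""


def token_id_from_blob(token_blob):
    """Identifier compared against entry["id"] in the revocation list.

    Assumed for this example: the ID is a hash of the presented token string.
    """
    return hashlib.sha256(token_blob.encode("utf-8")).hexdigest()


def revoked_token_ids(revocation_list):
    """All token IDs the Identity server has revoked."""
    return {entry["id"] for entry in revocation_list.get("revoked", [])}


def revoked_audit_ids(revocation_list):
    """Audit IDs in the list; entries from an older server carry none."""
    return {entry["audit_id"] for entry in revocation_list.get("revoked", [])
            if "audit_id" in entry}


def check_revoked(token_blob, token_body, revocation_list, use_audit_ids=True):
    """Return True if the token is not revoked; raise InvalidToken otherwise.

    The token-ID comparison is the check that existed before the fix; the
    audit-ID comparison (use_audit_ids=True) is the addition the release
    note describes.
    """
    if token_id_from_blob(token_blob) in revoked_token_ids(revocation_list):
        raise InvalidToken("token id is in the revocation list")
    if use_audit_ids:
        revoked = revoked_audit_ids(revocation_list)
        for audit_id in token_body.get("audit_ids", []):
            if audit_id in revoked:
                raise InvalidToken("token audit id %s is revoked" % audit_id)
    return True


def is_revoked(token_blob, token_body, revocation_list, use_audit_ids=True):
    """Boolean convenience wrapper around check_revoked()."""
    try:
        check_revoked(token_blob, token_body, revocation_list, use_audit_ids)
    except InvalidToken:
        return True
    return False


# Constructed sample data (not a real token or a real revocation list).
TOKEN_BODY = {"audit_ids": ["AUDIT-A"], "user": {"name": "demo"}}
TOKEN_BLOB = json.dumps({"token": TOKEN_BODY}, sort_keys=True)

# Entry whose id matches the presented token: caught by the old check alone.
LIST_BY_ID = {"revoked": [
    {"id": token_id_from_blob(TOKEN_BLOB), "expires": "2015-12-31T00:00:00Z"},
]}
# Entry whose id does not match but whose audit_id does: only the new check
# catches this one.
LIST_BY_AUDIT = {"revoked": [
    {"id": "0" * 64, "expires": "2015-12-31T00:00:00Z", "audit_id": "AUDIT-A"},
]}
# Entry from an Identity server without the keystone-side fix: no audit_id,
# so the audit-ID check has nothing to match against.
LIST_LEGACY = {"revoked": [
    {"id": "0" * 64, "expires": "2015-12-31T00:00:00Z"},
]}


def demo():
    """Outcomes of each list against the same token, before and after the fix."""
    return {
        "empty list": is_revoked(TOKEN_BLOB, TOKEN_BODY, {"revoked": []}),
        "matched by id": is_revoked(TOKEN_BLOB, TOKEN_BODY, LIST_BY_ID),
        "audit id, old check": is_revoked(TOKEN_BLOB, TOKEN_BODY, LIST_BY_AUDIT,
                                          use_audit_ids=False),
        "audit id, new check": is_revoked(TOKEN_BLOB, TOKEN_BODY, LIST_BY_AUDIT),
        "legacy list, new check": is_revoked(TOKEN_BLOB, TOKEN_BODY, LIST_LEGACY),
    }


if __name__ == "__main__":
    for case, revoked in demo().items():
        print("%-24s revoked=%s" % (case, revoked))
```

Because `revoked_audit_ids()` skips entries without an `audit_id`, the validator keeps working against an unfixed Identity server, but in that configuration "legacy list, new check" stays False: the middleware-side change alone does not close the gap.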