Package: keystone
Version: 2012.1.1-5
Severity: grave
Title: Revoking a role does not affect existing tokens
Impact: High
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom
Description: Dolph Mathews reported a vulnerability in Keystone. Granting and revoking roles from a user is not reflected upon token validation for pre-existing tokens. Pre-existing tokens continue to be valid for the original set of roles for the remainder of the token's lifespan, or until explicitly invalidated. This fix invalidates all tokens held by a user upon role grant/revoke to circumvent the issue.
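The behaviour described in the report, as an added illustration that is not Keystone's code: a toy in-memory token service with three modes. The "snapshot" mode models the Essex-era behaviour (the user's roles are copied into the token at issue time and returned unchanged on validation, so a revoked role survives until the token expires). The "invalidate" mode models the fix the advisory describes (every token held by a user is dropped when a role is granted or revoked). The "live" mode is an alternative design added here for comparison, not what the fix did: roles are re-resolved from the current assignments on every validation. Token ids, the in-memory dicts and the `alice`/`bob` users are assumptions made for the example.

```python
# Added illustration, not Keystone's code. Models the Essex-era token
# behaviour described in the report beside the advisory's fix.
import secrets
import time

SNAPSHOT = "snapshot"      # vulnerable: validation returns roles frozen at issue time
INVALIDATE = "invalidate"  # the fix in the advisory: drop the user's tokens on role change
LIVE = "live"              # alternative design (not the fix): re-resolve roles on validation


class TokenService:
    def __init__(self, mode=INVALIDATE, clock=time.time):
        self.mode = mode
        self.clock = clock
        self.assignments = {}  # user -> set of role names (hypothetical store)
        self.tokens = {}       # token id -> record (hypothetical store)

    def grant_role(self, user, role):
        self.assignments.setdefault(user, set()).add(role)
        self._role_changed(user)

    def revoke_role(self, user, role):
        self.assignments.get(user, set()).discard(role)
        self._role_changed(user)

    def _role_changed(self, user):
        # The fix: any grant or revoke drops every token the user holds, so the
        # next request must re-authenticate and receive a token that reflects
        # the current assignments.
        if self.mode == INVALIDATE:
            stale = [tid for tid, rec in self.tokens.items() if rec["user"] == user]
            for tid in stale:
                del self.tokens[tid]

    def issue_token(self, user, ttl=3600):
        tid = secrets.token_hex(16)
        self.tokens[tid] = {
            "user": user,
            "roles": frozenset(self.assignments.get(user, ())),  # roles at issue time
            "expires": self.clock() + ttl,
        }
        return tid

    def validate(self, tid):
        """Return the roles the token grants, or None if the token is not valid."""
        rec = self.tokens.get(tid)
        if rec is None or rec["expires"] <= self.clock():
            return None
        if self.mode == LIVE:
            return frozenset(self.assignments.get(rec["user"], ()))
        return rec["roles"]  # snapshot: revocation is invisible here


def roles_after_revoke(mode):
    """Issue a token to a user holding admin, revoke admin, validate the old token."""
    svc = TokenService(mode)
    svc.grant_role("alice", "member")
    svc.grant_role("alice", "admin")
    tid = svc.issue_token("alice")
    assert svc.validate(tid) == frozenset({"member", "admin"})
    svc.revoke_role("alice", "admin")
    return svc.validate(tid)


if __name__ == "__main__":
    for mode in (SNAPSHOT, INVALIDATE, LIVE):
        print(mode, roles_after_revoke(mode))
```

Running it shows `snapshot` still returning `admin` after the revoke, `invalidate` returning `None` (the client must re-authenticate), and `live` returning only `member`. Note that the fix invalidates on grant as well as revoke, so a user's tokens also die when privileges only increase; and that dropping tokens from a store only helps when validation actually consults that store, so a token format that is validated offline would need a separate revocation mechanism.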