Diffstat (limited to 'releasenotes')
-rw-r--r-- releasenotes/notes/bug-1872733-2377f456a57ad32c.yaml | 16
-rw-r--r-- releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml | 31
-rw-r--r-- releasenotes/notes/bug-1872755-2c81d3267b89f124.yaml | 19
3 files changed, 66 insertions, 0 deletions
diff --git a/releasenotes/notes/bug-1872733-2377f456a57ad32c.yaml b/releasenotes/notes/bug-1872733-2377f456a57ad32c.yaml new file mode 100644 index 000000000..656822c2a --- /dev/null +++ b/releasenotes/notes/bug-1872733-2377f456a57ad32c.yaml @@ -0,0 +1,16 @@ +--- +critical: + - | + [`bug 1872733 <https://bugs.launchpad.net/keystone/+bug/1872733>`_] + Fixed a critical security issue in which an authenticated user could + escalate their privileges by altering a valid EC2 credential. +security: + - | + [`bug 1872733 <https://bugs.launchpad.net/keystone/+bug/1872733>`_] + Fixed a critical security issue in which an authenticated user could + escalate their privileges by altering a valid EC2 credential. +fixes: + - | + [`bug 1872733 <https://bugs.launchpad.net/keystone/+bug/1872733>`_] + Fixed a critical security issue in which an authenticated user could + escalate their privileges by altering a valid EC2 credential. diff --git a/releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml b/releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml new file mode 100644 index 000000000..1aed86301 --- /dev/null +++ b/releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml 
@@ -0,0 +1,31 @@ +--- +critical: + - | + [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_] + Fixed a security issue in which a trustee or an application credential user + could create an EC2 credential or an application credential that would + permit them to get a token that elevated their role assignments beyond the + subset delegated to them in the trust or application credential. A new + attribute ``app_cred_id`` is now automatically added to the access blob of + an EC2 credential and the role list in the trust or application credential + is respected. +security: + - | + [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_] + Fixed a security issue in which a trustee or an application credential user + could create an EC2 credential or an application credential that would + permit them to get a token that elevated their role assignments beyond the + subset delegated to them in the trust or application credential. A new + attribute ``app_cred_id`` is now automatically added to the access blob of + an EC2 credential and the role list in the trust or application credential + is respected. +fixes: + - | + [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_] + Fixed a security issue in which a trustee or an application credential user + could create an EC2 credential or an application credential that would + permit them to get a token that elevated their role assignments beyond the + subset delegated to them in the trust or application credential. A new + attribute ``app_cred_id`` is now automatically added to the access blob of + an EC2 credential and the role list in the trust or application credential + is respected. diff --git a/releasenotes/notes/bug-1872755-2c81d3267b89f124.yaml b/releasenotes/notes/bug-1872755-2c81d3267b89f124.yaml new file mode 100644 index 000000000..a30259ffa --- /dev/null +++ b/releasenotes/notes/bug-1872755-2c81d3267b89f124.yaml 
@@ -0,0 +1,19 @@ +--- +security: + - | + [`bug 1872755 <https://bugs.launchpad.net/keystone/+bug/1872755>`_] + Added validation to the EC2 credentials update API to ensure the metadata + labels 'trust_id' and 'app_cred_id' are not altered by the user. These + labels are used by keystone to determine the scope allowed by the + credential, and altering these automatic labels could enable an EC2 + credential holder to elevate their access beyond what is permitted by the + application credential or trust that was used to create the EC2 credential. +fixes: + - | + [`bug 1872755 <https://bugs.launchpad.net/keystone/+bug/1872755>`_] + Added validation to the EC2 credentials update API to ensure the metadata + labels 'trust_id' and 'app_cred_id' are not altered by the user. These + labels are used by keystone to determine the scope allowed by the + credential, and altering these automatic labels could enable an EC2 + credential holder to elevate their access beyond what is permitted by the + application credential or trust that was used to create the EC2 credential. |
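Review bot: In the bug-1872733 note, the same three-line paragraph is pasted verbatim under `critical`, `security` and `fixes`, so reno will render it three times in the release notes; keep the full text under `security` (and `critical` if the severity label is wanted) and reduce the `fixes` entry to a one-line reference to the bug. The paragraph is also the vaguest of the three notes, saying only "altering a valid EC2 credential" without naming what was altered; since the bug-1872755 note identifies the `trust_id` and `app_cred_id` labels as the attributes that scope the credential, say so here too so an operator reading this note alone understands which part of the credential was trusted without validation.

Review bot: In the bug-1872735 note, the identical `critical` / `security` / `fixes` triplication applies and should be collapsed the same way. On content, the note says a new `app_cred_id` attribute is now added to the access blob but is silent on `trust_id`, while the bug-1872755 note treats both labels as the scope-determining ones; add a sentence stating whether `trust_id` was already present in the access blob and is handled the same way, so the two notes read consistently. "the role list in the trust or application credential is respected" should also say where it is enforced, for example that a token obtained with such an EC2 credential carries only the delegated subset of roles, rather than leaving the reader to infer it.

Review bot: The bug-1872755 note has no `critical` section while the two sibling notes for the same advisory do; either all three carry it or none, otherwise the rendered notes rank the update-API fix lower than the others although it closes the same privilege-escalation path. Markup is inconsistent across the files as well: this note quotes the labels as 'trust_id' and 'app_cred_id' in single quotes where the bug-1872735 note uses ``app_cred_id`` RST literals; use the literal form throughout. Finally, "Added validation ... to ensure the metadata labels ... are not altered" does not say what a client sees when it tries, so state the error response the update API now returns, which lets operators recognise rejected update attempts in their API logs.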