Diffstat (limited to 'releasenotes'):
 releasenotes/notes/bug-1872733-2377f456a57ad32c.yaml | 16
 releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml | 31
 releasenotes/notes/bug-1872755-2c81d3267b89f124.yaml | 19
 3 files changed, 66 insertions, 0 deletions
diff --git a/releasenotes/notes/bug-1872733-2377f456a57ad32c.yaml b/releasenotes/notes/bug-1872733-2377f456a57ad32c.yaml
new file mode 100644
index 000000000..656822c2a
--- /dev/null
+++ b/releasenotes/notes/bug-1872733-2377f456a57ad32c.yaml
@@ -0,0 +1,16 @@
+---
+critical:
+ - |
+ [`bug 1872733 <https://bugs.launchpad.net/keystone/+bug/1872733>`_]
+ Fixed a critical security issue in which an authenticated user could
+ escalate their privileges by altering a valid EC2 credential.
+security:
+ - |
+ [`bug 1872733 <https://bugs.launchpad.net/keystone/+bug/1872733>`_]
+ Fixed a critical security issue in which an authenticated user could
+ escalate their privileges by altering a valid EC2 credential.
+fixes:
+ - |
+ [`bug 1872733 <https://bugs.launchpad.net/keystone/+bug/1872733>`_]
+ Fixed a critical security issue in which an authenticated user could
+ escalate their privileges by altering a valid EC2 credential.
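Review bot: the same paragraph is repeated verbatim under `critical:`, `security:` and `fixes:` in this file, so it will be rendered three times in the generated release notes; keep it under `security:` (and `critical:` if a banner is wanted) and drop the copy under `fixes:`. The note also stops at "altering a valid EC2 credential" and never says what the fix changed, unlike the other two notes in this change; one sentence on what is now validated or rejected lets operators judge whether credentials issued before the fix need review.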
diff --git a/releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml b/releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml
new file mode 100644
index 000000000..1aed86301
--- /dev/null
+++ b/releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml
@@ -0,0 +1,31 @@
+---
+critical:
+ - |
+ [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_]
+ Fixed a security issue in which a trustee or an application credential user
+ could create an EC2 credential or an application credential that would
+ permit them to get a token that elevated their role assignments beyond the
+ subset delegated to them in the trust or application credential. A new
+ attribute ``app_cred_id`` is now automatically added to the access blob of
+ an EC2 credential and the role list in the trust or application credential
+ is respected.
+security:
+ - |
+ [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_]
+ Fixed a security issue in which a trustee or an application credential user
+ could create an EC2 credential or an application credential that would
+ permit them to get a token that elevated their role assignments beyond the
+ subset delegated to them in the trust or application credential. A new
+ attribute ``app_cred_id`` is now automatically added to the access blob of
+ an EC2 credential and the role list in the trust or application credential
+ is respected.
+fixes:
+ - |
+ [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_]
+ Fixed a security issue in which a trustee or an application credential user
+ could create an EC2 credential or an application credential that would
+ permit them to get a token that elevated their role assignments beyond the
+ subset delegated to them in the trust or application credential. A new
+ attribute ``app_cred_id`` is now automatically added to the access blob of
+ an EC2 credential and the role list in the trust or application credential
+ is respected.
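Review bot: this note describes a user-visible behaviour change (``app_cred_id`` is now written into the access blob of EC2 credentials) but has no `upgrade:` section; operators will want to know whether EC2 credentials that were created through a trust or application credential before the fix are now limited to the delegated role list or must be recreated. "the role list in the trust or application credential is respected" is vague about where that happens; if the check is applied when a token is issued from the EC2 or application credential, say so. As in the first file, the paragraph is copied into `critical:`, `security:` and `fixes:`; one copy is enough.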
diff --git a/releasenotes/notes/bug-1872755-2c81d3267b89f124.yaml b/releasenotes/notes/bug-1872755-2c81d3267b89f124.yaml
new file mode 100644
index 000000000..a30259ffa
--- /dev/null
+++ b/releasenotes/notes/bug-1872755-2c81d3267b89f124.yaml
@@ -0,0 +1,19 @@
+---
+security:
+ - |
+ [`bug 1872755 <https://bugs.launchpad.net/keystone/+bug/1872755>`_]
+ Added validation to the EC2 credentials update API to ensure the metadata
+ labels 'trust_id' and 'app_cred_id' are not altered by the user. These
+ labels are used by keystone to determine the scope allowed by the
+ credential, and altering these automatic labels could enable an EC2
+ credential holder to elevate their access beyond what is permitted by the
+ application credential or trust that was used to create the EC2 credential.
+fixes:
+ - |
+ [`bug 1872755 <https://bugs.launchpad.net/keystone/+bug/1872755>`_]
+ Added validation to the EC2 credentials update API to ensure the metadata
+ labels 'trust_id' and 'app_cred_id' are not altered by the user. These
+ labels are used by keystone to determine the scope allowed by the
+ credential, and altering these automatic labels could enable an EC2
+ credential holder to elevate their access beyond what is permitted by the
+ application credential or trust that was used to create the EC2 credential.
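Review bot: 'trust_id' and 'app_cred_id' are written with single quotes here while the bug 1872735 note uses RST ``app_cred_id``; use the double-backtick form in both so they render as literals. The two notes also name the same data differently ("metadata labels" here, "attribute ... added to the access blob" in the other note); settle on one term. Only the update API is mentioned; if the create path now also rejects user-supplied values for these labels, state it, otherwise a reader cannot tell whether the validation covers creation as well as update.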