The fix is actually over-restrictive. It's not delegated auth in general that should cause these operations to be denied, but specifically just impersonation. Regardless, the fix is certainly effective at closing the vulnerability.
+1 for master patch in #26
+1 for stable/icehouse patch in #27
+1 for stable/havana patch in #43
I have a few small nits on the request context stuff, but I'll save those for a subsequent patch to master :)