OpenStack Security Advisory

  1. Bug #1992183
  2. Comment #15

Comment 15 for bug 1992183

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/862905
Committed: https://opendev.org/openstack/keystone/commit/8e25d823e4b73e1f3285a4ea64976cc770cb2644
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 8e25d823e4b73e1f3285a4ea64976cc770cb2644
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Thu Oct 13 15:37:53 2022 -0500

    Limit token expiration to application credential expiration

    If a token is issued with an application credential we need to check
    the expiration of the application credential to ensure that the token
    does not outlive the application credential. This ensures that if the
    token expiration is greaten than that of the application credential it
    is reset to the expiration of the application credential and a warning
    is logged. Please see CVE-2022-2447 for more information.

    Closes-Bug: 1992183
    Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
    (cherry picked from commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1)