From cdd88606a91ad68eac67bddcbd3f5654d46d3083 Mon Sep 17 00:00:00 2001 From: Nathan Kinder Date: Wed, 23 Sep 2015 12:24:59 -0700 Subject: [PATCH] Fix formatting errors in OSSN-0053 Some of the section headers in OSSN-0053 don't match the header style from the template. This can cause problems with any tools designed to parse an OSSN. In addition, one of the references needed to be capitalized. Change-Id: Ia12f85d659e685fb217b51dcb4b29f215632835c --- security-notes/OSSN-0053 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/security-notes/OSSN-0053 b/security-notes/OSSN-0053 index e48251cf..b67baf01 100644 --- a/security-notes/OSSN-0053 +++ b/security-notes/OSSN-0053 @@ -9,10 +9,10 @@ With a valid token an attacker will be able to issue new tokens that may be used to create trusts between the originating user and a new user. -#### Affected Services / Software ### +### Affected Services / Software ### Keystone, Grizzly, Havana, Icehouse, Juno, Kilo -#### Discussion ### +### Discussion ### If a service node is compromised, an attacker now has access to every token that passes through that node. By default, a Keystone token can be exchanged for another token, and there is no restriction on scoping @@ -35,7 +35,7 @@ from trusts created through intercepted tokens. This behavior is intrinsic to the bearer token model used within Keystone / OpenStack. -#### Recommended Actions ### +### Recommended Actions ### The following steps are recommended to reduce exposure, based on the granularity and accepted level of risk in a given environment: 
@@ -55,12 +55,12 @@ a single token for the whole workload, and take more than one hour, so installations have increased token lifespans back to the old value of 24 hours - increasing their exposure to this issue. -#### Contacts / References ### +### Contacts / References ### This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0053 Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1455582 OpenStack Security ML : openstack-security@lists.openstack.org OpenStack Security Group : https://launchpad.net/~openstack-ossg Hierarchical Roles : https://review.openstack.org/#/c/125704 Policy by URL : https://review.openstack.org/#/c/192422 -unified policy file : https://review.openstack.org/#/c/134656 +Unified policy file : https://review.openstack.org/#/c/134656 Endpoint_ID from URL : https://review.openstack.org/#/c/199844
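Review bot: The header fixes in the hunks at @@ -9,10, @@ -35,7 and @@ -55,12 are applied by hand, and the first hunk starts at line 9, so any headers in lines 1 to 8 of OSSN-0053 are not covered by what is visible here. Please confirm those already use the three-hash form `### ... ###`. Since the commit message says a mismatched header can break tools that parse an OSSN, consider adding a check to the repository that rejects any section header not matching the template style, so the same drift is caught at review time in other notes as well.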
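Review bot: In the last hunk (@@ -55,12), the new label `Unified policy file` capitalises only its first word, while the neighbouring `Hierarchical Roles` capitalises every word. If the goal is consistent reference labels, consider `Unified Policy File`, which also keeps the colon column unchanged. This capitalisation fix is unrelated to the parser-facing header changes; it is fine to keep in the same commit as the message already calls it out, but a separate change would make the header fix easier to cherry-pick.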