diff options
Diffstat (limited to 'releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml')
-rw-r--r-- | releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml b/releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml new file mode 100644 index 000000000..1aed86301 --- /dev/null +++ b/releasenotes/notes/bug-1872735-0989e51d2248ce1e.yaml @@ -0,0 +1,31 @@ +--- +critical: + - | + [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_] + Fixed a security issue in which a trustee or an application credential user + could create an EC2 credential or an application credential that would + permit them to get a token that elevated their role assignments beyond the + subset delegated to them in the trust or application credential. A new + attribute ``app_cred_id`` is now automatically added to the access blob of + an EC2 credential and the role list in the trust or application credential + is respected. +security: + - | + [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_] + Fixed a security issue in which a trustee or an application credential user + could create an EC2 credential or an application credential that would + permit them to get a token that elevated their role assignments beyond the + subset delegated to them in the trust or application credential. A new + attribute ``app_cred_id`` is now automatically added to the access blob of + an EC2 credential and the role list in the trust or application credential + is respected. +fixes: + - | + [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_] + Fixed a security issue in which a trustee or an application credential user + could create an EC2 credential or an application credential that would + permit them to get a token that elevated their role assignments beyond the + subset delegated to them in the trust or application credential. A new + attribute ``app_cred_id`` is now automatically added to the access blob of + an EC2 credential and the role list in the trust or application credential + is respected. |