Thursday, 2026-01-15

02:52 *** mhen_ is now known as mhen
14:50 *** croeland1 is now known as croelandt
15:03 <opendevreview> Jeremy Stanley proposed openstack/keystonemiddleware master: Fix privilege escalation via spoofed identity headers  https://review.opendev.org/c/openstack/keystonemiddleware/+/973494
15:04 <opendevreview> Jeremy Stanley proposed openstack/keystonemiddleware stable/2025.2: Fix privilege escalation via spoofed identity headers  https://review.opendev.org/c/openstack/keystonemiddleware/+/973495
15:05 <opendevreview> Jeremy Stanley proposed openstack/keystonemiddleware stable/2025.1: Fix privilege escalation via spoofed identity headers  https://review.opendev.org/c/openstack/keystonemiddleware/+/973496
15:06 <opendevreview> Jeremy Stanley proposed openstack/keystonemiddleware stable/2024.2: Fix privilege escalation via spoofed identity headers  https://review.opendev.org/c/openstack/keystonemiddleware/+/973497
15:34 <zigo> xek: Hi there! Do you know where in keystonemiddleware this should be patched in versions prior to Caracal, as keystonemiddleware/external_oauth2_token.py doesn't exist there?
15:35 <gtema> most likely this didn't exist before
15:35 <gtema> but lemme check
15:36 <gtema> neah, it was just added 3 years ago
15:36 <zigo> So only Caracal and up are affected?
15:37 <zigo> fungi: You may want to write this in your advisory, rather than saying >= 10.0, that would be >= 10.5 or 10.6 (bobcat is 10.4).
15:39 * zigo got to go
15:42 <fungi> thanks! i wouldn't normally have included a lower-bound, but xek explicitly stated "The external_oauth2_token middleware was introduced in keystonemiddleware 10.0.0." in https://bugs.launchpad.net/keystonemiddleware/+bug/2129018 (comment #11) and no other keystone folks disagreed
15:42 <gtema> the api has been added in 2023.1 https://docs.openstack.org/releasenotes/keystone/2023.1.html#relnotes-23-0-0-unmaintained-2023-1-new-features, the middleware RN hints it has been added in 10.1.0
15:43 <gtema> so it is still something like 10.0
15:43 <gtema> and it falls into the 2023.1
15:45 <fungi> keystonemiddleware 10.0.0 and 10.1.0 were both tagged in the zed cycle according to https://releases.openstack.org/teams/keystone.html#zed
15:47 <fungi> 10.2.0 was the earliest keystonemiddleware tag in 2023.1
15:47 <gtema> ok, then the RN for keystonemiddleware is a bit broken - it lists this under zed AND 2023.1
15:47 <gtema> I stopped on the first match
15:49 <gtema> I see now the API (that exposes this functionality) has been added in keystone 22.0 (zed) - https://docs.openstack.org/releasenotes/keystone/zed.html#relnotes-22-0-0-unmaintained-zed
15:54 <gtema> but now that it was asked: I see the initial implementation was included according to gerrit starting with 10.5.0 and is earliest in unmaintained/2024.1 branch
15:55 <gtema> (https://review.opendev.org/c/openstack/keystonemiddleware/+/868734)
16:11 <fungi> so if we adjust the advisory, 10.5.0 is the actual earliest affected version of ksm?
16:12 <gtema> seems to be, yes
16:14 <fungi> thanks for digging into that!
16:14 <gtema> wlcm
16:17 <fungi> i'll work up an errata correction to that later today, and batch it up with any other corrections anyone identifies
16:19 <gtema> I have identified how to "disable" the functionality if someone wants a quick workaround. You need to forcibly empty the value in the keystone config (`[oauth2].oauth2_authn_methods = ''`)
16:20 <gtema> I have not tested it though - it is just a code based analysis. And we are talking about the keystone config
16:33 *** gmaan is now known as gmaan_afk
17:31 <opendevreview> Artem Goncharov proposed openstack/keystonemiddleware master: Fix privilege escalation via spoofed identity headers  https://review.opendev.org/c/openstack/keystonemiddleware/+/973494
17:32 <opendevreview> Artem Goncharov proposed openstack/keystonemiddleware stable/2024.2: Fix privilege escalation via spoofed identity headers  https://review.opendev.org/c/openstack/keystonemiddleware/+/973497
17:33 <opendevreview> Artem Goncharov proposed openstack/keystonemiddleware stable/2025.1: Fix privilege escalation via spoofed identity headers  https://review.opendev.org/c/openstack/keystonemiddleware/+/973496
17:34 <opendevreview> Artem Goncharov proposed openstack/keystonemiddleware stable/2025.2: Fix privilege escalation via spoofed identity headers  https://review.opendev.org/c/openstack/keystonemiddleware/+/973495
17:37 <fungi> thanks for taking care of that, i saw it was failing on a line long enough to anger flake8
17:38 <gtema> yeah, I am glad there are no functional test failures - this is something we can never be sure of in advance
17:46 *** gmaan_afk is now known as gmaan
19:01 <opendevreview> Douglas Mendizábal proposed openstack/keystone master: Update hard-coded policy for GET /v3/limits  https://review.opendev.org/c/openstack/keystone/+/973163
19:41 <fungi> zuul came back +1 on all the ossa-2026-001 changes after gtema revised them. would be good to expedite keystone-core approval since they were already pre-reviewed as bug attachments while under embargo
21:19 <zigo> fungi: FYI, that's my understanding digging for the issue too. This commit introduces the patched file: https://review.opendev.org/c/openstack/keystonemiddleware/+/868734 which got part of 10.5.0, however, 10.5.0 was "master" during the Caracal cycle, i.e. when Caracal was released, keystonemiddleware was already released as 10.6.0.
21:19 <zigo> That's unless the security issue is also in some other files than keystonemiddleware/external_oauth2_token.py ...
21:22 <fungi> zigo: it's entirely possible that xek was mistaken or mistyped the version in the bug report, i guess it would be good to give him a chance to confirm
21:22 <zigo> I'd love to have it confirmed too.
21:22 <zigo> As I wrote earlier: I don't understand how that works.
