oss-sec mailing list archives

CVE request for vulnerability in OpenStack Keystone


From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Tue, 05 Aug 2014 11:05:09 -0400

Three vulnerabilities were discovered in OpenStack (see below). In order
to ensure full traceability, we need CVE number(s) assigned that we can
attach to further notifications. These issues are already public,
although an advisory was not sent yet.

Title: Multiple vulnerabilities in Keystone revocation events
Reporter: Lance Bragstad (Rackspace) and Brant Knudson (IBM)
Products: Keystone
Versions: 2014.1 versions up to 2014.1.1

Description:
Lance Bragstad from Rackspace and Brant Knudson from IBM reported 3
vulnerabilities in Keystone revocation events. Lance Bragstad discovered
that UUID v2 tokens processed by the V3 API are incorrectly updated and
get their "issued_at" time regenerated. Brant Knudson discovered that
the MySQL token driver stores expiration dates incorrectly which
prevents manual revocation and that domain-scoped tokens don't get
revoked when the domain is disabled. Tokens impacted by one of these
bugs may allow a user to evade token revocation. Only Keystone setups
configured to use revocation events are affected.

References:
https://launchpad.net/bugs/1347961
https://launchpad.net/bugs/1348820
https://launchpad.net/bugs/1349597

Thanks in advance,

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team
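To make the evasion path concrete, here is an added, simplified model of how revocation events match tokens (this is illustrative code written for this archive page, not Keystone's implementation); the `Token`, `RevocationEvent`, `is_revoked` and `disable_domain` names and the timestamps are assumptions. It shows why a regenerated "issued_at" lets a token slip past a revoke-by-user event, and why a domain disable that emits no event leaves domain-scoped tokens valid.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Optional

# Simplified revocation-event model (assumed, not Keystone's code):
# an event revokes every matching token whose issued_at is before issued_before.

@dataclass(frozen=True)
class Token:
    user_id: str
    domain_id: Optional[str]        # set for domain-scoped tokens
    issued_at: datetime
    expires_at: datetime

@dataclass(frozen=True)
class RevocationEvent:
    issued_before: datetime
    user_id: Optional[str] = None   # revoke all of one user's tokens
    domain_id: Optional[str] = None # revoke all tokens scoped to one domain

def is_revoked(token: Token, events: List[RevocationEvent]) -> bool:
    for ev in events:
        if ev.user_id is not None and ev.user_id != token.user_id:
            continue
        if ev.domain_id is not None and ev.domain_id != token.domain_id:
            continue
        if token.issued_at < ev.issued_before:   # the only time check that matters
            return True
    return False

T0 = datetime(2014, 8, 5, 15, 0, 0)   # constructed sample timestamp
TOKEN = Token("alice", "dom1", issued_at=T0, expires_at=T0 + timedelta(hours=1))

def issued_at_regeneration_evades_revocation():
    """Bug 1 in the report: a v2 token re-processed by the v3 API gets a fresh
    issued_at. Returns (original revoked?, re-issued copy revoked?)."""
    revoke_user = RevocationEvent(issued_before=T0 + timedelta(minutes=5), user_id="alice")
    reissued = replace(TOKEN, issued_at=T0 + timedelta(minutes=10))  # regenerated time
    return is_revoked(TOKEN, [revoke_user]), is_revoked(reissued, [revoke_user])

def disable_domain(domain_id: str, events: List[RevocationEvent], emit_event: bool, now: datetime):
    """Disabling a domain must emit a domain-scoped revocation event (assumed flow)."""
    if emit_event:
        events.append(RevocationEvent(issued_before=now, domain_id=domain_id))

def domain_disable_revokes_token(emit_event: bool) -> bool:
    """Bug 3 in the report: without the event, domain-scoped tokens stay valid."""
    events: List[RevocationEvent] = []
    disable_domain("dom1", events, emit_event, now=T0 + timedelta(minutes=5))
    return is_revoked(TOKEN, events)
```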
