Comment 3 for bug 1050025

Dolph Mathews (dolph) wrote : Re: Potential problem with fix for "Revoking a role does not affect existing tokens (CVE-2012-4413)"

I'm not quite sure what Soren means by "everyone's tokens," but I can confirm that all tokens for the specific user are revoked -- revocation is **not** limited to the specific tenant. While not 100% desirable, I don't see how it's a security vulnerability?

I would definitely prefer to limit token revocation to the specific tenant, however.