Security release for confidant v1.0 (current stable release)


Ryan Lane

Jun 17, 2016, 7:59:09 PM
to confidant-users, confidant...@googlegroups.com
Through internal review and testing, Lyft discovered a security vulnerability in version 1.0 (current stable release) of confidant that affects the expiration checking of KMS authentication tokens. This vulnerability does not affect version 1.1, which had refactored this portion of the code.

The expiration checking of KMS authentication tokens was improperly checking the not_after portion of the token, causing tokens to never expire. If a token was exfiltrated from a host, the token would be valid indefinitely. After applying the fix, tokens will be correctly validated and any old tokens will fail authentication.


To upgrade using docker:

docker pull lyft/confidant
<restart confidant container>

To upgrade using pip:

source venv/activate
pip install -U -r requirements.txt
<restart confidant service>

If the upgrade instructions aren't working for you, you can either manually apply the patch, or you can go back through the installation instructions again.

If you have any questions, feel free to reach out to me directly on IRC (Ryan_Lane in #confidant on Freenode), or email me directly.

- Ryan Lane
Security Engineer
Lyft
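As an added illustration of the check the advisory describes (this is example code, not confidant's own implementation): a token validator that rejects anything outside its not_before/not_after window, so a token exfiltrated from a host stops working once it expires. It assumes the decrypted token payload is JSON with timestamps in the form YYYYMMDDTHHMMSSZ (UTC); the skew and maximum-lifetime values are an assumed policy, not values from the advisory.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_TIME_FORMAT = "%Y%m%dT%H%M%SZ"   # assumed payload timestamp format
MAX_SKEW = timedelta(minutes=5)        # assumed tolerance for clock drift
MAX_LIFETIME = timedelta(hours=6)      # assumed cap on a token's validity window


def parse_token_time(value: str) -> datetime:
    """Parse a token timestamp as timezone-aware UTC; raises ValueError if malformed."""
    return datetime.strptime(value, TOKEN_TIME_FORMAT).replace(tzinfo=timezone.utc)


def token_is_valid(payload_json: str, now: Optional[datetime] = None) -> bool:
    """True only if `now` lies inside [not_before, not_after], allowing MAX_SKEW.

    Both bounds are checked explicitly and every failure path returns False,
    so a stale token can never pass simply because a comparison was skipped.
    """
    now = now or datetime.now(timezone.utc)
    try:
        payload = json.loads(payload_json)
        not_before = parse_token_time(payload["not_before"])
        not_after = parse_token_time(payload["not_after"])
    except (ValueError, KeyError, TypeError):
        return False                    # malformed or missing bounds: fail closed
    if not_after <= not_before:
        return False                    # inverted window
    if not_after - not_before > MAX_LIFETIME:
        return False                    # window longer than policy allows
    if now + MAX_SKEW < not_before:
        return False                    # not yet valid
    if now - MAX_SKEW > not_after:
        return False                    # expired: the case the 1.0 check missed
    return True


def demo() -> dict:
    """Constructed sample: a fresh token and one minted a month earlier."""
    now = parse_token_time("20160617T200000Z")
    fresh = json.dumps({"not_before": "20160617T195000Z", "not_after": "20160617T205000Z"})
    stale = json.dumps({"not_before": "20160517T195000Z", "not_after": "20160517T205000Z"})
    return {"fresh": token_is_valid(fresh, now), "stale": token_is_valid(stale, now)}


if __name__ == "__main__":
    print(demo())
```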