Your message dated Tue, 04 Nov 2025 16:48:59 +0000
with message-id <[email protected]>
and subject line Bug#1120059: fixed in heat 1:25.0.0-2
has caused the Debian Bug report #1120059,
regarding not compatible with patch for: Unauthenticated access to EC2/S3 token
endpoints can grant Keystone authorization
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1120059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120059
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: heat
Version: 1:24.0.0-2
Severity: important
Tags: patch
As per bug #1120053:
* OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
a presigned S3 URL), an unauthenticated attacker may obtain Keystone
authorization (ec2tokens can yield a fully scoped token; s3tokens can
reveal scope accepted by some services), resulting in unauthorized access
and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
are reachable by unauthenticated clients (e.g., exposed on a public API)
are affected.
The heat part that is using the S3 API needs to be modified to accept the fix
for Keystone, otherwise S3 authentication will stop working.
--- End Message ---
--- Begin Message ---
Source: heat
Source-Version: 1:25.0.0-2
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
heat, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated heat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 04 Nov 2025 10:40:04 +0100
Source: heat
Architecture: source
Version: 1:25.0.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1120059
Changes:
heat (1:25.0.0-2) unstable; urgency=high
.
* OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
a presigned S3 URL), an unauthenticated attacker may obtain Keystone
authorization (ec2tokens can yield a fully scoped token; s3tokens can
reveal scope accepted by some services), resulting in unauthorized access
and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
are reachable by unauthenticated clients (e.g., exposed on a public API)
are affected.
The heat part that is using the S3 API needs to be modified to accept the
fix for Keystone, otherwise S3 authentication will stop working.
Applied upstream patch (Closes: #1120059):
Keystone_requires_authentication_when_using_the__v3_ec3token_endpoint.patch
--- End Message ---