Your message dated Thu, 7 May 2026 13:40:35 +0200
with message-id <[email protected]>
and subject line Closing, follow-up on #1135936
has caused the Debian Bug report #1133720,
regarding trixie-pu: package keystone/2:27.0.0-3+deb13u1 (CVE-2026-33551 / https://bugs.debian.org/1133118)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1133720: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133720
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:keystone
User: [email protected]
Usertags: pu
Hi,
As commented last time, filing one bug for Trixie p-u, and one
for Bookworm p-u.
[ Reason ]
As per: https://bugs.launchpad.net/swift/+bug/2142138
with an app credential (that's supposed to be a restricted access
to part of the OpenStack API, to be used by an app/script), it is
currently possible to create a valid read/write access S3 token.
[ Tests ]
The usual unit tests when building the package, plus upstream CI.
[ Risks ]
The patch is very small, and only adds new API policy rules, so
kind of easy to understand.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Please allow me to upload Keystone 27.0.0-3+deb13u2 to Trixie p-u.
Cheers,
Thomas Goirand (zigo)
diff -Nru keystone-27.0.0/debian/changelog keystone-27.0.0/debian/changelog
--- keystone-27.0.0/debian/changelog 2025-10-30 09:26:19.000000000 +0100
+++ keystone-27.0.0/debian/changelog 2026-04-10 13:49:40.000000000 +0200
@@ -1,3 +1,11 @@
+keystone (2:27.0.0-3+deb13u2) trixie-security; urgency=medium
+
+ * CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
+ create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
+ credential creation and deletion" (Closes: #1133118).
+
+ -- Thomas Goirand <[email protected]> Fri, 10 Apr 2026 13:49:40 +0200
+
keystone (2:27.0.0-3+deb13u1) trixie-security; urgency=high
* OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
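Review bot: the new changelog stanza targets `trixie-security`, but this upload is requested for Trixie p-u (stable-proposed-updates), not the security archive, so the distribution should be `trixie`; suggest `keystone (2:27.0.0-3+deb13u2) trixie; urgency=medium`. The version string itself (`+deb13u2`) matches the request in the bug body.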
diff -Nru
keystone-27.0.0/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
keystone-27.0.0/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
---
keystone-27.0.0/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
1970-01-01 01:00:00.000000000 +0100
+++
keystone-27.0.0/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
2026-04-10 13:49:40.000000000 +0200
@@ -0,0 +1,70 @@
+Author: Grzegorz Grasza <[email protected]>
+Date: Thu, 26 Feb 2026 10:09:18 +0100
+Description: Prevent unauthorized EC2 credential creation and deletion
+ A restricted application credential could be used to create EC2
+ credentials granting full user access to S3, bypassing the role
+ restriction. Add the same _check_unrestricted_application_credential
+ guard that already protects application credential create/delete
+ endpoints.
+ .
+ Additionally, tighten the ec2_create_credential and ec2_delete_credential
+ policies to require at least member role, as these are write operations
+ that should not be accessible to reader-role users regardless of whether
+ they are using an application credential.
+Change-Id: Ib6904ec9f1bc069a9f607d39814b1d2633c17f53
+Bug: https://launchpad.net/bugs/2142138
+Signed-off-by: Grzegorz Grasza <[email protected]>
+Bug-Debian: https://bugs.debian.org/1133118
+Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/983589
+Last-Update: 2026-04-10
+
+diff --git a/keystone/api/users.py b/keystone/api/users.py
+index b3ec13f..f614f1c 100644
+--- a/keystone/api/users.py
++++ b/keystone/api/users.py
+@@ -425,6 +425,8 @@
+ ENFORCER.enforce_call(
+ action='identity:ec2_create_credential', target_attr=target
+ )
++ token = self.auth_context['token']
++ _check_unrestricted_application_credential(token)
+ PROVIDERS.identity_api.get_user(user_id)
+ tenant_id = self.request_body_json.get('tenant_id')
+ PROVIDERS.resource_api.get_project(tenant_id)
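Review bot: the patch description says the `_check_unrestricted_application_credential` guard is added for EC2 credential creation and deletion, yet this is the only hunk against `keystone/api/users.py` and it covers just the `ec2_create_credential` path; deletion is left to the `role:member` policy tightening in `ec2_credential.py`. Either apply the same two lines (`token = self.auth_context['token']` / `_check_unrestricted_application_credential(token)`) in the delete handler, or reword the description to state that deletion is protected by the policy change only.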
+diff --git a/keystone/common/policies/base.py
b/keystone/common/policies/base.py
+index 97970e4..5c807f1 100644
+--- a/keystone/common/policies/base.py
++++ b/keystone/common/policies/base.py
+@@ -62,6 +62,10 @@
+ ADMIN_OR_CRED_OWNER = (
+ '(' + RULE_ADMIN_REQUIRED + ') ' 'or
user_id:%(target.credential.user_id)s'
+ )
++ADMIN_OR_MEMBER_AND_CRED_OWNER = (
++ '(' + RULE_ADMIN_REQUIRED + ') or '
++ '(role:member and user_id:%(target.credential.user_id)s)'
++)
+
+ # This rule template is meant for restricting role assignments done by domain
+ # managers. It is intended to restrict the roles a domain manager can assign
or
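Review bot: `ADMIN_OR_MEMBER_AND_CRED_OWNER` hard-codes the literal role name `member`, so deployments whose EC2-credential-using accounts hold only `reader` or a custom role will now have create/delete denied; for a stable update that behaviour change deserves a sentence in the patch description or a `debian/NEWS` entry. Keeping the existing `ADMIN_OR_CRED_OWNER` definition alongside it is fine as long as other policies still reference it.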
+diff --git a/keystone/common/policies/ec2_credential.py
b/keystone/common/policies/ec2_credential.py
+index ab4b3db..efca8c4 100644
+--- a/keystone/common/policies/ec2_credential.py
++++ b/keystone/common/policies/ec2_credential.py
+@@ -73,7 +73,7 @@
+ ),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'ec2_create_credential',
+- check_str=base.RULE_ADMIN_OR_OWNER,
++ check_str=base.ADMIN_OR_MEMBER_AND_CRED_OWNER,
+ scope_types=['system', 'project'],
+ description='Create ec2 credential.',
+ operations=[
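Review bot: the create rule moves from `base.RULE_ADMIN_OR_OWNER` to a rule keyed on `%(target.credential.user_id)s`, an attribute the delete rule already used but the create rule did not. The owner branch for create therefore only passes if the `target` dict handed to `ENFORCER.enforce_call(action='identity:ec2_create_credential', target_attr=target)` in `users.py` carries `credential.user_id`; if it does not, non-admin owners are denied (fails closed). Please confirm the target built on the create path populates that key, or keep the previous owner attribute for create.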
+@@ -86,7 +86,7 @@
+ ),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'ec2_delete_credential',
+- check_str=base.ADMIN_OR_CRED_OWNER,
++ check_str=base.ADMIN_OR_MEMBER_AND_CRED_OWNER,
+ scope_types=['system', 'project'],
+ description='Delete ec2 credential.',
+ operations=[
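Review bot: both rules change only `check_str`, with no `deprecated_rule`/`deprecated_reason` attached, so operators who override `identity:ec2_create_credential` or `identity:ec2_delete_credential` in a custom `policy.yaml` keep their looser rule and receive no warning that the default was tightened; the changelog should tell them to review overrides for these two rules.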
diff -Nru keystone-27.0.0/debian/patches/series
keystone-27.0.0/debian/patches/series
--- keystone-27.0.0/debian/patches/series 2025-10-30 09:26:19.000000000
+0100
+++ keystone-27.0.0/debian/patches/series 2026-04-10 13:49:40.000000000
+0200
@@ -3,3 +3,4 @@
set-deprecation-warnings-to-ignore.patch
api_Remove_constraints_on_user_IDs.patch
keystone-bug-2119646-stable-2025.1.patch
+CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
--- End Message ---
--- Begin Message ---
Hi,
I've opened a new bug at: #1135936
Reason: this now includes another CVE fix.
Cheers,
Thomas Goirand (zigo)
--- End Message ---