Your message dated Fri, 22 May 2026 22:33:29 +0000
with message-id <[email protected]>
and subject line Bug#1133884: fixed in keystone 2:22.0.2-0+deb12u2
has caused the Debian Bug report #1133884,
regarding OSSA-2026-007: LDAP identity backend does not convert enabled attribute to boolean (CVE-2026-40683)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1133884: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133884
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: keystone
Version: 2:27.0.0-3+deb13u1
Severity: important
Tags: patch

Copying upstream announce.

==================================================================================
OSSA-2026-007: LDAP identity backend does not convert enabled attribute to boolean
==================================================================================

:Date: April 14, 2026
:CVE: CVE-2026-pending


Affects
~~~~~~~
- Keystone: >=8.0.0 <25.0.1, >=26.0.0 <26.1.1, >=27.0.0 <27.0.1, >=28.0.0 <28.0.1


Description
~~~~~~~~~~~
Benedikt Trefzer and Andrew Bogott independently reported a vulnerability in 
the Keystone LDAP identity backend. When the user_enabled_invert configuration 
option was False (the default), Keystone did not correctly interpret the LDAP 
enabled attribute, causing users disabled in LDAP to be treated as enabled and 
allowed to authenticate. Deployments using the LDAP identity backend without 
user_enabled_invert=True or user_enabled_emulation are affected.



Patches
~~~~~~~
- https://review.opendev.org/982409 (2024.2/dalmatian)
- https://review.opendev.org/982408 (2025.1/epoxy)
- https://review.opendev.org/982407 (2025.2/flamingo)
- https://review.opendev.org/958205 (2026.1/gazpacho)


Credits
~~~~~~~
- Benedikt Trefzer from Cirrax GmbH (CVE-2026-pending)
- Andrew Bogott from Wikimedia Foundation (CVE-2026-pending)
- Grzegorz Grasza from Red Hat (CVE-2026-pending)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2121152
- https://launchpad.net/bugs/2141713


Notes
~~~~~
- To work around this vulnerability, set user_enabled_invert=True and
  use an LDAP attribute with inverted semantics such as nsAccountLock,
  or use user_enabled_emulation with group-based enabled status.
- A CVE request was filed with MITRE on 2026-04-10.
- The fix was merged on the master branch before the stable/2026.1
  branch was cut, so no specific stable/2026.1 patch exists. The fix is
  included in the gazpacho (29.0.0) release.


--
Goutham Pacha Ravi (gouthamr)
OpenStack Vulnerability Management Team

--- End Message ---
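The advisory above describes the defect in one sentence: the LDAP `enabled` attribute was not converted to a boolean, so with `user_enabled_invert=False` a disabled LDAP user was treated as enabled. LDAP returns attribute values as strings (RFC 4517 Boolean syntax is the literal `TRUE` or `FALSE`), and a non-empty string such as `"FALSE"` is truthy in Python. The following is an added example, not Keystone's code and not part of the advisory: it models the flawed interpretation next to a correct conversion, the two workarounds from the Notes (`user_enabled_invert` with a lock-style attribute, and `user_enabled_emulation`), and a check over a `keystone.conf` for the at-risk combination. The `[identity]`/`[ldap]` option names are Keystone's real ones; the function names, the absent-attribute `default`, the lowercase DN comparison and the sample configuration fragments are constructed for this example.

```python
"""Model of OSSA-2026-007 / CVE-2026-40683 and a keystone.conf check.

Added example, not Keystone's own code. LDAP attribute values arrive as
strings (or bytes), never as Python booleans; the option names used here
([identity] driver, [ldap] user_enabled_attribute / user_enabled_invert /
user_enabled_emulation) are Keystone's, everything else is constructed.
"""
import configparser
from typing import Optional, Sequence, Union

LdapValue = Union[str, bytes]


def enabled_flawed(values: Sequence[LdapValue], invert: bool = False,
                   default: bool = True) -> bool:
    """Models the flaw: the raw attribute value is used as a boolean.

    Any non-empty string, "FALSE" included, is truthy, so with invert=False a
    disabled user comes out enabled. With invert=True the result is
    "not <non-empty string>", i.e. disabled whenever the attribute is present,
    which is the right answer for lock-style attributes such as nsAccountLock
    and is why the advisory's first workaround is effective.
    """
    if not values:
        return default
    enabled = bool(values[0])
    return not enabled if invert else enabled


def ldap_bool(value: LdapValue) -> bool:
    """Convert one LDAP attribute value to bool explicitly.

    Accepts the RFC 4517 Boolean literals and the 0/1 form some schemas use;
    anything else is rejected instead of being silently treated as enabled.
    """
    text = value.decode("utf-8") if isinstance(value, bytes) else value
    text = text.strip().upper()
    if text in ("TRUE", "1"):
        return True
    if text in ("FALSE", "0"):
        return False
    raise ValueError(f"not an LDAP boolean: {value!r}")


def enabled_fixed(values: Sequence[LdapValue], invert: bool = False,
                  default: bool = True) -> bool:
    """Correct interpretation: convert first, then apply user_enabled_invert.

    `default` is the enabled state used when the attribute is absent (this
    example's choice; Keystone has its own option for that case).
    """
    if not values:
        return default
    enabled = ldap_bool(values[0])
    return not enabled if invert else enabled


def enabled_emulated(user_dn: str, enabled_group_members: Sequence[str]) -> bool:
    """user_enabled_emulation: enabled iff the user's DN is in the enabled group.

    Case-insensitive comparison is a simplification of LDAP DN matching rules.
    """
    return user_dn.lower() in {m.lower() for m in enabled_group_members}


def ldap_enabled_handling_at_risk(conf_text: str) -> Optional[str]:
    """Return a reason when keystone.conf relies on the flawed path, else None.

    Only the main [identity]/[ldap] sections are inspected; domain-specific
    configuration files, if used, need the same check applied to them.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if cp.get("identity", "driver", fallback="sql") != "ldap":
        return None
    if cp.getboolean("ldap", "user_enabled_emulation", fallback=False):
        return None
    if cp.getboolean("ldap", "user_enabled_invert", fallback=False):
        return None
    attr = cp.get("ldap", "user_enabled_attribute", fallback="enabled")
    return (f"LDAP identity backend reads '{attr}' directly with "
            "user_enabled_invert=False and no user_enabled_emulation")


# Constructed sample fragments, not taken from any real deployment.
VULNERABLE_CONF = """[identity]
driver = ldap

[ldap]
url = ldap://ldap.example.internal
user_enabled_attribute = enabled
"""

WORKAROUND_CONF = """[identity]
driver = ldap

[ldap]
url = ldap://ldap.example.internal
user_enabled_attribute = nsAccountLock
user_enabled_invert = True
"""

if __name__ == "__main__":
    for vals in (["TRUE"], ["FALSE"], []):
        print(vals, "flawed:", enabled_flawed(vals), "fixed:", enabled_fixed(vals))
    print(ldap_enabled_handling_at_risk(VULNERABLE_CONF))
    print(ldap_enabled_handling_at_risk(WORKAROUND_CONF))
```

The check returns a reason only for the combination the advisory names as affected (LDAP driver, inversion off, no emulation); upgrading to a fixed package is the actual remediation, and the workaround configuration is what the second sample shows.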
--- Begin Message ---
Source: keystone
Source-Version: 2:22.0.2-0+deb12u2
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 11:10:59 +0200
Source: keystone
Architecture: source
Version: 2:22.0.2-0+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1133118 1133884
Changes:
 keystone (2:22.0.2-0+deb12u2) bookworm; urgency=medium
 .
   * CVE-2026-40683 / OSSA-2026-007: LDAP identity backend does not convert
     enabled attribute to boolean. When the user_enabled_invert configuration
     option was False (the default), Keystone did not correctly interpret the
     LDAP enabled attribute, causing users disabled in LDAP to be treated as
     enabled and allowed to authenticate. Deployments using the LDAP identity
     backend without user_enabled_invert=True or user_enabled_emulation are
     affected. Applied upstream patch:
     - OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
     (Closes: #1133884).
   * CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
     create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
     credential creation and deletion" (Closes: #1133118).
Checksums-Sha1:
 1c798ca017c1ee38fefed2f982e2a1bd37e4c491 3565 keystone_22.0.2-0+deb12u2.dsc
 0082bb40f85f63bd5bf7d67aa7d0089a229090a3 1055220 keystone_22.0.2.orig.tar.xz
 83c5402d17c3ce8dbed715c7c3aaec1cf609709d 56164 keystone_22.0.2-0+deb12u2.debian.tar.xz
 8eae4333f11a57a333d0e5fd06ca86a21a68e4e5 18263 keystone_22.0.2-0+deb12u2_amd64.buildinfo
Checksums-Sha256:
 4d6459de73736f0a67423e7c1d9b8ed103b69dffc409fba418cecb8204458cca 3565 keystone_22.0.2-0+deb12u2.dsc
 a30c128c86b0d53be1998fb9babd49956d74fd9130ff198dddd9f24c01b0c22f 1055220 keystone_22.0.2.orig.tar.xz
 67429da1f1d5fde7c4ecd1fa988200bd9212e8ccf041db5d8d40bcdf70c7fa13 56164 keystone_22.0.2-0+deb12u2.debian.tar.xz
 3d1a3dba21506bba13f0ffd8459fd0f5e6bf52ec90e649cc232528f32303abf3 18263 keystone_22.0.2-0+deb12u2_amd64.buildinfo
Files:
 2cfd8d5afa9af8ddbb4ef53d7d41bc65 3565 net optional keystone_22.0.2-0+deb12u2.dsc
 60a14722d5ffdf9c7893a4568f3e25a9 1055220 net optional keystone_22.0.2.orig.tar.xz
 d1fe72b921519ff09216c7b492c40cba 56164 net optional keystone_22.0.2-0+deb12u2.debian.tar.xz
 192503c46fe115cb78ddc57fe14391ee 18263 net optional keystone_22.0.2-0+deb12u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
