-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 22 May 2026 00:10:54 +0200
Source: keystone
Architecture: source
Version: 2:29.0.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1135645
Changes:
 keystone (2:29.0.1-2) unstable; urgency=medium
 .
   * Multiple vulnerabilities in Keystone's delegated authentication allow an
     authenticated user to escalate privileges to cloud admin. The most severe
     (CVE-2026-42999) requires only a valid token:
     - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
       request body, bypassing authorization on any policy-protected endpoint.
       Allows reading all credential secrets, creating credentials for arbitrary
       users, and granting admin across domains. (LP#2148398, reported by Boris
       Bobrov, SAP SE).
     - CVE-2026-42998: Application credential authentication does not verify the
       caller owns the credential, allowing user impersonation within a shared
       project. (LP#2148477, reported by Boris Bobrov, SAP SE).
     - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
       with trusts to escalate from member to admin. The resulting trust
       persists independently of the original credential. (LP#2148477, reported
       by Boris Bobrov, SAP SE).
     - CVE-2026-43001: Application credentials scoped to one project can create
       EC2 credentials for a different project. A fix for the creation-time
       path is already merged; this patch extends the check to the auth-time
       path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
     - CVE-2026-44394: Federated users can maintain access indefinitely by
       repeatedly rescoping tokens before expiry. Each rescope issues a fresh
       full-TTL token instead of inheriting the original expiry. Only
       SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
       Institute of Computing Technology, Chinese Academy of Sciences).
     .
     The patch also addresses three related issues found during investigation:
     trust-scoped tokens accessing credentials outside the delegated project
     (LP#2149789), trust-scoped tokens creating persistent application
     credentials for impersonated users (LP#2150089), and a latent query-string
     parameter injection in policy enforcement and lack of scope boundary
     enforcement in the delegated token logic (LP#2150089). These were reported
     by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
     .
     Applied the proposed upstream patches:
     - 0001-Add-tests-for-restricted-app-cred-guard.patch
     - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
     - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
     - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
     - CVE-2026-43001-keystone-backport-stable-2025.1.patch
     .
     Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
     trust policy structure. If this policy is customized by the provider,
     failure to update it may result in issues with image upload, heat service
     functionality and potentially more.
   * Note that all the above CVEs are combined into this one: CVE-2026-43001.
     (Closes: #1135645).
Checksums-Sha1:
 f35d68711d95ab79730ebaba34abe13a17931a97 3458 keystone_29.0.1-2.dsc
 e565c53929e235c643dc3f5fcd6db34dd7f6e78d 67656 keystone_29.0.1-2.debian.tar.xz
 de31f82dec1070c5e43e4bcd3de65c5f7d017c1e 17424 keystone_29.0.1-2_amd64.buildinfo
Checksums-Sha256:
 1aeafd6ba36f1f358301a6e53acd5b3cbca6fe906dc5a0db919cdc9e0c5a67ec 3458 keystone_29.0.1-2.dsc
 1f4cebf6b41bc9997c06487803d4701aaea9ad5b5c656d2357772e552fa9c8de 67656 keystone_29.0.1-2.debian.tar.xz
 674e5d9510ef7b238f70ee7dca7ea5e6d4af10a01274f171311b9477e7e8daef 17424 keystone_29.0.1-2_amd64.buildinfo
Files:
 5d5aadb51a3e7464b47d0269be7a800e 3458 net optional keystone_29.0.1-2.dsc
 7b81f15216001620b9de2c6633819459 67656 net optional keystone_29.0.1-2.debian.tar.xz
 9e82cb396f6b6b52b781f8a3945d99a2 17424 net optional keystone_29.0.1-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmoYWqoACgkQ1BatFaxr
Q/4Ayw/9EX+Qr1Ym65MlRQ1ONLiLB1KdUWN9ZbUPpQRqIFfBM3XJl2pxK3epqaBZ
mNr82qu7JPf0SvN1uj9pmmkz771ZhpZqXf2toUAkYS4M7ml6fMD10TnIIwQ7EFQr
YjlA2CFR2XEaJBd1KT/d1fV0IfKciSnsPuvcZSiVz1aR5XtSX1rSivexlXvHI7RS
dKT6gBGF11+8DCQrE4pQinZaK8nBXZSErm5Jw6HxdCH9Vyemsi8EAI7XFnUHZ16E
k1nkProqqtJdWimNtZoohq7TKdBMTe7TTdNWeSVLuMgpUBlm05F2Qy29CM/LNwHw
ooqBCsJB2tk0e+7w1Vn/1VXtYV2+XBtXlBeQ0WrRTFKG0i8/sahaqEi9h7ehBJNe
uVMwobGqss3LYldBR8uYDnp7cWHSTNda4R+RLZvGL5rE8Zm+QFRI2rycGgN8rrTY
Yj/eY/n++gvo5DaaLJ+DvKDCVQ+vjedIOo2Fcp7ZZLx3BDhqT5smwgDiNOLSkHIE
Okd2hJNuiAYnu4N1Tj1zSKPBYCiSFnYwGZkRyDhLDMvVBJJzfYmEM4E0Wp6j2a1d
BvYpPMaADutqrA+54c/HRo7gmAOYMDgsFPfL0RHtJQMsjizQ0XZ07/T+/WC6TmGj
mvXpdf7I6q4rRb4ps7HXN9zyN8sEE2zcH/DWgiJCjsNYUGrIleI=
=B+2R
-----END PGP SIGNATURE-----
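
The first entry above (CVE-2026-42999) describes RBAC policy targets being injected through the JSON request body. The following is an added illustration of that pattern, not Keystone's code and not the actual fix: a hypothetical, minimal oslo.policy-style enforcer with an owner-only rule. All names, the rule, the credential store and the request bodies are constructed for the example; the advisory only states that body-supplied targets bypassed authorization, so the exact shape of the real bug is an assumption.

```python
"""Policy-target injection, as an added example (not Keystone's code).

The owner-only rule compares the caller's user_id with the target's
user_id. If the policy target is built by merging the request body, the
attacker sets user_id to their own id and the check passes; if the target
is derived only from the stored resource, it fails.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Credential:
    id: str
    user_id: str
    project_id: str
    blob: str  # the secret the policy is meant to protect


# Constructed sample store: one credential per user (assumption).
STORE = {
    "cred-alice": Credential("cred-alice", "alice", "proj-a", "alice-secret"),
    "cred-bob": Credential("cred-bob", "bob", "proj-b", "bob-secret"),
}


def owner_only(creds: dict, target: dict) -> bool:
    """Stand-in for a policy rule like 'user_id:%(user_id)s': the caller
    may act only on resources whose user_id matches their own."""
    return creds["user_id"] == target.get("user_id")


def target_from_resource(cred: Credential) -> dict:
    """Policy target derived only from the stored resource."""
    return {"user_id": cred.user_id, "project_id": cred.project_id}


def vulnerable_get_credential(creds: dict, cred_id: str, body: str) -> Optional[str]:
    """Bug: keys from the JSON body are merged into the policy target, so
    attacker-controlled values override those derived from the resource."""
    cred = STORE[cred_id]
    target = target_from_resource(cred)
    if body:
        target.update(json.loads(body))  # attacker-controlled input
    if not owner_only(creds, target):
        return None  # forbidden
    return cred.blob


def hardened_get_credential(creds: dict, cred_id: str, body: str) -> Optional[str]:
    """Fix: the target is computed from the resource alone; nothing from
    the request body reaches the policy check."""
    cred = STORE[cred_id]
    target = target_from_resource(cred)
    if not owner_only(creds, target):
        return None
    return cred.blob


if __name__ == "__main__":
    bob = {"user_id": "bob", "project_id": "proj-b"}
    injected = json.dumps({"user_id": "bob"})  # bob claims to be the owner
    print("vulnerable:", vulnerable_get_credential(bob, "cred-alice", injected))
    print("hardened:  ", hardened_get_credential(bob, "cred-alice", injected))
```

The point to check in your own enforcement code is where the target dictionary comes from: anything the caller can write (body, query string, headers) must not be able to add or overwrite keys that policy rules compare against.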

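The CVE-2026-44394 entry says each rescope issued a fresh full-TTL token instead of inheriting the original expiry. The following added example models that failure mode and the intended behaviour; it is not Keystone's code. TOKEN_TTL, the Token fields, the simulated clock and the rescope interval are assumptions, and the example does not model why only federated (SAML2/OIDC) users were affected.

```python
"""Token rescoping and expiry inheritance, as an added example (not
Keystone's code). A user who rescopes before every expiry keeps access
for as long as they like if the new token's lifetime is measured from
the time of rescoping; capping it at the original token's expiry closes
that loop.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

TOKEN_TTL = timedelta(hours=1)  # assumed provider setting


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: Optional[str]
    issued_at: datetime
    expires_at: datetime
    method: str  # how it was obtained, e.g. "saml2" or "token"


def issue_federated_token(user_id: str, now: datetime) -> Token:
    """Unscoped token from a federated login; gets a full TTL."""
    return Token(user_id, None, now, now + TOKEN_TTL, "saml2")


def rescope_vulnerable(tok: Token, project_id: str, now: datetime) -> Token:
    """Bug: the new expiry is computed from `now`, so every rescope
    resets the clock."""
    if now >= tok.expires_at:
        raise ValueError("token expired")
    return Token(tok.user_id, project_id, now, now + TOKEN_TTL, "token")


def rescope_fixed(tok: Token, project_id: str, now: datetime) -> Token:
    """Fix: a rescoped token never outlives the token it was derived from."""
    if now >= tok.expires_at:
        raise ValueError("token expired")
    expires = min(tok.expires_at, now + TOKEN_TTL)
    return Token(tok.user_id, project_id, now, expires, "token")


def simulate(rescope: Callable[[Token, str, datetime], Token],
             hours: int, step: timedelta = timedelta(minutes=50)) -> timedelta:
    """Rescope every `step` for `hours` hours, starting from one federated
    login; return how long after login the last usable token expires."""
    start = datetime(2026, 5, 22, tzinfo=timezone.utc)  # constructed clock
    tok = issue_federated_token("fed-user", start)
    now, end = start, start + timedelta(hours=hours)
    while now < end:
        now += step
        try:
            tok = rescope(tok, "proj-a", now)
        except ValueError:
            break  # the chain ends here
    return tok.expires_at - start


if __name__ == "__main__":
    print("vulnerable:", simulate(rescope_vulnerable, 24))
    print("fixed:     ", simulate(rescope_fixed, 24))
```

With the vulnerable rescope the chain never ends, so access outlasts the 24 simulated hours; with the fixed one the last usable token still expires one TTL after the original login, whatever the rescope cadence.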