Format: 1.8
Date: Tue, 04 Nov 2025 15:49:58 +0000
Source: keystone
Binary: keystone keystone-doc python3-keystone
Architecture: source all
Version: 2:18.1.0-2~bpo11+1
Distribution: bullseye
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Jenkins <jenkins@bullseye-victoria.infomaniak.ch>
Description:
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python3-keystone - OpenStack identity service - library
Closes: 1120053
Changes:
 keystone (2:18.1.0-2~bpo11+1) UNRELEASED; urgency=medium
 .
   [ Thomas Goirand ]
   * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
     a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected.
     Applied upstream patches (Closes: #1120053):
     - Fix_oslo_policy_DeprecatedRule_warnings.patch
     - Consistent_and_Secure_RBAC_Phase_1.patch
     - Fix_policies_for_groups.patch
     - Allow_admin_to_access_tokens_and_credentials.patch
     - Dont_enforce_when_HTTP_GET_on_s3tokens_and_ec2tokens.patch
     - keystone-bug-2119646-stable-2024.1.patch (backported by me)
     - compat-with-oslo.policy-3.5.0.patch
 .
   [ Jenkins ]
   * Rebuilt by bop.
