Format: 1.8
Date: Fri, 29 May 2026 06:15:09 +0000
Source: keystone
Binary: keystone keystone-doc python3-keystone
Architecture: source all
Version: 2:18.1.0-5~bpo11+1
Distribution: bullseye
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Jenkins <jenkins@bullseye-victoria.infomaniak.ch>
Description:
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python3-keystone - OpenStack identity service - library
Closes: 1135645
Changes:
 keystone (2:18.1.0-5~bpo11+1) UNRELEASED; urgency=medium
 .
   [ Thomas Goirand ]
   * Multiple vulnerabilities in Keystone's delegated authentication allow an
     authenticated user to escalate privileges to cloud admin. The most severe
     (CVE-2026-42999) requires only a valid token:
     - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
       request body, bypassing authorization on any policy-protected endpoint.
       Allows reading all credential secrets, creating credentials for arbitrary
       users, and granting admin across domains. (LP#2148398, reported by Boris
       Bobrov, SAP SE).
     - CVE-2026-42998: Application credential authentication does not verify the
       caller owns the credential, allowing user impersonation within a shared
       project. (LP#2148477, reported by Boris Bobrov, SAP SE).
     - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
       with trusts to escalate from member to admin. The resulting trust
       persists independently of the original credential. (LP#2148477, reported
       by Boris Bobrov, SAP SE).
     - CVE-2026-43001: Application credentials scoped to one project can create
       EC2 credentials for a different project. A fix for the creation-time
       path is already merged; this patch extends the check to the auth-time
       path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
     - CVE-2026-44394: Federated users can maintain access indefinitely by
       repeatedly rescoping tokens before expiry. Each rescope issues a fresh
       full-TTL token instead of inheriting the original expiry. Only
       SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
       Institute of Computing Technology, Chinese Academy of Sciences).
     .
     The patch also addresses three related issues found during investigation:
     trust-scoped tokens accessing credentials outside the delegated project
     (LP#2149789), trust-scoped tokens creating persistent application
     credentials for impersonated users (LP#2150089), and a latent query-string
     parameter injection in policy enforcement and lack of scope boundary
     enforcement in the delegated token logic (LP#2150089). These were reported
     by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
     .
     Applied the proposed upstream patches:
     - 0001-Add-tests-for-restricted-app-cred-guard.patch
     - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
     - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
     - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
     - CVE-2026-43001-keystone-backport-stable-2025.1.patch
     .
     Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
     trust policy structure. If this policy is customized by the provider,
     failure to update it may result in issues with image upload, heat service
     functionality and potentially more.
   * Note that all the above CVEs are combined into this one: CVE-2026-43001.
     (Closes: #1135645).
 .
   [ Jenkins ]
   * Rebuilt by bop.
Checksums-Sha1:
Checksums-Sha256:
Files:
