-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 May 2026 16:39:48 +0200
Source: keystone
Architecture: source
Version: 2:27.0.0-3+deb13u4
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack
Changed-By: Thomas Goirand
Closes: 1135645
Changes:
 keystone (2:27.0.0-3+deb13u4) trixie-security; urgency=medium
 .
   * Multiple vulnerabilities in Keystone's delegated authentication allow an
     authenticated user to escalate privileges to cloud admin. The most severe
     (CVE-2026-42999) requires only a valid token:
     - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
       request body, bypassing authorization on any policy-protected endpoint.
       Allows reading all credential secrets, creating credentials for
       arbitrary users, and granting admin across domains. (LP#2148398,
       reported by Boris Bobrov, SAP SE).
     - CVE-2026-42998: Application credential authentication does not verify
       the caller owns the credential, allowing user impersonation within a
       shared project. (LP#2148477, reported by Boris Bobrov, SAP SE).
     - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
       with trusts to escalate from member to admin. The resulting trust
       persists independently of the original credential. (LP#2148477,
       reported by Boris Bobrov, SAP SE).
     - CVE-2026-43001: Application credentials scoped to one project can
       create EC2 credentials for a different project. A fix for the
       creation-time path is already merged; this patch extends the check to
       the auth-time path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
     - CVE-2026-44394: Federated users can maintain access indefinitely by
       repeatedly rescoping tokens before expiry. Each rescope issues a fresh
       full-TTL token instead of inheriting the original expiry. Only
       SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
       Institute of Computing Technology, Chinese Academy of Sciences).
 .
     The patch also addresses three related issues found during
     investigation: trust-scoped tokens accessing credentials outside the
     delegated project (LP#2149789), trust-scoped tokens creating persistent
     application credentials for impersonated users (LP#2150089), and a
     latent query-string parameter injection in policy enforcement and lack
     of scope boundary enforcement in the delegated token logic (LP#2150089).
     These were reported by Tim Shepherd (roiai.ca) and Artem Goncharov
     (SysEleven GmbH).
 .
     Applied the proposed upstream patches:
     - 0001-Add-tests-for-restricted-app-cred-guard.patch
     - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
     - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
     - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
     - CVE-2026-43001-keystone-backport-stable-2025.1.patch
 .
     Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies
     the trust policy structure. If this policy is customized by the
     provider, failure to update it may result in issues with image upload,
     heat service functionality and potentially more.
   * Note that all the above CVEs are combined into this one: CVE-2026-43001.
     (Closes: #1135645).
Checksums-Sha1:
 8d387eeb98ad17d55e05e0e98865daae736ace33 3486 keystone_27.0.0-3+deb13u4.dsc
 896a6f57c727fa62d0aec10d5c8844b40cc42bdb 1098444 keystone_27.0.0.orig.tar.xz
 04094d63b500a14d3778ab16f902da19682f6920 68048 keystone_27.0.0-3+deb13u4.debian.tar.xz
 24466e8594942b22b16e25d06cfe1809d80447fd 18660 keystone_27.0.0-3+deb13u4_amd64.buildinfo
Checksums-Sha256:
 8542741120f778bef0c9192b25c737dd0e232e1ae7baee71c030d76931dfbe95 3486 keystone_27.0.0-3+deb13u4.dsc
 223b27dc676dabd6c9d67e4409fe086f92b5d47bf71ee8c724c3e0d13f26d635 1098444 keystone_27.0.0.orig.tar.xz
 6919c85e4612d17804ffc1aca27a1c157572280e1b141cd2d14dbbe36b7c5c4c 68048 keystone_27.0.0-3+deb13u4.debian.tar.xz
 70f1f5ec3f082a8082a5f9fdf3323e343932f38fb6655601e6e257c4ef36e4b3 18660 keystone_27.0.0-3+deb13u4_amd64.buildinfo
Files:
 55984bbcd57c7315ab2135b44190e341 3486 net optional keystone_27.0.0-3+deb13u4.dsc
 d8119041a4ba1c4545ab5dabe9ae65b9 1098444 net optional keystone_27.0.0.orig.tar.xz
 5d6c15866a71d2a32c6378e353bdcbf2 68048 net optional keystone_27.0.0-3+deb13u4.debian.tar.xz
 087d87a7764cd58ea159b7ca0e7280f2 18660 net optional keystone_27.0.0-3+deb13u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmom0tkACgkQ1BatFaxr
Q/7sJw//UKYUL5xG+UeNI1vKy9qzqcALlo9W4wwc2MHmIHe2m+LeDcYwLaxdaIuc
keROcX4KgDYzcxUnnJCs2QwFhWI2Nly4iFY7uxd3oo/sOcDhZM1PVj2FCtHO3h/L
Ih0o95UgkF8PEn/A1dcHJ4jmen3z/hl1I7PiWK+521F0PzbzDG8M4L8/C9n4hzmR
1npTLYhKTPwtpxYvLcny7VkSsMGH8ZKtEP/QfEJVeQmGS/giboj6TX7ZnIgBmgkb
pQWvFCOlpCfVgsNeEJVe4NC4sns/wpGQkZ5iCIB3N78URrbKeBijNAAcNeGG7Mho
FACznU89L2OrexPiSBExRJhrcIhqiq4wNysz6tfAXEBUuTNy4hjOFuCi2HsPYztY
tb+iCmaa8FCWpm1HPOVtYi1tjaH+YvfTUgSSgzKWqEqSz/W0IyosfooxASR3NBn2
DXdXtXu9WQLm5llmgsO7ewD9fgKOi3TfAVwhCWIdGzXPaOROJoFm5MqcBCmron9Q
szcfzyzgr8kZMPhe+Z+dEqMj9yioxNdiqf34Q6r5mvuL9wh6+tcV8Y63/TY/YEMj
gHlPHnoyK1o3I8r5v/6OZ8Edz8eupE8epFo9SuUjMT1Sx8NTK0O6esZajzkFYZ6g
DjIbIUjRz2G03KXnVXYYVlGQeTTd+XX5hskuGyrFn6+YTgXu8Yw=
=CwAK
-----END PGP SIGNATURE-----
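A model of the rescoping flaw the changelog describes under CVE-2026-44394, added here as an illustration; it is not Keystone's code and not part of the Debian upload. The only facts taken from the entry are that a rescope used to mint a fresh full-TTL token, that the fix makes the rescoped token inherit the original expiry, and that only federated (SAML2/OIDC) users are affected. TOKEN_TTL, the Token fields, and the function names are assumptions made for the example.

```python
"""Toy token issuer showing why restarting the TTL on every rescope lets a
federated user stay logged in forever, and how capping the new token at the
chain's original expiry closes that.  Illustration only, not Keystone code;
TOKEN_TTL and all names here are assumptions."""
from dataclasses import dataclass, replace

TOKEN_TTL = 3600  # seconds; an assumed value, not Keystone's default


@dataclass(frozen=True)
class Token:
    user: str
    project: str
    federated: bool        # issued through a SAML2/OIDC mapping
    issued_at: int
    expires_at: int
    chain_expires_at: int  # expiry of the first token in the rescope chain


def issue(user, project, now, federated):
    """Initial token after authentication: full TTL, and the chain bound is
    its own expiry."""
    exp = now + TOKEN_TTL
    return Token(user, project, federated, now, exp, exp)


def rescope(token, project, now, inherit_expiry):
    """Exchange an unexpired token for one scoped to another project.

    inherit_expiry=False reproduces the flaw: every rescope restarts the TTL,
    so a federated user who rescopes before expiry never has to go back to the
    identity provider.  inherit_expiry=True caps federated tokens at the
    chain's original expiry; locally authenticated users keep the full TTL,
    matching the changelog's note that only federated deployments are affected.
    """
    if now >= token.expires_at:
        raise PermissionError("token expired; re-authenticate")
    exp = now + TOKEN_TTL
    if inherit_expiry and token.federated:
        exp = min(exp, token.chain_expires_at)
    return replace(token, project=project, issued_at=now, expires_at=exp)


def simulate(inherit_expiry, federated=True, interval=1800, attempts=10):
    """Authenticate at t=0, then rescope every `interval` seconds, alternating
    between two projects.  Returns (rescopes that succeeded, final expiry)."""
    tok = issue("alice", "proj-a", 0, federated)
    succeeded = 0
    for n in range(1, attempts + 1):
        try:
            tok = rescope(tok, "proj-b" if n % 2 else "proj-a", n * interval, inherit_expiry)
            succeeded += 1
        except PermissionError:
            break
    return succeeded, tok.expires_at


if __name__ == "__main__":
    print("vulnerable:", simulate(inherit_expiry=False))   # keeps going
    print("fixed, federated:", simulate(inherit_expiry=True))   # stops at 3600
    print("fixed, local user:", simulate(inherit_expiry=True, federated=False))
```

With the flaw, ten rescopes at half-TTL intervals push the expiry out to five hours past the original authentication; with the cap, the second rescope of a federated token is refused at t=3600 and the user must go back through the identity provider.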
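The two checks an operator wants from this file are "is my keystone at or beyond 2:27.0.0-3+deb13u4" and "do the artefacts I downloaded match the Checksums-Sha256 stanza". The script below is an added example written for this page, not part of the Debian upload or of Keystone: it parses the .changes fields, re-implements dpkg's version ordering (deb-version(7)) in pure Python so the comparison also runs on a non-Debian host, and checks a file's size and SHA-256 against the stanza. CHANGES_SAMPLE is a constructed excerpt of the fields above with the PGP armour left out; on a real host you would pass the installed version from `dpkg-query -W -f='${Version}' keystone` to is_fixed().

```python
"""Is the installed keystone at or beyond this upload, and do downloaded files
match its Checksums-Sha256 stanza?  Added illustration, not part of the Debian
upload or of Keystone; dpkg's ordering (deb-version(7)) is re-implemented so
the check runs without dpkg.  CHANGES_SAMPLE is an excerpt of the fields above."""
import hashlib

FIXED_VERSION = "2:27.0.0-3+deb13u4"  # Version: field of this upload

# Constructed excerpt of the .changes body above (PGP armour omitted).
CHANGES_SAMPLE = """\
Source: keystone
Version: 2:27.0.0-3+deb13u4
Distribution: trixie-security
Checksums-Sha256:
 8542741120f778bef0c9192b25c737dd0e232e1ae7baee71c030d76931dfbe95 3486 keystone_27.0.0-3+deb13u4.dsc
 223b27dc676dabd6c9d67e4409fe086f92b5d47bf71ee8c724c3e0d13f26d635 1098444 keystone_27.0.0.orig.tar.xz
 6919c85e4612d17804ffc1aca27a1c157572280e1b141cd2d14dbbe36b7c5c4c 68048 keystone_27.0.0-3+deb13u4.debian.tar.xz
 70f1f5ec3f082a8082a5f9fdf3323e343932f38fb6655601e6e257c4ef36e4b3 18660 keystone_27.0.0-3+deb13u4_amd64.buildinfo
"""

def parse_changes(text):
    """RFC822-style fields -> {field: [lines]}.  Indented lines continue the
    current field; armour lines are skipped; parsing stops at the signature."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if not line.strip() or line.startswith("-----"):
            continue
        if line[0] in " \t":
            if key is not None:
                fields[key].append(line.strip())
            continue
        key, _, value = line.partition(":")
        fields[key] = [value.strip()] if value.strip() else []
    return fields

def expected_sha256(fields):
    """{filename: (hex digest, size)} from the Checksums-Sha256 stanza."""
    out = {}
    for entry in fields.get("Checksums-Sha256", []):
        digest, size, name = entry.split()
        out[name] = (digest.lower(), int(size))
    return out

def sha256_matches(data, digest, size):
    """Check size as well as digest, so a truncated download is rejected."""
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest.lower()

def _order(ch):
    """dpkg weight of a character in a non-digit run: '~' before end of string,
    letters before punctuation."""
    if ch == "~":
        return -1
    if ch.isdigit():
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _verrevcmp(a, b):
    """dpkg's verrevcmp: alternate non-digit runs (by _order) and digit runs
    (numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or (a[i] > b[j]) - (a[i] < b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def split_version(version):
    """'epoch:upstream-revision' -> (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, revision, "")

def compare_versions(a, b):
    """-1, 0 or 1, as dpkg --compare-versions orders a against b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version already carries this upload's fix."""
    return compare_versions(installed, fixed) >= 0
```

The tilde rule matters here: a backport built as 2:27.0.0-3+deb13u4~bpo13+1 sorts below the security upload and is correctly reported as not fixed, while a later stable update such as 2:27.0.0-3+deb13u10 sorts above it. Comparing the strings lexically would get both cases wrong.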