-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 04 Nov 2025 10:40:04 +0100
Source: heat
Architecture: source
Version: 1:25.0.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1120059
Changes:
 heat (1:25.0.0-2) unstable; urgency=high
 .
   * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g.,
     from a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected. The heat part that is using the S3 API needs to be modified
     to accept the fix for Keystone, otherwise S3 authentication will stop
     working.
     Applied upstream patch (Closes: #1120059):
     Keystone_requires_authentication_when_using_the__v3_ec3token_endpoint.patch
Checksums-Sha1:
 47f3e2ee4d32e09f4b993dfcf2c14bd7b004b14c 3980 heat_25.0.0-2.dsc
 b1f49ca644235856450435130e1b5f489a433d4e 24412 heat_25.0.0-2.debian.tar.xz
 ae1c8487dc33f49ede44fbfe40966ed287382cf1 19806 heat_25.0.0-2_amd64.buildinfo
Checksums-Sha256:
 97b08c59e1e819bc27cf6e02d15b3f92b2d34fd146a8f4ed392bb7c8f56614e1 3980 heat_25.0.0-2.dsc
 43bd988bfffc75738917e786cd3ebc90c4c3cf74650da2e59d628af62bc448cb 24412 heat_25.0.0-2.debian.tar.xz
 f40c58b22643e9898377c7958e2a173610b031c201f3deff73e9868e4173f929 19806 heat_25.0.0-2_amd64.buildinfo
Files:
 b45c4ef5624130d744651b0434c3b39b 3980 web optional heat_25.0.0-2.dsc
 b5af36ca22fb54c4a707df7282ef1c5a 24412 web optional heat_25.0.0-2.debian.tar.xz
 e3c567cf971dc726e7fca0670209faca 19806 web optional heat_25.0.0-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmkKKM4ACgkQ1BatFaxr
Q/5LvQ//VWNHsN7yOhGPke31NyH+KXf0PHMX4lSXErpEaM/Yg5SYDDKL7Dmt3O74
3QCCw0sCFbD3CudTB3Wr1C8zoSBsNoxRu+bze7S/LuLqitt1CSCoYP0H9f8d+Qor
Xig0XthlMnyOZAhS/l3Od3rYFW2/qhH9Nf2XrNTzKtgSuNMuZuCMSg+DAkV+Kedq
ZVrTdZ8Y1U+Kt6gf8AXN5ryTcCgIj7+BaMMRIfMIVEAf+nYIqe4FhNornr4PwMWJ
0qev2zNxmmqVY6uCF5KtnhgL9RzFC6mpi1swnkannkckewpL5aosm8E9GwA/ExUW
6HMt7+e2f+WV2a/0sHoudgEGct0c5pGUDVTCeQvO2kq6y4QjptBczHDg+oyzyF/r
KR/uSmI36BDkU44bTQ8RfJ0lCTj7yAR6lZP1GEzKVEjdMrt0YWwpQZMa+H/7BVvu
2+8ja7CdBdc7eNWsnnQaeB5CAsXzvFtT72tOMy+Sr/YJf/VhE7hPgblmF3iZkgMr
7HPHUvZeUZVkXLC7YUy09Hs5vjd5va0RDMkc+VzACQ21drPZkEO7o3OeyIsIJVic
1uXA1uUYekR8xJhA8UFbqfPrkIwihttG74u4zsmEkysPBsb2scjNdPsS06M4biVr
HuGHEo9R+Pg2jg6G+BNWxQTi6eUaKTTt3QV+jIlqhonFZRukOFI=
=I8xd
-----END PGP SIGNATURE-----