Format: 1.8
Date: Fri, 31 Oct 2025 00:56:54 +0100
Source: keystone
Architecture: source
Version: 2:18.1.0-1+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1120053
Changes:
 keystone (2:18.1.0-1+deb11u2) bullseye-security; urgency=medium
 .
   * New upstream release.
   * Removed CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch
     now upstreamed.
   * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g.,
     from a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected.
     Applied upstream patch (Closes: #1120053):
     - Fix_oslo_policy_DeprecatedRule_warnings.patch
     - Consistent_and_Secure_RBAC_Phase_1.patch
     - Fix_policies_for_groups.patch
     - Allow_admin_to_access_tokens_and_credentials.patch
     - Dont_enforce_when_HTTP_GET_on_s3tokens_and_ec2tokens.patch
     - keystone-bug-2119646-stable-2024.1.patch (backported by me)
     - compat-with-oslo.policy-3.5.0.patch
Checksums-Sha1:
 3da3a3427e828d0d36115c4ccb2fc3981ff091e6 3635 keystone_18.1.0-1+deb11u2.dsc
 1830ea306eb207ef120d4d14d3dac07eeecc9bb3 1072716 keystone_18.1.0.orig.tar.xz
 b6462b263821ffcaad05d3334089b6465f845ece 64116 keystone_18.1.0-1+deb11u2.debian.tar.xz
 e68bf47463a7c7be98e6b5f36ca7a4dd5eab4b76 17551 keystone_18.1.0-1+deb11u2_amd64.buildinfo
Checksums-Sha256:
 5c99fa4cd47d987d344ec5d7e8b6cfd4ada05d265cc1e0256a8c6c0daebb0cf3 3635 keystone_18.1.0-1+deb11u2.dsc
 d1509347f8686179c78e347718754b81f882adc2efe8296bb4d18b0c3dc9336e 1072716 keystone_18.1.0.orig.tar.xz
 38962e460daee25affca32c445d82067f04896135e8ff97fe71a9602471fce0e 64116 keystone_18.1.0-1+deb11u2.debian.tar.xz
 85b72faea86ba63c66fee9b9f81158a08688fc37164719171a39b5c74f4d5bce 17551 keystone_18.1.0-1+deb11u2_amd64.buildinfo
Files:
 e271bd81c995e17cf7334feafcc05255 3635 net optional keystone_18.1.0-1+deb11u2.dsc
 4de2704a30c410082685052e5b508b1c 1072716 net optional keystone_18.1.0.orig.tar.xz
 929f7dad13cfae565be1e898acb7f4a0 64116 net optional keystone_18.1.0-1+deb11u2.debian.tar.xz
 cbda147bc13848c704b8ee101b780292 17551 net optional keystone_18.1.0-1+deb11u2_amd64.buildinfo