-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 30 Oct 2025 09:26:19 +0100
Source: keystone
Architecture: source
Version: 2:27.0.0-3+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1120053
Changes:
 keystone (2:27.0.0-3+deb13u1) trixie-security; urgency=high
 .
   * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
     a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected. Applied upstream patch (Closes: #1120053):
     - keystone-bug-2119646-stable-2025.1.patch
Checksums-Sha1:
 4152c8282356f474ffcf900f849ea23ebd38f44e 3486 keystone_27.0.0-3+deb13u1.dsc
 896a6f57c727fa62d0aec10d5c8844b40cc42bdb 1098444 keystone_27.0.0.orig.tar.xz
 d88698d69d47dae18ba68ca5b4edd9a8943b27d1 46052 keystone_27.0.0-3+deb13u1.debian.tar.xz
 e5c3a3c3da63b56f1d5adb9964870de20045b9e1 18345 keystone_27.0.0-3+deb13u1_amd64.buildinfo
Checksums-Sha256:
 c42fea98c4283524840695546e15a0f7b5e18cd1899791658aa8955b98965a56 3486 keystone_27.0.0-3+deb13u1.dsc
 223b27dc676dabd6c9d67e4409fe086f92b5d47bf71ee8c724c3e0d13f26d635 1098444 keystone_27.0.0.orig.tar.xz
 68dc7627f6301469f2bd7b448a614f8cdf72b279873dd1802f13d6f10071052b 46052 keystone_27.0.0-3+deb13u1.debian.tar.xz
 d0d1adfe3e33f42350f3fd31d248ce47d08b21a264742a69956fd648c7983c9c 18345 keystone_27.0.0-3+deb13u1_amd64.buildinfo
Files:
 4ae93baa72760d52a8efd5dbed87366f 3486 net optional keystone_27.0.0-3+deb13u1.dsc
 d8119041a4ba1c4545ab5dabe9ae65b9 1098444 net optional keystone_27.0.0.orig.tar.xz
 6e50154c2164ae3d35d557c3a00bcff4 46052 net optional keystone_27.0.0-3+deb13u1.debian.tar.xz
 3a75ff70dd7ae50ae8417f977da42093 18345 net optional keystone_27.0.0-3+deb13u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmkS70EACgkQ1BatFaxr
Q/7hSQ//a8nmddmIid1G4wkB9DGe3aMe0Gt8kXE+PoE/2LKEYYnkeduuLgCA6Bzh
ISX5oD7311Kl6vCoT9Qxu7nB6RAZdUao+lOdJIz9X9cp8+bg8C1M2zJkn6E3E3Z8
zhjdC+nJfh9M8nKZTHNP7CFMhbKRYFITu2dLhHu4o3xpviWclgg4GmS5jTelxb3F
6juLKmD+BUy8CuXEhNJVniOge0VPIKrV+3rjTiTcvRcPic+/8sapAMrCwT3ng4fY
hGGM7Pf58xOSeEkLSE+gaMAyfxZXEQ7UPUZ+tjBdrP23ac6KLObongE5cDBFLRSa
1wQ3IOEDGN9FJ7nK8K1dJquN+FJDUq/I69p56fhh2U/v8s6jLjl34G278AovPIiZ
SlFB11Iv5czER6Ee0UqpiE4SK+HF/0x0cTa6Nu8j3AAxgHTIcwmGbC5i1L/Dc8Vy
5hGAnljndg0XaA6gtybOf4p5rVG1OY4xCu86L7hZYJ3mfyk/T8ZUkite7i8BFjLM
e1Gnljd4IfZ+N0B1GCO77oBKIXVKGwBJT0QOXBcxi4E5wR0gXgwI8cHdil+lb2es
k38sBmAXl7IP1QZkdtXxEAeF80mDeKTFV9hElpYhr85ANl5VD1SgX1ItH3wi3OpM
Z+C13xKmqzDD700qo1ZXzR3A+RrYuzNoUmnlg8DO25ovMVe8u+c=
=kUrX
-----END PGP SIGNATURE-----
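Two checks a practitioner wants after reading this .changes file, written here as an added example that is not part of the file, of the keystone package or of Debian's own tooling: first, verifying downloaded source artifacts against the Checksums-Sha256 stanza above before rebuilding or mirroring them; second, deciding whether an installed keystone version already carries the OSSA-2025-002 fix (Version 2:27.0.0-3+deb13u1 or later). The version comparison reimplements the dpkg algorithm (epoch, then upstream version, then Debian revision, with `~` sorting before anything including the end of the string) so it runs where `dpkg --compare-versions` is not available. The stanza text is copied from the file above; the filename-to-bytes mapping passed to `verify_artifacts`, and the placeholder bytes in the `__main__` block, are constructed for illustration, since the real artifacts are not embedded here.

```python
"""Post-advisory checks: verify .changes checksums and compare Debian versions.

Added example; not part of the keystone .changes file or of Debian tooling.
"""
import hashlib

# Copied from the Checksums-Sha256 stanza of the .changes file above
# (plus the following "Files:" field line, to show where the stanza ends).
CHECKSUMS_SHA256_STANZA = """\
Checksums-Sha256:
 c42fea98c4283524840695546e15a0f7b5e18cd1899791658aa8955b98965a56 3486 keystone_27.0.0-3+deb13u1.dsc
 223b27dc676dabd6c9d67e4409fe086f92b5d47bf71ee8c724c3e0d13f26d635 1098444 keystone_27.0.0.orig.tar.xz
 68dc7627f6301469f2bd7b448a614f8cdf72b279873dd1802f13d6f10071052b 46052 keystone_27.0.0-3+deb13u1.debian.tar.xz
 d0d1adfe3e33f42350f3fd31d248ce47d08b21a264742a69956fd648c7983c9c 18345 keystone_27.0.0-3+deb13u1_amd64.buildinfo
Files:
"""

FIXED_VERSION = "2:27.0.0-3+deb13u1"  # Version field of the .changes file


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one Checksums-* stanza.

    Continuation lines of a field start with a single space; the stanza
    ends at the next unindented line (here "Files:").
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_artifacts(expected, files):
    """Check size and SHA-256 of each listed artifact.

    `expected` is parse_checksums() output; `files` maps filename -> bytes
    (illustrative; in practice read each file from the download directory).
    A missing file is reported as a failure, never silently skipped.
    """
    results = {}
    for name, (digest, size) in expected.items():
        data = files.get(name)
        results[name] = (data is not None and len(data) == size
                         and sha256_hex(data) == digest)
    return results


# ---- Debian version comparison (dpkg's algorithm, reimplemented) ----

def _order(c):
    """Weight of a non-digit char: '~' < end-of-string/digit < letters < others."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments as alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically by length and digits.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v):
    """Split 'epoch:upstream-revision' into its three parts (epoch 0, revision '' if absent)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed keystone version is the fixed one or newer."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    expected = parse_checksums(CHECKSUMS_SHA256_STANZA)
    # Constructed stand-in bytes; the real .dsc is not embedded in this example.
    print(verify_artifacts(expected, {"keystone_27.0.0-3+deb13u1.dsc": b"placeholder"}))
    for v in ("2:27.0.0-3", "2:27.0.0-3+deb13u1", "2:27.0.0-3+deb13u2", "27.0.0-3+deb13u1"):
        print(v, "fixed" if is_fixed(v) else "vulnerable")
```

Feed `is_fixed` the full string from `dpkg-query -W -f='${Version}\n' keystone`, epoch included: `27.0.0-3+deb13u1` without the leading `2:` compares as epoch 0 and is reported as vulnerable, which is the correct answer for a version string that does not match the package's epoch. Matching checksums only show that the files are the ones this .changes file describes; the trust root is the OpenPGP signature on the file itself, so verify that (for example with `dscverify` from devscripts, or `gpg --verify` against the Debian keyring) before relying on the digests.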