Format: 1.8
Date: Thu, 30 Oct 2025 09:13:13 +0100
Source: keystone
Architecture: source
Version: 2:28.0.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1120053
Changes:
 keystone (2:28.0.0-2) unstable; urgency=high
 .
   * OSSA-2025-002: kay reported a vulnerability in Keystone's ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g.,
     from a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected. Applied upstream patch (Closes: #1120053):
     - keystone-bug-2119646-stable-2025.2.patch
Checksums-Sha1:
 b69dc9ad52e290bfcc34a965099f80e757bbd021 3472 keystone_28.0.0-2.dsc
 6454aa9a63df45eab86a35b9c4c284d10879dc9e 45348 keystone_28.0.0-2.debian.tar.xz
 0e081afb5fd8eab9cf37c24078d789fbf40a69c3 18179 keystone_28.0.0-2_amd64.buildinfo
Checksums-Sha256:
 595d4ff77877f8ea0c706bba341bf2b5228717978c2c3abce3cabc945a2a4f4c 3472 keystone_28.0.0-2.dsc
 b8f8408256477cc96b7904a7fb1dedc47cd1fdfd843820c699d4a059d9a97265 45348 keystone_28.0.0-2.debian.tar.xz
 8f9b8916d3ed5704fa2d8e38047718fa72e66417d4d160496f5615a6f7c732a8 18179 keystone_28.0.0-2_amd64.buildinfo
Files:
 4f86a812f0daa4bb5a796a4cd26cea06 3472 net optional keystone_28.0.0-2.dsc
 856b3dbcb60714c71047938ebd4227eb 45348 net optional keystone_28.0.0-2.debian.tar.xz
 bb366b090497ac2dbcb606844bc006a8 18179 net optional keystone_28.0.0-2_amd64.buildinfo