-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 May 2026 17:24:30 +0200
Source: keystone
Architecture: source
Version: 2:18.1.0-1+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1133118 1133884 1135645
Changes:
 keystone (2:18.1.0-1+deb11u3) bullseye-security; urgency=medium
 .
   * Multiple vulnerabilities in Keystone's delegated authentication allow an
     authenticated user to escalate privileges to cloud admin. The most severe
     (CVE-2026-42999) requires only a valid token:
     - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
       request body, bypassing authorization on any policy-protected endpoint.
       Allows reading all credential secrets, creating credentials for
       arbitrary users, and granting admin across domains. (LP#2148398,
       reported by Boris Bobrov, SAP SE).
     - CVE-2026-42998: Application credential authentication does not verify
       the caller owns the credential, allowing user impersonation within a
       shared project. (LP#2148477, reported by Boris Bobrov, SAP SE).
     - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
       with trusts to escalate from member to admin. The resulting trust
       persists independently of the original credential. (LP#2148477,
       reported by Boris Bobrov, SAP SE).
     - CVE-2026-43001: Application credentials scoped to one project can
       create EC2 credentials for a different project. A fix for the
       creation-time path is already merged; this patch extends the check to
       the auth-time path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
     - CVE-2026-44394: Federated users can maintain access indefinitely by
       repeatedly rescoping tokens before expiry. Each rescope issues a fresh
       full-TTL token instead of inheriting the original expiry. Only
       SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
       Institute of Computing Technology, Chinese Academy of Sciences).
 .
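The CVE-2026-44394 entry above describes a token-issuance rule, not a patch the reader can see, so the following added example (illustration written for this page, not Keystone's own code) models it: a rescope that hands out a fresh full-TTL token beside one that caps the new expiry at the original token's expiry. The token layout, TOKEN_TTL, the clock value and all function names are assumptions made for the illustration.

```python
# Added illustration (not Keystone's own code) of the CVE-2026-44394 failure
# mode: a rescope that issues a fresh full-TTL token versus one that inherits
# the original expiry. Token layout, TOKEN_TTL and function names are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

TOKEN_TTL = timedelta(hours=1)  # assumed configured token lifetime


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: Optional[str]
    issued_at: datetime
    expires_at: datetime
    federated: bool = False


def _require_valid(token: Token, now: datetime) -> None:
    """Reject any operation on an already-expired token."""
    if now >= token.expires_at:
        raise PermissionError("token expired")


def issue_token(user_id: str, now: datetime, federated: bool = False) -> Token:
    """Initial (unscoped) token: a full TTL is correct here."""
    return Token(user_id, None, now, now + TOKEN_TTL, federated)


def rescope_unsafe(original: Token, project_id: str, now: datetime) -> Token:
    """Pre-fix behaviour: the rescoped token gets a brand-new full TTL, so a
    chain of rescopes made before each expiry extends access without bound."""
    _require_valid(original, now)
    return Token(original.user_id, project_id, now, now + TOKEN_TTL,
                 original.federated)


def rescope_fixed(original: Token, project_id: str, now: datetime) -> Token:
    """Fixed behaviour: the rescoped token never outlives the token it was
    derived from, so total lifetime is bounded by the first issuance."""
    _require_valid(original, now)
    expires_at = min(now + TOKEN_TTL, original.expires_at)
    return Token(original.user_id, project_id, now, expires_at,
                 original.federated)


Rescope = Callable[[Token, str, datetime], Token]


def lifetime_gained(rescope: Rescope, rounds: int, step_minutes: int) -> int:
    """Rescope `rounds` times, `step_minutes` apart, and return how many
    minutes the final expiry lies beyond the original token's expiry
    (0 when the fix holds). Raises PermissionError if a rescope is attempted
    on an expired token."""
    t0 = datetime(2026, 5, 28, 12, 0, tzinfo=timezone.utc)  # constructed clock
    token = issue_token("federated-user", t0, federated=True)
    now = t0
    for _ in range(rounds):
        now += timedelta(minutes=step_minutes)
        token = rescope(token, "project-a", now)
    gain = token.expires_at - (t0 + TOKEN_TTL)
    return int(gain.total_seconds() // 60)


def chain_rejected(rescope: Rescope, rounds: int, step_minutes: int) -> bool:
    """True when the chain is stopped by an expired token (the desired outcome
    for the fixed rule once the original hour is up)."""
    try:
        lifetime_gained(rescope, rounds, step_minutes)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe, 5 rescopes 50 min apart: +%d min" %
          lifetime_gained(rescope_unsafe, 5, 50))
    print("fixed, 1 rescope 50 min apart:   +%d min" %
          lifetime_gained(rescope_fixed, 1, 50))
    print("fixed, 2 rescopes rejected:", chain_rejected(rescope_fixed, 2, 50))
```

A useful regression check for an operator is the `lifetime_gained` shape: after the patch, any number of rescopes of a federated token must report a gain of zero, and a rescope attempted after the original expiry must be refused.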
     The patch also addresses three related issues found during
     investigation: trust-scoped tokens accessing credentials outside the
     delegated project (LP#2149789), trust-scoped tokens creating persistent
     application credentials for impersonated users (LP#2150089), and a latent
     query-string parameter injection in policy enforcement and lack of scope
     boundary enforcement in the delegated token logic (LP#2150089). These
     were reported by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven
     GmbH).
 .
     Applied the proposed upstream patches:
     - 0001-Add-tests-for-restricted-app-cred-guard.patch
     - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
     - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
     - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
     - CVE-2026-43001-keystone-backport-stable-2025.1.patch
 .
     Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies
     the trust policy structure. If this policy is customized by the provider,
     failure to update it may result in issues with image upload, heat service
     functionality and potentially more.
   * Note that all the above CVEs are combined into this one: CVE-2026-43001.
     (Closes: #1135645).
   * CVE-2026-40683 / OSSA-2026-007: LDAP identity backend does not convert
     enabled attribute to boolean. When the user_enabled_invert configuration
     option was False (the default), Keystone did not correctly interpret the
     LDAP enabled attribute, causing users disabled in LDAP to be treated as
     enabled and allowed to authenticate. Deployments using the LDAP identity
     backend without user_enabled_invert=True or user_enabled_emulation are
     affected. Applied upstream patch:
     - OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
     (Closes: #1133884).
   * CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
     create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
     credential creation and deletion" (Closes: #1133118).
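The CVE-2026-40683 / OSSA-2026-007 entry above is about one conversion step: the LDAP enabled attribute has to become a real boolean, with user_enabled_invert applied, before it decides whether a user may log in. The following added example (written for this page, not Keystone's code and not the upstream patch) shows that conversion next to a simplified model of the pass-through behaviour the entry describes. The option names user_enabled_invert and user_enabled_default follow keystone.conf [ldap]; the accepted spellings, the helper names and the constructed directory entry are assumptions.

```python
# Added illustration (not Keystone's own code) of the CVE-2026-40683 point:
# the LDAP enabled attribute must be converted to a real boolean, with
# user_enabled_invert and user_enabled_default applied, before it gates
# authentication. Option names follow keystone.conf [ldap]; accepted
# spellings and helper names are assumptions for this example.
from typing import Any

_TRUE = {"true", "t", "yes", "y", "on", "1"}
_FALSE = {"false", "f", "no", "n", "off", "0"}


def _first_value(raw: Any) -> Any:
    """python-ldap returns attribute values as lists of bytes; reduce that to
    one decoded value (None when the attribute is absent or empty)."""
    if isinstance(raw, (list, tuple)):
        raw = raw[0] if raw else None
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", "replace")
    return raw


def ldap_enabled_to_bool(raw: Any, user_enabled_invert: bool = False,
                         user_enabled_default: bool = True) -> bool:
    """Fixed behaviour: always yields a bool. An unrecognised spelling is an
    error rather than a silently truthy string."""
    value = _first_value(raw)
    if value is None:
        enabled = user_enabled_default
    elif isinstance(value, bool):
        enabled = value
    elif isinstance(value, int):
        enabled = value != 0
    else:
        text = str(value).strip().lower()
        if text in _TRUE:
            enabled = True
        elif text in _FALSE:
            enabled = False
        else:
            raise ValueError("unrecognised enabled value %r" % (value,))
    return (not enabled) if user_enabled_invert else enabled


def enabled_unsafe(raw: Any, user_enabled_invert: bool = False) -> Any:
    """Simplified model (an assumption, not Keystone's code) of the bug the
    entry describes: with user_enabled_invert=False the attribute is passed
    through unconverted, so the non-empty string "FALSE" is still truthy."""
    value = _first_value(raw)
    return (not value) if user_enabled_invert else value


def may_authenticate(ldap_entry: dict, converter=ldap_enabled_to_bool,
                     **options) -> bool:
    """Authentication gate: only a user whose converted flag is True passes."""
    return bool(converter(ldap_entry.get("enabled"), **options))


# Constructed directory entry for a user that has been disabled in LDAP.
DISABLED_USER = {"uid": [b"alice"], "enabled": [b"FALSE"]}

if __name__ == "__main__":
    print("pass-through lets disabled user in:",
          may_authenticate(DISABLED_USER, converter=enabled_unsafe))
    print("boolean conversion blocks them:   ",
          may_authenticate(DISABLED_USER))
```

The example does not model user_enabled_emulation (enabled state derived from group membership) or user_enabled_mask; those paths are separate and the entry states that emulation deployments are not affected. The check an operator wants after upgrading is the second line of output: a directory entry carrying a false-valued enabled attribute must be refused.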
Checksums-Sha1:
 68b36e090ecf574877861c44ef6c7493f4907184 3635 keystone_18.1.0-1+deb11u3.dsc
 eb3c10eefbd5c66bb04ab2ea297023ffd7080486 83740 keystone_18.1.0-1+deb11u3.debian.tar.xz
 7d788a71ba1be35cab335769f0d689788f749b39 17624 keystone_18.1.0-1+deb11u3_amd64.buildinfo
Checksums-Sha256:
 4497f3f27516bf67b237942ca09a2ca0fc3b898eef81be4f2ac6501750f67ba2 3635 keystone_18.1.0-1+deb11u3.dsc
 1859410730ebd7c03ddba87e6217361635831de1e6e0b03984cb48b16de1b9f8 83740 keystone_18.1.0-1+deb11u3.debian.tar.xz
 52d982a649e8cbd368c86083bea075a82f7bea083fd07044ca9df7d799e0e0a3 17624 keystone_18.1.0-1+deb11u3_amd64.buildinfo
Files:
 3457c4ba49adc7f7f71e26ec7c6705bd 3635 net optional keystone_18.1.0-1+deb11u3.dsc
 94138fdd3091685aaf257493f9e85c5e 83740 net optional keystone_18.1.0-1+deb11u3.debian.tar.xz
 10e15be2a3eb915879f06f1e52c18f17 17624 net optional keystone_18.1.0-1+deb11u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmoYYOUACgkQ1BatFaxr
Q/4iEA/9GJVLkVs+YOLiwuMHC0fSAvrj1RZFsvu09tKfKi9NtRlnsf1uxcD+cQNg
UbgZqtILRrD2pK3WhRZNzxXSi4Kaiu+NNG3d6CAs/qThd+o2b3PovRHIpyCneg8C
pM1rkr6VEo2ZqQJGvdd+dwf8v2NYtLrJQKGNy0YTgP1MKDWo9z/RuFkXZWgmbxtB
x3aXyyYCXDIBH38uV1Zxvqsaooch/YxXzDMYrh5+q6D14IzP6y6vym4oKVl9E3f/
mXHc/y/nT8GLYa9uCdEQnSBlaawIyJAIVNxFgyoBjiC+5G9r0DiFPWiMpr6Y5Z20
/CGJhLbR31lq3a7JqFFJi1phsq1cggIHPnfQJ9gp5Qayg1d2J0vAkpPwu+X4j/9Q
o8/HTo0XIkjTEGbtdt36a9DWWZD0tCFX+Qq7tgV8Rbj9a6p6EDsWvwtP3y/CmZMA
wlc30YmMI8KXAnJcg58XkedNY7fqVC5UYYg+x7w7Af6bizo/cY5gV9aYsI0ZvAnj
px6RXicKvDISc4VEAzeeqfajfR5d/RMgEFAr+QR/P051jc9pH3wUKNHWqEaywcJD
yvuLfrK7yus0nwY1TP2ls6Q0ciGw10MysYSXiSXpGCSvRp5gfWHF+RnNjk7wFvHR
iW/OWMsMYtdxkVzcwkH51oaf8WsYcEUPGck6Iu2VKad/3voCbC4=
=fM8M
-----END PGP SIGNATURE-----