-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 May 2026 16:39:48 +0200
Source: keystone
Binary: keystone keystone-doc python3-keystone
Architecture: all
Version: 2:27.0.0-3+deb13u4
Distribution: trixie-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03) <buildd_amd64-x86-grnet-03@buildd.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python3-keystone - OpenStack identity service - library
Closes: 1135645
Changes:
 keystone (2:27.0.0-3+deb13u4) trixie-security; urgency=medium
 .
   * Multiple vulnerabilities in Keystone's delegated authentication allow an
     authenticated user to escalate privileges to cloud admin. The most severe
     (CVE-2026-42999) requires only a valid token:
     - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
       request body, bypassing authorization on any policy-protected endpoint.
       Allows reading all credential secrets, creating credentials for arbitrary
       users, and granting admin across domains. (LP#2148398, reported by Boris
       Bobrov, SAP SE).
     - CVE-2026-42998: Application credential authentication does not verify the
       caller owns the credential, allowing user impersonation within a shared
       project. (LP#2148477, reported by Boris Bobrov, SAP SE).
     - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
       with trusts to escalate from member to admin. The resulting trust
       persists independently of the original credential. (LP#2148477, reported
       by Boris Bobrov, SAP SE).
     - CVE-2026-43001: Application credentials scoped to one project can create
       EC2 credentials for a different project. A fix for the creation-time
       path is already merged; this patch extends the check to the auth-time
       path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
     - CVE-2026-44394: Federated users can maintain access indefinitely by
       repeatedly rescoping tokens before expiry. Each rescope issues a fresh
       full-TTL token instead of inheriting the original expiry. Only
       SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
       Institute of Computing Technology, Chinese Academy of Sciences).
     .
     The patch also addresses three related issues found during investigation:
     trust-scoped tokens accessing credentials outside the delegated project
     (LP#2149789), trust-scoped tokens creating persistent application
     credentials for impersonated users (LP#2150089), and a latent query-string
     parameter injection in policy enforcement and lack of scope boundary
     enforcement in the delegated token logic (LP#2150089). These were reported
     by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
     .
     Applied the proposed upstream patches:
     - 0001-Add-tests-for-restricted-app-cred-guard.patch
     - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
     - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
     - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
     - CVE-2026-43001-keystone-backport-stable-2025.1.patch
     .
     Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
     trust policy structure. If this policy is customized by the provider,
     failure to update it may result in issues with image upload, heat service
     functionality and potentially more.
   * Note that all the above CVEs are combined into this one: CVE-2026-43001.
     (Closes: #1135645).

