Your message dated Thu, 28 May 2026 19:18:14 +0000
with message-id <[email protected]>
and subject line Bug#1135645: fixed in keystone 2:29.0.1-2
has caused the Debian Bug report #1135645,
regarding keystone: CVE-2026-43001
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135645: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135645
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: keystone
Version: 2:29.0.1-1
Severity: important
Tags: security upstream
Forwarded: https://bugs.launchpad.net/keystone/+bug/2149775
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for keystone.
CVE-2026-43001[0]:
| An issue was discovered in OpenStack Keystone 13 through 29. POST
| /v3/credentials did not validate that the caller-supplied project_id
| for an EC2-type credential matched the project of the authenticating
| application credential. This allowed an attacker holding an
| unrestricted application credential for project A to create an EC2
| credential targeting project B; a subsequent /v3/ec2tokens exchange
| would then issue a Keystone token scoped to project B while still
| carrying the original app_cred_id, enabling cross-project lateral
| movement within the credential owner's role footprint.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-43001
https://www.cve.org/CVERecord?id=CVE-2026-43001
[1] https://bugs.launchpad.net/keystone/+bug/2149775
[2] https://review.opendev.org/c/openstack/keystone/+/985804
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: keystone
Source-Version: 2:29.0.1-2
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated keystone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 22 May 2026 00:10:54 +0200
Source: keystone
Architecture: source
Version: 2:29.0.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1135645
Changes:
keystone (2:29.0.1-2) unstable; urgency=medium
  .
  * Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
  .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
  .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
  .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
--- End Message ---
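As an added illustration of the two enforcement points the CVE text and the changelog entry for CVE-2026-43001 describe (the creation-time check on POST /v3/credentials and the auth-time check on the /v3/ec2tokens exchange), here is a toy Python model; it is not Keystone's own code, and the dataclasses, in-memory stores, `Forbidden` exception and the `unrestricted` flag (modelled on the title of patch 0002) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

class Forbidden(Exception):
    """Stand-in for the HTTP 403 the API returns when a boundary check fails."""

@dataclass
class AppCred:
    """Simplified application credential (constructed, not Keystone's model)."""
    id: str
    project_id: str
    unrestricted: bool = True   # False when access rules restrict the app cred

@dataclass
class TokenCtx:
    """What the API knows about the caller; app_cred_id is set only when the
    token was obtained with an application credential."""
    user_id: str
    project_id: str
    app_cred_id: Optional[str] = None

APP_CREDS: dict = {}   # constructed in-memory stores standing in for the database
CREDS: dict = {}

def create_credential(token: TokenCtx, body: dict) -> dict:
    """Creation-time path (POST /v3/credentials): an EC2 credential created
    under an app-cred token must stay inside that app cred's project."""
    cred = dict(body)
    if cred.get("type") == "ec2" and token.app_cred_id is not None:
        app_cred = APP_CREDS[token.app_cred_id]
        if not app_cred.unrestricted:
            raise Forbidden("restricted app cred may not create EC2 credentials")
        if cred.get("project_id") != app_cred.project_id:
            raise Forbidden("EC2 credential project must match the app cred project")
        cred["app_cred_id"] = token.app_cred_id   # keep the origin for the auth-time check
    cred_id = "cred-%d" % (len(CREDS) + 1)
    CREDS[cred_id] = cred
    return {"id": cred_id, **cred}

def ec2_token_exchange(cred_id: str) -> TokenCtx:
    """Auth-time path (/v3/ec2tokens): re-check the boundary on every exchange,
    which also covers cross-project credentials created before the creation-time fix."""
    cred = CREDS[cred_id]
    origin = cred.get("app_cred_id")
    if origin is not None:
        app_cred = APP_CREDS.get(origin)
        if app_cred is None or app_cred.project_id != cred["project_id"]:
            raise Forbidden("credential lies outside its app cred's project")
    return TokenCtx(cred["user_id"], cred["project_id"], origin)
```

The auth-time check is what closes the window for credentials that already existed when the creation-time fix landed; an audit of stored EC2 credentials whose `project_id` differs from their originating app cred's project is the corresponding detection step.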