Your message dated Mon, 08 Jun 2026 19:50:22 +0000
with message-id <[email protected]>
and subject line Bug#1135645: fixed in keystone 2:22.0.2-0+deb12u3
has caused the Debian Bug report #1135645,
regarding keystone: CVE-2026-43001
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135645: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135645
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: keystone
Version: 2:29.0.1-1
Severity: important
Tags: security upstream
Forwarded: https://bugs.launchpad.net/keystone/+bug/2149775
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for keystone.
CVE-2026-43001[0]:
| An issue was discovered in OpenStack Keystone 13 through 29. POST
| /v3/credentials did not validate that the caller-supplied project_id
| for an EC2-type credential matched the project of the authenticating
| application credential. This allowed an attacker holding an
| unrestricted application credential for project A to create an EC2
| credential targeting project B; a subsequent /v3/ec2tokens exchange
| would then issue a Keystone token scoped to project B while still
| carrying the original app_cred_id, enabling cross-project lateral
| movement within the credential owner's role footprint.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-43001
https://www.cve.org/CVERecord?id=CVE-2026-43001
[1] https://bugs.launchpad.net/keystone/+bug/2149775
[2] https://review.opendev.org/c/openstack/keystone/+/985804
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: keystone
Source-Version: 2:22.0.2-0+deb12u3
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated keystone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 25 May 2026 16:50:52 +0200
Source: keystone
Architecture: source
Version: 2:22.0.2-0+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1135645
Changes:
keystone (2:22.0.2-0+deb12u3) bookworm-security; urgency=medium
.
* Multiple vulnerabilities in Keystone's delegated authentication allow an
authenticated user to escalate privileges to cloud admin. The most severe
(CVE-2026-42999) requires only a valid token:
- CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
request body, bypassing authorization on any policy-protected endpoint.
Allows reading all credential secrets, creating credentials for arbitrary
users, and granting admin across domains. (LP#2148398, reported by Boris
Bobrov, SAP SE).
- CVE-2026-42998: Application credential authentication does not verify the
caller owns the credential, allowing user impersonation within a shared
project. (LP#2148477, reported by Boris Bobrov, SAP SE).
- CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
with trusts to escalate from member to admin. The resulting trust
persists independently of the original credential. (LP#2148477, reported
by Boris Bobrov, SAP SE)
- CVE-2026-43001: Application credentials scoped to one project can create
EC2 credentials for a different project. A fix for the creation-time
path is already merged; this patch extends the check to the auth-time
path. (LP#2149775, reported by Tim Shepherd, roiai.ca)
- CVE-2026-44394: Federated users can maintain access indefinitely by
repeatedly rescoping tokens before expiry. Each rescope issues a fresh
full-TTL token instead of inheriting the original expiry. Only
SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
Institute of Computing Technology, Chinese Academy of Sciences).
.
The patch also addresses three related issues found during investigation:
trust-scoped tokens accessing credentials outside the delegated project
(LP#2149789), trust-scoped tokens creating persistent application
credentials for impersonated users (LP#2150089), and a latent query-string
parameter injection in policy enforcement and lack of scope boundary
enforcement in the delegated token logic (LP#2150089). These were reported
by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
.
Applied the proposed upstream patches:
- 0001-Add-tests-for-restricted-app-cred-guard.patch
- 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
- 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
- 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
- CVE-2026-43001-keystone-backport-stable-2025.1.patch
.
Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
trust policy structure. If this policy is customized by the provider,
failure to update it may result in issues with image upload, heat service
functionality and potentially more.
* Note that all the above CVE are combined into this one: CVE-2026-43001.
(Closes: #1135645).
Checksums-Sha1:
b2f4ab17e9ee5999d646f92918a2e43f040c64f8 3565 keystone_22.0.2-0+deb12u3.dsc
0082bb40f85f63bd5bf7d67aa7d0089a229090a3 1055220 keystone_22.0.2.orig.tar.xz
b97036089fd62033040d6f82ec86d0a5e3b490d2 74204
keystone_22.0.2-0+deb12u3.debian.tar.xz
4cdcfda16964416ac9642700aa487baed7501987 18263
keystone_22.0.2-0+deb12u3_amd64.buildinfo
Checksums-Sha256:
8f4f5c84f82e03bf4675ee00e0803f19105440a869453df4b75008cb56bac3f9 3565
keystone_22.0.2-0+deb12u3.dsc
a30c128c86b0d53be1998fb9babd49956d74fd9130ff198dddd9f24c01b0c22f 1055220
keystone_22.0.2.orig.tar.xz
ddff9b9b1e0212d4d329b6f31af4eeb1f50fe6a2111f7d7fb72fc4c8eac4fcd2 74204
keystone_22.0.2-0+deb12u3.debian.tar.xz
7d31671dc3329779b6db7e1a0ed8a0943657354367f7d0b011f732df8d8a3b67 18263
keystone_22.0.2-0+deb12u3_amd64.buildinfo
Files:
0d2090e1a819ab2bb590cfffa5db591f 3565 net optional
keystone_22.0.2-0+deb12u3.dsc
60a14722d5ffdf9c7893a4568f3e25a9 1055220 net optional
keystone_22.0.2.orig.tar.xz
d2cbc249f0459cfcdb9358d902f1ada6 74204 net optional
keystone_22.0.2-0+deb12u3.debian.tar.xz
7a4fac3445be53c120f73488fc74b681 18263 net optional
keystone_22.0.2-0+deb12u3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmom0QsACgkQ1BatFaxr
Q/63yQ/+LaWnRq6ayYelk2+INpi54w74rim53K05MpVA6mKhDazC4bdP7MXLyMux
UhFa+D0wKQX5uQYnGma1zvPPTaCPDbH8C+NiKjhMO/zyhkw2r9gNfthopWY+6OBu
OscI1TnhW1qwz5s7XAqbHgKjy8WX2vgSNFVE2C1v+IGEZ8fKLikOyzUcHRHSuLMa
BSGQvdCi1ZotuPpD8IOEFW6k7VbKpaAymaJTvM4Y8eitieaIVAHpdfO6oVXPWAMT
DJLmZfOyy9th9sx4RvncxRHEQ8FITEuRgUc7CmRU17Er348ywPUBlRYDa2wfTcoa
P0qJWUKjM0oN69+rkSrAHvP5+9BH4LvIMfdGgOTkkAI1pmpwIHHuchR+RESsrPzH
mISK5PVkZZVLg4nDQ8/WBpMKKqgEzQGFs9tAFw1zhmJMWB//lvH60OOs8a/RA4iX
QsPuBQ+rfPDLvL16znj6w/Cpu/tPhvXKO83xLia6HzP/UvhBnCK/FTe5ZEoIcVOr
Iht7qxtV/bGn8bVlyYZVTke6L2T/C+XDYIgo4WPho8AIK/gVSVhW8MT7obYKPN58
gHTo8Xohnq3zCQFzWWIVJUA4oll3uNK1iyFkdCQKQgNevn1RCHVKuf/5AcDp35L1
HMGlrUfK1O33T3ScngXYX9H7xaYVjEwCXfIK6HoOsG93NR3FXg0=
=vXEO
-----END PGP SIGNATURE-----
pgpws2CpYYq6S.pgp
Description: PGP signature
--- End Message ---