Your message dated Mon, 08 Jun 2026 20:23:12 +0000
with message-id <[email protected]>
and subject line Bug#1135645: fixed in keystone 2:27.0.0-3+deb13u4
has caused the Debian Bug report #1135645,
regarding keystone: CVE-2026-43001
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135645: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135645
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: keystone
Version: 2:29.0.1-1
Severity: important
Tags: security upstream
Forwarded: https://bugs.launchpad.net/keystone/+bug/2149775
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for keystone.
CVE-2026-43001[0]:
| An issue was discovered in OpenStack Keystone 13 through 29. POST
| /v3/credentials did not validate that the caller-supplied project_id
| for an EC2-type credential matched the project of the authenticating
| application credential. This allowed an attacker holding an
| unrestricted application credential for project A to create an EC2
| credential targeting project B; a subsequent /v3/ec2tokens exchange
| would then issue a Keystone token scoped to project B while still
| carrying the original app_cred_id, enabling cross-project lateral
| movement within the credential owner's role footprint.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-43001
https://www.cve.org/CVERecord?id=CVE-2026-43001
[1] https://bugs.launchpad.net/keystone/+bug/2149775
[2] https://review.opendev.org/c/openstack/keystone/+/985804
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: keystone
Source-Version: 2:27.0.0-3+deb13u4
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated keystone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 25 May 2026 16:39:48 +0200
Source: keystone
Architecture: source
Version: 2:27.0.0-3+deb13u4
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1135645
Changes:
keystone (2:27.0.0-3+deb13u4) trixie-security; urgency=medium
.
* Multiple vulnerabilities in Keystone's delegated authentication allow an
authenticated user to escalate privileges to cloud admin. The most severe
(CVE-2026-42999) requires only a valid token:
- CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
request body, bypassing authorization on any policy-protected endpoint.
Allows reading all credential secrets, creating credentials for arbitrary
users, and granting admin across domains. (LP#2148398, reported by Boris
Bobrov, SAP SE).
- CVE-2026-42998: Application credential authentication does not verify the
caller owns the credential, allowing user impersonation within a shared
project. (LP#2148477, reported by Boris Bobrov, SAP SE).
- CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
with trusts to escalate from member to admin. The resulting trust
persists independently of the original credential. (LP#2148477, reported
by Boris Bobrov, SAP SE)
- CVE-2026-43001: Application credentials scoped to one project can create
EC2 credentials for a different project. A fix for the creation-time
path is already merged; this patch extends the check to the auth-time
path. (LP#2149775, reported by Tim Shepherd, roiai.ca)
- CVE-2026-44394: Federated users can maintain access indefinitely by
repeatedly rescoping tokens before expiry. Each rescope issues a fresh
full-TTL token instead of inheriting the original expiry. Only
SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
Institute of Computing Technology, Chinese Academy of Sciences).
.
The patch also addresses three related issues found during investigation:
trust-scoped tokens accessing credentials outside the delegated project
(LP#2149789), trust-scoped tokens creating persistent application
credentials for impersonated users (LP#2150089), and a latent query-string
parameter injection in policy enforcement and lack of scope boundary
enforcement in the delegated token logic (LP#2150089). These were reported
by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
.
Applied the proposed upstream patches:
- 0001-Add-tests-for-restricted-app-cred-guard.patch
- 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
- 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
- 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
- CVE-2026-43001-keystone-backport-stable-2025.1.patch
.
Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
trust policy structure. If this policy is customized by the provider,
failure to update it may result in issues with image upload, heat service
functionality and potentially more.
* Note that all the above CVE are combined into this one: CVE-2026-43001.
(Closes: #1135645).
Checksums-Sha1:
8d387eeb98ad17d55e05e0e98865daae736ace33 3486 keystone_27.0.0-3+deb13u4.dsc
896a6f57c727fa62d0aec10d5c8844b40cc42bdb 1098444 keystone_27.0.0.orig.tar.xz
04094d63b500a14d3778ab16f902da19682f6920 68048
keystone_27.0.0-3+deb13u4.debian.tar.xz
24466e8594942b22b16e25d06cfe1809d80447fd 18660
keystone_27.0.0-3+deb13u4_amd64.buildinfo
Checksums-Sha256:
8542741120f778bef0c9192b25c737dd0e232e1ae7baee71c030d76931dfbe95 3486
keystone_27.0.0-3+deb13u4.dsc
223b27dc676dabd6c9d67e4409fe086f92b5d47bf71ee8c724c3e0d13f26d635 1098444
keystone_27.0.0.orig.tar.xz
6919c85e4612d17804ffc1aca27a1c157572280e1b141cd2d14dbbe36b7c5c4c 68048
keystone_27.0.0-3+deb13u4.debian.tar.xz
70f1f5ec3f082a8082a5f9fdf3323e343932f38fb6655601e6e257c4ef36e4b3 18660
keystone_27.0.0-3+deb13u4_amd64.buildinfo
Files:
55984bbcd57c7315ab2135b44190e341 3486 net optional
keystone_27.0.0-3+deb13u4.dsc
d8119041a4ba1c4545ab5dabe9ae65b9 1098444 net optional
keystone_27.0.0.orig.tar.xz
5d6c15866a71d2a32c6378e353bdcbf2 68048 net optional
keystone_27.0.0-3+deb13u4.debian.tar.xz
087d87a7764cd58ea159b7ca0e7280f2 18660 net optional
keystone_27.0.0-3+deb13u4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmom0tkACgkQ1BatFaxr
Q/7sJw//UKYUL5xG+UeNI1vKy9qzqcALlo9W4wwc2MHmIHe2m+LeDcYwLaxdaIuc
keROcX4KgDYzcxUnnJCs2QwFhWI2Nly4iFY7uxd3oo/sOcDhZM1PVj2FCtHO3h/L
Ih0o95UgkF8PEn/A1dcHJ4jmen3z/hl1I7PiWK+521F0PzbzDG8M4L8/C9n4hzmR
1npTLYhKTPwtpxYvLcny7VkSsMGH8ZKtEP/QfEJVeQmGS/giboj6TX7ZnIgBmgkb
pQWvFCOlpCfVgsNeEJVe4NC4sns/wpGQkZ5iCIB3N78URrbKeBijNAAcNeGG7Mho
FACznU89L2OrexPiSBExRJhrcIhqiq4wNysz6tfAXEBUuTNy4hjOFuCi2HsPYztY
tb+iCmaa8FCWpm1HPOVtYi1tjaH+YvfTUgSSgzKWqEqSz/W0IyosfooxASR3NBn2
DXdXtXu9WQLm5llmgsO7ewD9fgKOi3TfAVwhCWIdGzXPaOROJoFm5MqcBCmron9Q
szcfzyzgr8kZMPhe+Z+dEqMj9yioxNdiqf34Q6r5mvuL9wh6+tcV8Y63/TY/YEMj
gHlPHnoyK1o3I8r5v/6OZ8Edz8eupE8epFo9SuUjMT1Sx8NTK0O6esZajzkFYZ6g
DjIbIUjRz2G03KXnVXYYVlGQeTTd+XX5hskuGyrFn6+YTgXu8Yw=
=CwAK
-----END PGP SIGNATURE-----
pgpKQNH6CWRNs.pgp
Description: PGP signature
--- End Message ---