Your message dated Sat, 11 Jul 2026 10:42:30 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1135935,
regarding bookworm-pu: package keystone/2:22.0.2-0+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135935: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135935
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:keystone
User: [email protected]
Usertags: pu
Hi,
The security team asked me to go through p-u for this.
[ Reason ]
I'd like to upgrade Keystone to version 2:22.0.2-0+deb12u2,
which will contain 2 security patches.
[ Impact ]
CVE-2026-40683 and CVE-2026-33551.
[ Tests ]
The included patches contain unit tests. Also note that I've put in
production the patch CVE-2026-33551 (CVE-2026-40683 is only for LDAP which
we do not use), so I'm confident all is working.
[ Risks ]
Patches are small, and easy to understand.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Please allow me to upload Keystone 2:22.0.2-0+deb12u2 to Bookworm p-u.
Cheers,
Thomas Goirand (zigo)
diff -Nru keystone-22.0.2/debian/changelog keystone-22.0.2/debian/changelog
--- keystone-22.0.2/debian/changelog 2025-11-11 09:19:08.000000000 +0100
+++ keystone-22.0.2/debian/changelog 2026-04-15 11:10:59.000000000 +0200
@@ -1,3 +1,20 @@
+keystone (2:22.0.2-0+deb12u2) bookworm; urgency=medium
+
+ * CVE-2026-40683 / OSSA-2026-007: LDAP identity backend does not convert
+ enabled attribute to boolean. When the user_enabled_invert configuration
+ option was False (the default), Keystone did not correctly interpret the
+ LDAP enabled attribute, causing users disabled in LDAP to be treated as
+ enabled and allowed to authenticate. Deployments using the LDAP identity
+ backend without user_enabled_invert=True or user_enabled_emulation are
+ affected. Applied upstream patch:
+ - OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
+ (Closes: #1133884).
+ * CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
+ create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
+ credential creation and deletion" (Closes: #1133118).
+
+ -- Thomas Goirand <[email protected]> Wed, 15 Apr 2026 11:10:59 +0200
+
keystone (2:22.0.2-0+deb12u1) bookworm-security; urgency=medium
* New upstream release.
diff -Nru
keystone-22.0.2/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
keystone-22.0.2/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
---
keystone-22.0.2/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
1970-01-01 01:00:00.000000000 +0100
+++
keystone-22.0.2/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
2026-04-15 11:10:59.000000000 +0200
@@ -0,0 +1,70 @@
+Author: Grzegorz Grasza <[email protected]>
+Date: Thu, 26 Feb 2026 10:09:18 +0100
+Description: CVE-2026-33551 / OSSA-2026-005: Prevent unauthorized EC2
credential creation and deletion
+ A restricted application credential could be used to create EC2
+ credentials granting full user access to S3, bypassing the role
+ restriction. Add the same _check_unrestricted_application_credential
+ guard that already protects application credential create/delete
+ endpoints.
+ .
+ Additionally, tighten the ec2_create_credential and ec2_delete_credential
+ policies to require at least member role, as these are write operations
+ that should not be accessible to reader-role users regardless of whether
+ they are using an application credential.
+Change-Id: Ib6904ec9f1bc069a9f607d39814b1d2633c17f53
+Bug: https://launchpad.net/bugs/2142138
+Signed-off-by: Grzegorz Grasza <[email protected]>
+Bug-Debian: https://bugs.debian.org/1133118
+Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/983597
+Last-Update: 2026-04-10
+
+Index: keystone/keystone/api/users.py
+===================================================================
+--- keystone.orig/keystone/api/users.py
++++ keystone/keystone/api/users.py
+@@ -387,6 +387,8 @@ class UserOSEC2CredentialsResourceListCr
+ target['credential'] = {'user_id': user_id}
+ ENFORCER.enforce_call(action='identity:ec2_create_credential',
+ target_attr=target)
++ token = self.auth_context['token']
++ _check_unrestricted_application_credential(token)
+ PROVIDERS.identity_api.get_user(user_id)
+ tenant_id = self.request_body_json.get('tenant_id')
+ PROVIDERS.resource_api.get_project(tenant_id)
+Index: keystone/keystone/common/policies/base.py
+===================================================================
+--- keystone.orig/keystone/common/policies/base.py
++++ keystone/keystone/common/policies/base.py
+@@ -64,6 +64,10 @@ ADMIN_OR_CRED_OWNER = (
+ '(' + RULE_ADMIN_REQUIRED + ') '
+ 'or user_id:%(target.credential.user_id)s'
+ )
++ADMIN_OR_MEMBER_AND_CRED_OWNER = (
++ '(' + RULE_ADMIN_REQUIRED + ') or '
++ '(role:member and user_id:%(target.credential.user_id)s)'
++)
+
+ rules = [
+ policy.RuleDefault(
+Index: keystone/keystone/common/policies/ec2_credential.py
+===================================================================
+--- keystone.orig/keystone/common/policies/ec2_credential.py
++++ keystone/keystone/common/policies/ec2_credential.py
+@@ -58,7 +58,7 @@ ec2_credential_policies = [
+ ),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'ec2_list_credentials',
+- check_str=base.ADMIN_OR_SYSTEM_READER_OR_OWNER,
++ check_str=base.ADMIN_OR_MEMBER_AND_CRED_OWNER,
+ scope_types=['system', 'project'],
+ description='List ec2 credentials.',
+ operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
+@@ -67,7 +67,7 @@ ec2_credential_policies = [
+ ),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'ec2_create_credential',
+- check_str=base.RULE_ADMIN_OR_OWNER,
++ check_str=base.ADMIN_OR_MEMBER_AND_CRED_OWNER,
+ scope_types=['system', 'project'],
+ description='Create ec2 credential.',
+ operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
diff -Nru
keystone-22.0.2/debian/patches/CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
keystone-22.0.2/debian/patches/CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
---
keystone-22.0.2/debian/patches/CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
1970-01-01 01:00:00.000000000 +0100
+++
keystone-22.0.2/debian/patches/CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
2026-04-15 11:10:59.000000000 +0200
@@ -0,0 +1,65 @@
+Author: Benedikt Trefzer <[email protected]>
+Date: Thu, 21 Aug 2025 16:11:12 +0200
+Description: CVE-2026-40683 / OSSA-2026-007: fix ldap 'enabled' setting not
interpreted as boolean
+ interpretation of the ldap enabled attribute as boolean
+ is only done if enabled_invert setting is set to true.
+ .
+ Conflicts:
+ keystone/identity/backends/ldap/core.py
+ .
+ NOTE(elod.illes): conflict is due to Blakify patch [1] that was added
+ in 2024.2 Dalmatian release.
+ .
+ [1] I832ec4c152fa58fb0088d9f880add86a20ec95fc
+Bug: https://launchpad.net/bugs/2121152
+Bug-Debian: https://bugs.debian.org/1133884
+Change-Id: I7260bf46adf003aef7c7ac0d436c3758f658cb0c
+Signed-off-by: Benedikt Trefzer <[email protected]>
+Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/984587
+Last-Update: 2026-04-15
+
+Index: keystone/keystone/identity/backends/ldap/core.py
+===================================================================
+--- keystone.orig/keystone/identity/backends/ldap/core.py
++++ keystone/keystone/identity/backends/ldap/core.py
+@@ -254,6 +254,7 @@ class UserApi(common_ldap.EnabledEmuMixI
+ self.enabled_default = conf.ldap.user_enabled_default
+ self.enabled_invert = conf.ldap.user_enabled_invert
+ self.enabled_emulation = conf.ldap.user_enabled_emulation
++ self.attribute_ignore = conf.ldap.user_attribute_ignore
+
+ def _ldap_res_to_model(self, res):
+ obj = super(UserApi, self)._ldap_res_to_model(res)
+@@ -261,7 +262,10 @@ class UserApi(common_ldap.EnabledEmuMixI
+ enabled = int(obj.get('enabled', self.enabled_default))
+ obj['enabled'] = ((enabled & self.enabled_mask) !=
+ self.enabled_mask)
+- elif self.enabled_invert and not self.enabled_emulation:
++ elif (
++ not self.enabled_emulation
++ and 'enabled' not in self.attribute_ignore
++ ):
+ # This could be a bool or a string. If it's a string,
+ # we need to convert it so we can invert it properly.
+ enabled = obj.get('enabled', self.enabled_default)
+@@ -270,7 +274,10 @@ class UserApi(common_ldap.EnabledEmuMixI
+ enabled = True
+ else:
+ enabled = False
+- obj['enabled'] = not enabled
++ if self.enabled_invert:
++ obj['enabled'] = not enabled
++ else:
++ obj['enabled'] = enabled
+ obj['dn'] = res[0]
+
+ return obj
+Index:
keystone/releasenotes/notes/fix_ldap_enabled_boolean-6281eb00e5aaed26.yaml
+===================================================================
+--- /dev/null
++++ keystone/releasenotes/notes/fix_ldap_enabled_boolean-6281eb00e5aaed26.yaml
+@@ -0,0 +1,4 @@
++---
++fixes:
++ - |
++ Ldap identity backend did not interpret the enabled field as boolean.
diff -Nru keystone-22.0.2/debian/patches/series
keystone-22.0.2/debian/patches/series
--- keystone-22.0.2/debian/patches/series 2025-11-11 09:19:08.000000000
+0100
+++ keystone-22.0.2/debian/patches/series 2026-04-15 11:10:59.000000000
+0200
@@ -6,3 +6,5 @@
Allow_admin_to_access_tokens_and_credentials.patch
Dont_enforce_when_HTTP_GET_on_s3tokens_and_ec2tokens.patch
keystone-bug-2119646-stable-2024.1.patch
+CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
+CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
--- End Message ---
--- Begin Message ---
Version: 12.15
This update was released as part of 12.15.
--- End Message ---