Sorry, I uploaded the wrong file. Here is the correct debdiff.
Cheers, Thomas Goirand (zigo)
diff -Nru keystone-27.0.0/debian/changelog keystone-27.0.0/debian/changelog
--- keystone-27.0.0/debian/changelog 2025-10-30 09:26:19.000000000 +0100
+++ keystone-27.0.0/debian/changelog 2026-04-15 10:06:32.000000000 +0200
@@ -1,3 +1,20 @@
+keystone (2:27.0.0-3+deb13u3) trixie; urgency=medium
+
+ * CVE-2026-40683 / OSSA-2026-007: LDAP identity backend does not convert
+ enabled attribute to boolean. When the user_enabled_invert configuration
+ option was False (the default), Keystone did not correctly interpret the
+ LDAP enabled attribute, causing users disabled in LDAP to be treated as
+ enabled and allowed to authenticate. Deployments using the LDAP identity
+ backend without user_enabled_invert=True or user_enabled_emulation are
+ affected. Applied upstream patch:
+ - OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
+ (Closes: #1133884).
+ * CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
+ create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
+ credential creation and deletion" (Closes: #1133118).
+
+ -- Thomas Goirand <[email protected]> Wed, 15 Apr 2026 10:06:32 +0200
+
 keystone (2:27.0.0-3+deb13u1) trixie-security; urgency=high
 * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
diff -Nru keystone-27.0.0/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch keystone-27.0.0/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
--- keystone-27.0.0/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch 1970-01-01 01:00:00.000000000 +0100
+++ keystone-27.0.0/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch 2026-04-15 10:06:32.000000000 +0200
@@ -0,0 +1,70 @@
+Author: Grzegorz Grasza <[email protected]>
+Date: Thu, 26 Feb 2026 10:09:18 +0100
+Description: Prevent unauthorized EC2 credential creation and deletion
+ A restricted application credential could be used to create EC2
+ credentials granting full user access to S3, bypassing the role
+ restriction. Add the same _check_unrestricted_application_credential
+ guard that already protects application credential create/delete
+ endpoints.
+ .
+ Additionally, tighten the ec2_create_credential and ec2_delete_credential
+ policies to require at least member role, as these are write operations
+ that should not be accessible to reader-role users regardless of whether
+ they are using an application credential.
+Change-Id: Ib6904ec9f1bc069a9f607d39814b1d2633c17f53
+Bug: https://launchpad.net/bugs/2142138
+Signed-off-by: Grzegorz Grasza <[email protected]>
+Bug-Debian: https://bugs.debian.org/1133118
+Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/983589
+Last-Update: 2026-04-10
+
+diff --git a/keystone/api/users.py b/keystone/api/users.py
+index b3ec13f..f614f1c 100644
+--- a/keystone/api/users.py
++++ b/keystone/api/users.py
+@@ -425,6 +425,8 @@
+ ENFORCER.enforce_call(
+ action='identity:ec2_create_credential', target_attr=target
+ )
++ token = self.auth_context['token']
++ _check_unrestricted_application_credential(token)
+ PROVIDERS.identity_api.get_user(user_id)
+ tenant_id = self.request_body_json.get('tenant_id')
+ PROVIDERS.resource_api.get_project(tenant_id)
+diff --git a/keystone/common/policies/base.py b/keystone/common/policies/base.py
+index 97970e4..5c807f1 100644
+--- a/keystone/common/policies/base.py
++++ b/keystone/common/policies/base.py
+@@ -62,6 +62,10 @@
+ ADMIN_OR_CRED_OWNER = (
+ '(' + RULE_ADMIN_REQUIRED + ') ' 'or user_id:%(target.credential.user_id)s'
+ )
++ADMIN_OR_MEMBER_AND_CRED_OWNER = (
++ '(' + RULE_ADMIN_REQUIRED + ') or '
++ '(role:member and user_id:%(target.credential.user_id)s)'
++)
+
+ # This rule template is meant for restricting role assignments done by domain
+ # managers. It is intended to restrict the roles a domain manager can assign or
+diff --git a/keystone/common/policies/ec2_credential.py b/keystone/common/policies/ec2_credential.py
+index ab4b3db..efca8c4 100644
+--- a/keystone/common/policies/ec2_credential.py
++++ b/keystone/common/policies/ec2_credential.py
+@@ -73,7 +73,7 @@
+ ),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'ec2_create_credential',
+- check_str=base.RULE_ADMIN_OR_OWNER,
++ check_str=base.ADMIN_OR_MEMBER_AND_CRED_OWNER,
+ scope_types=['system', 'project'],
+ description='Create ec2 credential.',
+ operations=[
+@@ -86,7 +86,7 @@
+ ),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'ec2_delete_credential',
+- check_str=base.ADMIN_OR_CRED_OWNER,
++ check_str=base.ADMIN_OR_MEMBER_AND_CRED_OWNER,
+ scope_types=['system', 'project'],
+ description='Delete ec2 credential.',
+ operations=[
diff -Nru keystone-27.0.0/debian/patches/CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch keystone-27.0.0/debian/patches/CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
--- keystone-27.0.0/debian/patches/CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch 1970-01-01 01:00:00.000000000 +0100
+++ keystone-27.0.0/debian/patches/CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch 2026-04-15 10:06:32.000000000 +0200
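Review bot: The `_check_unrestricted_application_credential(token)` guard is added only to the create handler (the single `keystone/api/users.py` hunk at `@@ -425,6 +425,8 @@` sits under the `identity:ec2_create_credential` enforce call), and all 70 lines of the patch are visible here, so the delete handler gets no such check; as far as the new `ADMIN_OR_MEMBER_AND_CRED_OWNER` rule shows, a restricted application credential that carries the member role can therefore still delete its user's EC2 credentials. If that matches what upstream change 983589 ships it is acceptable, but the patch title and the Debian changelog both say "creation and deletion", so confirm the backport is not missing a second users.py hunk; the fix would be the same two lines, `token = self.auth_context['token']` and `_check_unrestricted_application_credential(token)`, placed after the `enforce_call` in the delete path. Replacing `RULE_ADMIN_OR_OWNER` / `ADMIN_OR_CRED_OWNER` with a rule that requires `role:member` is also a user-visible behaviour change: a user whose only roles are custom or legacy names (no `member`, not admin) loses EC2 credential create/delete after this update, which deserves a debian/NEWS entry or at least a sentence in the changelog. The handler methods around the two inserted lines start and end outside the hunk, and because whitespace was collapsed in this copy their indentation cannot be checked here.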
@@ -0,0 +1,58 @@
+Author: Benedikt Trefzer <[email protected]>
+Date: Thu, 21 Aug 2025 16:11:12 +0200
+Description: OSSA-2026-007: fix ldap 'enabled' setting not interpreted as boolean
+ interpretation of the ldap enabled attribute as boolean
+ is only done if enabled_invert setting is set to true.
+Depends-on: https://review.opendev.org/c/openstack/keystone/+/982656
+Bug: https://launchpad.net/bugs/2121152
+Bug-Debian: https://bugs.debian.org/1133884
+Change-Id: I7260bf46adf003aef7c7ac0d436c3758f658cb0c
+Signed-off-by: Benedikt Trefzer <[email protected]>
+Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/982408
+Last-Update: 2026-04-15
+
+diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
+index 5ddf14d..fd09c7c 100644
+--- a/keystone/identity/backends/ldap/core.py
++++ b/keystone/identity/backends/ldap/core.py
+@@ -263,13 +263,17 @@
+ self.enabled_default = conf.ldap.user_enabled_default
+ self.enabled_invert = conf.ldap.user_enabled_invert
+ self.enabled_emulation = conf.ldap.user_enabled_emulation
++ self.attribute_ignore = conf.ldap.user_attribute_ignore
+
+ def _ldap_res_to_model(self, res):
+ obj = super()._ldap_res_to_model(res)
+ if self.enabled_mask != 0:
+ enabled = int(obj.get('enabled', self.enabled_default))
+ obj['enabled'] = (enabled & self.enabled_mask) != self.enabled_mask
+- elif self.enabled_invert and not self.enabled_emulation:
++ elif (
++ not self.enabled_emulation
++ and 'enabled' not in self.attribute_ignore
++ ):
+ # This could be a bool or a string. If it's a string,
+ # we need to convert it so we can invert it properly.
+ enabled = obj.get('enabled', self.enabled_default)
+@@ -278,7 +282,10 @@
+ enabled = True
+ else:
+ enabled = False
+- obj['enabled'] = not enabled
++ if self.enabled_invert:
++ obj['enabled'] = not enabled
++ else:
++ obj['enabled'] = enabled
+ obj['dn'] = res[0]
+
+ return obj
+diff --git a/releasenotes/notes/fix_ldap_enabled_boolean-6281eb00e5aaed26.yaml b/releasenotes/notes/fix_ldap_enabled_boolean-6281eb00e5aaed26.yaml
+new file mode 100644
+index 0000000..421abc5
+--- /dev/null
++++ b/releasenotes/notes/fix_ldap_enabled_boolean-6281eb00e5aaed26.yaml
+@@ -0,0 +1,4 @@
++---
++fixes:
++ - |
++ Ldap identity backend did not interpret the enabled field as boolean.
diff -Nru keystone-27.0.0/debian/patches/series keystone-27.0.0/debian/patches/series
--- keystone-27.0.0/debian/patches/series 2025-10-30 09:26:19.000000000 +0100
+++ keystone-27.0.0/debian/patches/series 2026-04-15 10:06:32.000000000 +0200
@@ -3,3 +3,5 @@
 set-deprecation-warnings-to-ignore.patch
 api_Remove_constraints_on_user_IDs.patch
 keystone-bug-2119646-stable-2025.1.patch
+CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
+CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
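Review bot: The widened `elif` now routes every deployment that is not using `user_enabled_emulation` (and does not list `enabled` in `user_attribute_ignore`) through the string-to-bool conversion, but the comparison that decides which string counts as enabled sits on old lines 276-277, between the two core.py hunks, and is not visible here; from the `enabled = True` / `else: enabled = False` arms only one spelling (presumably `true`, case-insensitively) maps to enabled and every other string now maps to disabled, whereas before this update any non-empty value was truthy when `user_enabled_invert` was False. That is a lockout risk for sites whose `user_enabled_attribute` holds values such as `1` or `yes`, and it should be called out in debian/NEWS, e.g. `The LDAP user_enabled_attribute is now interpreted as a boolean for all deployments, not only with user_enabled_invert=True; verify that your attribute values are recognised before upgrading`. The DEP-3 header carries `Depends-on: https://review.opendev.org/c/openstack/keystone/+/982656`, which this debdiff does not add, so confirm that change is already in 27.0.0 or in keystone-bug-2119646-stable-2025.1.patch before upload. Separately, the changelog names this patch `OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch` while series adds `CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch`. The first hunk starts inside `__init__`, whose definition is outside the hunk; `_ldap_res_to_model` is complete across the two hunks apart from the hidden lines 276-277.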

