Your message dated Fri, 14 Nov 2025 14:34:20 +0000
with message-id <[email protected]>
and subject line Bug#1120053: fixed in keystone 2:28.0.0-2
has caused the Debian Bug report #1120053,
regarding Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1120053: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120053
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: keystone
Version: 2:27.0.0-3
Severity: grave
Tags: patch

date: 2025-11-04
id: OSSA-2025-002
title: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization
description: >
  kay reported a vulnerability in Keystone’s ec2tokens and s3tokens APIs. By
  sending those endpoints a valid AWS Signature (e.g., from a presigned S3
  URL), an unauthenticated attacker may obtain Keystone authorization
  (ec2tokens can yield a fully scoped token; s3tokens can reveal scope accepted
  by some services), resulting in unauthorized access and privilege escalation.
  Deployments where /v3/ec2tokens or /v3/s3tokens are reachable by
  unauthenticated clients (e.g., exposed on a public API) are affected.
affected-products:
  - product: Keystone
    version: '<26.0.1, ==27.0.0, ==28.0.0'
vulnerabilities:
  - cve-id: PENDING
reporters:
  - name: kay
    reported:
      - PENDING
issues:
  links:
    - https://launchpad.net/bugs/2119646
reviews:
  2026.1/gazpacho(keystone):
    - https://review.opendev.org/966069
  2025.2/flamingo(keystone):
    - https://review.opendev.org/966070
  2025.1/epoxy(keystone):
    - https://review.opendev.org/966071
  2024.2/dalmatian(keystone):
    - https://review.opendev.org/966073
  2026.1/gazpacho(swift):
    - https://review.opendev.org/966062
  2025.2/flamingo(swift):
    - https://review.opendev.org/966063
  2025.1/epoxy(swift):
    - https://review.opendev.org/966064
  2024.2/dalmatian(swift):
    - https://review.opendev.org/966067
notes:
  - While the indicated Keystone patches are sufficient to mitigate this
    vulnerability, corresponding changes for Swift are included which keep its
    optional S3-like API working.
  - MITRE CVE Request 1930434 has been awaiting assignment since 2025-09-24,
    but once completed will result in an errata revision to this advisory
    reflecting the correct CVE ID. If any other CNA has assigned a CVE
    themselves in the meantime, please reject it so that we don't end up with
    duplicates.

--- End Message ---
--- Begin Message ---
Source: keystone
Source-Version: 2:28.0.0-2
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 30 Oct 2025 09:13:13 +0100
Source: keystone
Architecture: source
Version: 2:28.0.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1120053
Changes:
 keystone (2:28.0.0-2) unstable; urgency=high
 .
   * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
     a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected.
     Applied upstream patch (Closes: #1120053):
     - keystone-bug-2119646-stable-2025.2.patch
Checksums-Sha1:
 b69dc9ad52e290bfcc34a965099f80e757bbd021 3472 keystone_28.0.0-2.dsc
 6454aa9a63df45eab86a35b9c4c284d10879dc9e 45348 keystone_28.0.0-2.debian.tar.xz
 0e081afb5fd8eab9cf37c24078d789fbf40a69c3 18179 keystone_28.0.0-2_amd64.buildinfo
Checksums-Sha256:
 595d4ff77877f8ea0c706bba341bf2b5228717978c2c3abce3cabc945a2a4f4c 3472 keystone_28.0.0-2.dsc
 b8f8408256477cc96b7904a7fb1dedc47cd1fdfd843820c699d4a059d9a97265 45348 keystone_28.0.0-2.debian.tar.xz
 8f9b8916d3ed5704fa2d8e38047718fa72e66417d4d160496f5615a6f7c732a8 18179 keystone_28.0.0-2_amd64.buildinfo
Files:
 4f86a812f0daa4bb5a796a4cd26cea06 3472 net optional keystone_28.0.0-2.dsc
 856b3dbcb60714c71047938ebd4227eb 45348 net optional keystone_28.0.0-2.debian.tar.xz
 bb366b090497ac2dbcb606844bc006a8 18179 net optional keystone_28.0.0-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpR84lxqCr7f.pgp
Description: PGP signature


--- End Message ---
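The advisory above states the vulnerable upstream range as `<26.0.1, ==27.0.0, ==28.0.0`, while the Debian upload closes the bug at 2:28.0.0-2, a package that still carries upstream 28.0.0 but has the patch applied. Deciding whether a given deployment is affected therefore needs both the upstream range and the Debian package version. The script below is an added example for this page, not code from Keystone, the OpenStack security team or the Debian package: it evaluates the OSSA range expression against an upstream release number and ports dpkg's version ordering so that an installed Debian version can be compared with the fixed revision. The two version strings are copied from the messages above; the function names and the sample versions fed to them are constructed for illustration, and only the fixed version this upload names is known to the script (other Debian suites may have different fixed versions).

```python
"""Applicability check for OSSA-2025-002 (Debian bug #1120053).

Added example for this bug-report page; not code from Keystone, the
OpenStack security team or the Debian keystone package. The two version
strings below are copied from the advisory and the .changes file; the
sample inputs are constructed for illustration.
"""
import operator
import re

# From the advisory's affected-products block: vulnerable upstream releases.
# The comma-separated clauses are alternatives; any match means affected.
OSSA_AFFECTED = "<26.0.1, ==27.0.0, ==28.0.0"
# From the Debian upload that closed the bug (the only fixed Debian version
# this page names; other suites may differ).
DEBIAN_FIXED = "2:28.0.0-2"

_OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, ">=": operator.ge}


def _numeric_tuple(v):
    """'26.0.1' -> (26, 0, 1); OSSA specs use plain dotted release numbers."""
    return tuple(int(p) for p in v.split("."))


def upstream_affected(version, spec=OSSA_AFFECTED):
    """True if the upstream release matches any clause of the OSSA range spec."""
    vt = _numeric_tuple(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)*)\s*", clause)
        if not m:
            raise ValueError("unparseable clause: %r" % clause)
        op, ref = m.groups()
        if _OPS[op](vt, _numeric_tuple(ref)):
            return True
    return False


def split_debian_version(v):
    """'2:28.0.0-2' -> (2, '28.0.0', '2'); epoch defaults to 0, revision to ''."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def _order(c):
    """Character weight used by dpkg: '~' < end-of-string/digit < letters < other."""
    if c is None or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Port of dpkg's verrevcmp() for one upstream or revision fragment."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compared character by character with _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: compared numerically after dropping leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(v1, v2):
    """Negative, zero or positive, following dpkg's epoch:upstream-revision order."""
    e1, u1, r1 = split_debian_version(v1)
    e2, u2, r2 = split_debian_version(v2)
    if e1 != e2:
        return e1 - e2
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def assess(debian_version):
    """Classify an installed Debian keystone version against this advisory."""
    _, upstream, _ = split_debian_version(debian_version)
    # The OSSA spec covers only dotted release numbers; drop suffixes like '~rc1'.
    m = re.match(r"\d+(?:\.\d+)*", upstream)
    if not m:
        raise ValueError("no release number in upstream version %r" % upstream)
    release = m.group(0)
    if not upstream_affected(release):
        return "not affected: upstream %s is outside the OSSA-2025-002 range" % release
    if dpkg_compare(debian_version, DEBIAN_FIXED) >= 0:
        return "patched: upstream %s is in range, but %s carries the OSSA-2025-002 patch" % (
            release, debian_version)
    return "AFFECTED: upgrade to %s or later" % DEBIAN_FIXED


if __name__ == "__main__":
    # Constructed sample versions: the reported one, an unpatched 28.0.0,
    # the fixing upload and a release outside the range.
    for v in ("2:27.0.0-3", "2:28.0.0-1", "2:28.0.0-2", "2:26.0.1-1"):
        print(v, "->", assess(v))
```

The split between `upstream_affected` and `dpkg_compare` matters: matching the upstream part of a distribution package version against an advisory range alone reports 2:28.0.0-2 as vulnerable, which is why the Debian fixed version is checked second and wins.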