Your message dated Wed, 19 Nov 2025 20:33:13 +0000
with message-id <[email protected]>
and subject line Bug#1120053: fixed in keystone 2:27.0.0-3+deb13u1
has caused the Debian Bug report #1120053,
regarding Unauthenticated access to EC2/S3 token endpoints can grant Keystone
authorization
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1120053: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120053
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: keystone
Version: 2:27.0.0-3
Severity: grave
Tags: patch
date: 2025-11-04
id: OSSA-2025-002
title: Unauthenticated access to EC2/S3 token endpoints can grant Keystone
  authorization
description: >
  kay reported a vulnerability in Keystone’s ec2tokens and s3tokens APIs. By
  sending those endpoints a valid AWS Signature (e.g., from a presigned S3
  URL), an unauthenticated attacker may obtain Keystone authorization
  (ec2tokens can yield a fully scoped token; s3tokens can reveal scope accepted
  by some services), resulting in unauthorized access and privilege escalation.
  Deployments where /v3/ec2tokens or /v3/s3tokens are reachable by
  unauthenticated clients (e.g., exposed on a public API) are affected.
affected-products:
  - product: Keystone
    version: '<26.0.1, ==27.0.0, ==28.0.0'
vulnerabilities:
  - cve-id: PENDING
reporters:
  - name: kay
    reported:
      - PENDING
issues:
  links:
    - https://launchpad.net/bugs/2119646
reviews:
  2026.1/gazpacho(keystone):
    - https://review.opendev.org/966069
  2025.2/flamingo(keystone):
    - https://review.opendev.org/966070
  2025.1/epoxy(keystone):
    - https://review.opendev.org/966071
  2024.2/dalmatian(keystone):
    - https://review.opendev.org/966073
  2026.1/gazpacho(swift):
    - https://review.opendev.org/966062
  2025.2/flamingo(swift):
    - https://review.opendev.org/966063
  2025.1/epoxy(swift):
    - https://review.opendev.org/966064
  2024.2/dalmatian(swift):
    - https://review.opendev.org/966067
notes:
  - While the indicated Keystone patches are sufficient to mitigate this
    vulnerability, corresponding changes for Swift are included which keep its
    optional S3-like API working.
  - MITRE CVE Request 1930434 has been awaiting assignment since 2025-09-24,
    but once completed will result in an errata revision to this advisory
    reflecting the correct CVE ID. If any other CNA has assigned a CVE
    themselves in the meantime, please reject it so that we don't end up with
    duplicates.
--- End Message ---
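The affected-products entry in the advisory above lists the vulnerable upstream releases as a comma-separated set of version clauses ('<26.0.1, ==27.0.0, ==28.0.0'). The Python below is an added example, not part of the advisory, of Keystone or of the Debian package: it evaluates a deployment's Keystone version against that spec. The clause grammar, the reading of the clauses as alternatives (a version is affected if any clause matches) and the stripping of a Debian epoch and revision are assumptions made here. A distribution package can carry a backported fix, as the Debian upload in this thread does for 27.0.0, so a match on the upstream version is a prompt to read the package changelog, not a final verdict.

```python
"""Evaluate a Keystone version against the OSSA-2025-002 affected-version spec.

Added example; not from the advisory, Keystone or Debian. Assumptions:
clauses are comma-separated, each is an operator followed by a dotted
numeric version, and the clauses are alternatives (OR).
"""
import re
from typing import Callable, Dict, List, Tuple

# Copied from the advisory's affected-products entry for Keystone.
OSSA_2025_002_SPEC = "<26.0.1, ==27.0.0, ==28.0.0"

Version = Tuple[int, ...]

_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
}

_CLAUSE_RE = re.compile(r"(<=|>=|==|<|>)\s*([0-9][0-9.]*)")


def parse_version(text: str) -> Version:
    """'27.0.0' -> (27, 0, 0). Non-numeric components raise ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so that 25.9 compares as 25.9.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_spec(spec: str) -> List[Tuple[str, Version]]:
    """'<26.0.1, ==27.0.0' -> [('<', (26, 0, 1)), ('==', (27, 0, 0))]."""
    clauses = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _CLAUSE_RE.fullmatch(raw)
        if m is None:
            raise ValueError(f"unparseable clause: {raw!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def upstream_version(package_version: str) -> str:
    """Strip a Debian epoch and revision: '2:27.0.0-3+deb13u1' -> '27.0.0'.

    Assumes the upstream part itself contains no hyphen, which holds for
    Keystone release numbers.
    """
    without_epoch = package_version.split(":", 1)[-1]
    return without_epoch.rsplit("-", 1)[0]


def is_affected(version: str, spec: str = OSSA_2025_002_SPEC) -> bool:
    """True if the upstream part of `version` satisfies any clause of `spec`."""
    v = parse_version(upstream_version(version))
    for op, bound in parse_spec(spec):
        a, b = _pad(v, bound)
        if _OPS[op](a, b):
            return True
    return False


if __name__ == "__main__":
    # The Debian string matches on its upstream part (27.0.0) even though the
    # deb13u1 revision carries the backported patch: check the changelog too.
    for candidate in ["25.9", "26.0.1", "27.0.0", "27.0.1", "28.0.0",
                      "2:27.0.0-3+deb13u1"]:
        verdict = "affected (upstream spec)" if is_affected(candidate) else "not affected"
        print(f"{candidate:>22}: {verdict}")
```

The spec comparison is deliberately limited to the upstream release number; for a packaged Keystone, pair its result with the package changelog (here, the "Applied upstream patch" entry for keystone-bug-2119646) before deciding a host is exposed.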
--- Begin Message ---
Source: keystone
Source-Version: 2:27.0.0-3+deb13u1
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated keystone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 30 Oct 2025 09:26:19 +0100
Source: keystone
Architecture: source
Version: 2:27.0.0-3+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1120053
Changes:
 keystone (2:27.0.0-3+deb13u1) trixie-security; urgency=high
 .
   * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
     a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected.
     Applied upstream patch (Closes: #1120053):
     - keystone-bug-2119646-stable-2025.1.patch
Checksums-Sha1:
 4152c8282356f474ffcf900f849ea23ebd38f44e 3486 keystone_27.0.0-3+deb13u1.dsc
 896a6f57c727fa62d0aec10d5c8844b40cc42bdb 1098444 keystone_27.0.0.orig.tar.xz
 d88698d69d47dae18ba68ca5b4edd9a8943b27d1 46052 keystone_27.0.0-3+deb13u1.debian.tar.xz
 e5c3a3c3da63b56f1d5adb9964870de20045b9e1 18345 keystone_27.0.0-3+deb13u1_amd64.buildinfo
Checksums-Sha256:
 c42fea98c4283524840695546e15a0f7b5e18cd1899791658aa8955b98965a56 3486 keystone_27.0.0-3+deb13u1.dsc
 223b27dc676dabd6c9d67e4409fe086f92b5d47bf71ee8c724c3e0d13f26d635 1098444 keystone_27.0.0.orig.tar.xz
 68dc7627f6301469f2bd7b448a614f8cdf72b279873dd1802f13d6f10071052b 46052 keystone_27.0.0-3+deb13u1.debian.tar.xz
 d0d1adfe3e33f42350f3fd31d248ce47d08b21a264742a69956fd648c7983c9c 18345 keystone_27.0.0-3+deb13u1_amd64.buildinfo
Files:
 4ae93baa72760d52a8efd5dbed87366f 3486 net optional keystone_27.0.0-3+deb13u1.dsc
 d8119041a4ba1c4545ab5dabe9ae65b9 1098444 net optional keystone_27.0.0.orig.tar.xz
 6e50154c2164ae3d35d557c3a00bcff4 46052 net optional keystone_27.0.0-3+deb13u1.debian.tar.xz
 3a75ff70dd7ae50ae8417f977da42093 18345 net optional keystone_27.0.0-3+deb13u1_amd64.buildinfo
--- End Message ---
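The advisory and the changelog both state that deployments are affected where /v3/ec2tokens or /v3/s3tokens are reachable by unauthenticated clients. The Python below is an added example, not part of the advisory, of Keystone or of the Debian package: it triages Apache combined-format access logs (a common way to front Keystone) for POSTs to those two endpoints that come from outside an operator-supplied allowlist of service networks, and marks the ones that returned a 2xx, since those are the calls that handed out authorization. The log lines are constructed, the allowlist is an assumption, and the premise that only known service hosts (for example Swift proxies) legitimately call these endpoints is a heuristic each operator has to confirm for their own deployment.

```python
"""Triage access logs for calls to the Keystone ec2tokens/s3tokens endpoints.

Added example; not from the advisory, Keystone or Debian. Assumes Keystone
is served behind httpd writing Apache combined-format access logs and that
the operator knows which networks legitimately call these endpoints.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

# The two endpoints named in OSSA-2025-002.
TOKEN_ENDPOINTS = {"/v3/ec2tokens", "/v3/s3tokens"}

# Constructed sample log lines (Apache combined format); not real traffic.
# 10.0.0.0/8 stands in for the internal service network in this example.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Nov/2025:10:01:02 +0000] "POST /v3/s3tokens HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
203.0.113.7 - - [19/Nov/2025:10:02:15 +0000] "POST /v3/ec2tokens HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.7 - - [19/Nov/2025:10:02:16 +0000] "POST /v3/s3tokens HTTP/1.1" 200 640 "-" "curl/8.5.0"
10.0.0.9 - - [19/Nov/2025:10:03:01 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 3021 "-" "openstacksdk/3.0.0"
198.51.100.4 - - [19/Nov/2025:10:04:44 +0000] "POST /v3/ec2tokens?x=1 HTTP/1.1" 401 114 "-" "curl/8.5.0"
this line is deliberately malformed and must be skipped
"""

_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)


def parse_access_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = _LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Normalise the request path: drop the query string and a trailing slash.
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/")
    rec["status"] = int(rec["status"])
    return rec


def _is_trusted(ip: str, trusted_networks: Iterable[str]) -> bool:
    """True if `ip` falls inside any allowlisted CIDR (operator-supplied)."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # unparseable source: treat as untrusted
    return any(addr in ip_network(net, strict=False) for net in trusted_networks)


def token_endpoint_hits(lines: Iterable[str],
                        trusted_networks: Iterable[str]) -> List[dict]:
    """POSTs to ec2tokens/s3tokens from outside the allowlist, in log order.

    Each hit carries `issued`: True when the status was 2xx, i.e. Keystone
    answered the request rather than rejecting it.
    """
    nets = list(trusted_networks)
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] not in TOKEN_ENDPOINTS or _is_trusted(rec["ip"], nets):
            continue
        rec["issued"] = 200 <= rec["status"] < 300
        hits.append(rec)
    return hits


def summarize(hits: List[dict]) -> Dict[str, Dict[str, int]]:
    """Count hits per source IP and endpoint for a quick review table."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for h in hits:
        counts[h["ip"]][h["path"]] += 1
    return {ip: dict(per_path) for ip, per_path in counts.items()}


if __name__ == "__main__":
    found = token_endpoint_hits(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"])
    for h in found:
        flag = "ANSWERED (2xx)" if h["issued"] else "rejected"
        print(f'{h["ts"]} {h["ip"]:>15} {h["path"]:<14} {h["status"]} {flag}')
    print(summarize(found))
```

Run it against the log window before the patched package was installed: 2xx answers from sources that are not service hosts are the requests to follow up on, while the rejected ones still show who was probing the endpoints. After the fix, requests from unauthenticated clients should fail, so the same scan over post-patch logs is a cheap check that the update actually took effect.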