Your message dated Fri, 22 May 2026 22:32:15 +0000
with message-id <[email protected]>
and subject line Bug#1133118: fixed in keystone 2:27.0.0-3+deb13u3
has caused the Debian Bug report #1133118,
regarding keystone: CVE-2026-33551
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1133118: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133118
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: keystone
Version: 2:29.0.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for keystone.

I'm filing this RC to make sure it gets fixed for forky; it is yet unclear
whether it needs a DSA or a point release is enough.

CVE-2026-33551[0]:
| An issue was discovered in OpenStack Keystone 14 through 26 before
| 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application
| credentials can create EC2 credentials. By using a restricted
| application credential to call the EC2 credential creation API, an
| authenticated user with only a reader role may obtain an EC2/S3
| credential that carries the full set of the parent user's S3
| permissions, effectively bypassing the role restrictions imposed on
| the application credential. Only deployments that use restricted
| application credentials in combination with the EC2/S3 compatibility
| API (swift3 / s3api) are affected.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33551
    https://www.cve.org/CVERecord?id=CVE-2026-33551
[1] https://launchpad.net/bugs/2142138
[2] https://www.openwall.com/lists/oss-security/2026/04/07/12

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
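The CVE text above describes a privilege-escalation path through derived credentials: a token obtained from a role-restricted application credential is used to mint an EC2 credential, and the minted credential is bound to the parent user rather than to the restricted token. The following is an added toy model of that path and of the check implied by the upstream patch title quoted later in this thread ("Prevent unauthorized EC2 credential creation and deletion"); it is not Keystone's code, and the names `User`, `Token`, `Ec2Credential`, `issue_ec2_credential_vulnerable`, `issue_ec2_credential_fixed` and `escalation_gained` are invented for the illustration.

```python
"""Toy model of the escalation described in CVE-2026-33551.

Added illustration, not Keystone code. All class and function names are
invented; the sample user and token at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]  # every role the user holds on the project


@dataclass(frozen=True)
class Token:
    user: User
    roles: FrozenSet[str]  # roles effective for *this* token
    # True when the token was issued from an application credential that was
    # created with an explicit, narrower role list than the user holds.
    restricted_app_cred: bool = False


@dataclass(frozen=True)
class Ec2Credential:
    user_id: str
    roles: FrozenSet[str]


def issue_ec2_credential_vulnerable(token: Token) -> Ec2Credential:
    """Vulnerable pattern: the new credential is bound to the user, so anyone
    later presenting it acts with all of the user's roles, not with the subset
    the issuing token was restricted to."""
    return Ec2Credential(token.user.user_id, token.user.roles)


def issue_ec2_credential_fixed(token: Token) -> Optional[Ec2Credential]:
    """Hardened pattern: a restricted application credential must not be able
    to mint a long-lived credential that escapes its own restriction, so the
    request is refused outright (returns None)."""
    if token.restricted_app_cred:
        return None
    return Ec2Credential(token.user.user_id, token.user.roles)


def escalation_gained(token: Token, cred: Ec2Credential) -> FrozenSet[str]:
    """Roles the minted credential carries that the issuing token did not.
    A non-empty result is the bypass the advisory describes."""
    return cred.roles - token.roles


# Constructed sample: a user holding reader+member, and a token derived from an
# application credential that was restricted to reader only.
ALICE = User("alice", frozenset({"reader", "member"}))
READER_APP_CRED_TOKEN = Token(ALICE, frozenset({"reader"}), restricted_app_cred=True)

if __name__ == "__main__":
    leaked = escalation_gained(
        READER_APP_CRED_TOKEN, issue_ec2_credential_vulnerable(READER_APP_CRED_TOKEN)
    )
    print("roles gained through the vulnerable path:", sorted(leaked))
    print("fixed path issues a credential:", issue_ec2_credential_fixed(READER_APP_CRED_TOKEN) is not None)
```

The model deliberately refuses issuance rather than trying to narrow the minted credential's roles: an EC2/S3 credential is consumed by a separate service that only sees the owning user, so the safe enforcement point is at creation time, which is what the patch title indicates.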
--- Begin Message ---
Source: keystone
Source-Version: 2:27.0.0-3+deb13u3
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 10:06:32 +0200
Source: keystone
Architecture: source
Version: 2:27.0.0-3+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1133118 1133884
Changes:
 keystone (2:27.0.0-3+deb13u3) trixie; urgency=medium
 .
   * CVE-2026-40683 / OSSA-2026-007: LDAP identity backend does not convert
     enabled attribute to boolean. When the user_enabled_invert configuration
     option was False (the default), Keystone did not correctly interpret the
     LDAP enabled attribute, causing users disabled in LDAP to be treated as
     enabled and allowed to authenticate. Deployments using the LDAP identity
     backend without user_enabled_invert=True or user_enabled_emulation are
     affected. Applied upstream patch:
     - OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
     (Closes: #1133884).
   * CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
     create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
     credential creation and deletion" (Closes: #1133118).
Checksums-Sha1:
 8443b8b0ab7c09c8b9bb4d9202a17e588facef53 3486 keystone_27.0.0-3+deb13u3.dsc
 896a6f57c727fa62d0aec10d5c8844b40cc42bdb 1098444 keystone_27.0.0.orig.tar.xz
 1044ff9cb15dc3f97f725afe8ce2cccf33bcae36 47748 keystone_27.0.0-3+deb13u3.debian.tar.xz
 34048062648be6d816f7aabd04beec299116142c 18660 keystone_27.0.0-3+deb13u3_amd64.buildinfo
Checksums-Sha256:
 42ef4900b080c94070aa91c2f71a429ceb69bf2ec0ad4b723a2c7d52b2656e54 3486 keystone_27.0.0-3+deb13u3.dsc
 223b27dc676dabd6c9d67e4409fe086f92b5d47bf71ee8c724c3e0d13f26d635 1098444 keystone_27.0.0.orig.tar.xz
 2446c16c806399e0fe546a76b7b866cd52159c7089d252462c6c76b0995b8768 47748 keystone_27.0.0-3+deb13u3.debian.tar.xz
 de9d84d22758e9425da1eb2401539e337198cd0654a5065c1f49c8e155ee2d4e 18660 keystone_27.0.0-3+deb13u3_amd64.buildinfo
Files:
 df674a29ca9c173aa783808af2bf8d3f 3486 net optional keystone_27.0.0-3+deb13u3.dsc
 d8119041a4ba1c4545ab5dabe9ae65b9 1098444 net optional keystone_27.0.0.orig.tar.xz
 2ad9231f4a857a6686e235841a91ed51 47748 net optional keystone_27.0.0-3+deb13u3.debian.tar.xz
 09b6351219b5354fca5cb1f8375b77b1 18660 net optional keystone_27.0.0-3+deb13u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
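The first changelog entry above (CVE-2026-40683) describes a classic type-confusion failure in an identity backend: the LDAP enabled attribute was not converted to a boolean, so a user disabled in LDAP was treated as enabled. The block below is an added illustration of that failure mode and of a parsing routine that handles the attribute forms an LDAP client typically returns (bytes, single-element lists, the `TRUE`/`FALSE` LDAP boolean syntax, and an Active Directory style bitmask). It is not Keystone's code; `enabled_naive`, `enabled_parsed` and `_first_value` are invented names, and although the `invert` and `mask` parameters are named after Keystone's `user_enabled_invert` and `user_enabled_mask` options, their handling here is a simplified assumption, not the driver's actual logic.

```python
"""Added illustration of the CVE-2026-40683 failure mode: LDAP 'enabled'
values arriving as strings or bytes, and Python truthiness used in place
of a real boolean conversion. Not Keystone code; names are invented.
"""
from typing import Any, Optional

# LDAP boolean syntax (RFC 4517) is TRUE/FALSE; a few common variants are
# accepted case-insensitively as an assumption for the illustration.
_TRUE_WORDS = {"true", "t", "yes", "y", "1"}
_FALSE_WORDS = {"false", "f", "no", "n", "0"}


def _first_value(raw: Any) -> Optional[str]:
    """Normalise what an LDAP client hands back (list of bytes, bytes, str)
    into a single text value, or None when the attribute is absent."""
    if isinstance(raw, list):
        raw = raw[0] if raw else None
    if raw is None:
        return None
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    return str(raw)


def enabled_naive(raw: Any, invert: bool = False) -> bool:
    """Vulnerable pattern: the attribute is used without conversion.
    b"FALSE" is a non-empty value, so bool() reports it as enabled."""
    enabled = bool(_first_value(raw))
    return (not enabled) if invert else enabled


def enabled_parsed(raw: Any, invert: bool = False, mask: int = 0,
                   default: bool = False) -> bool:
    """Hardened pattern: parse the LDAP value explicitly.

    mask != 0 selects bitmask mode (e.g. Active Directory userAccountControl,
    where the ACCOUNTDISABLE bit 0x2 being set means *disabled*); otherwise the
    value is read as an LDAP boolean, with `invert` flipping its meaning for
    directories that store a 'disabled' flag instead of 'enabled'.
    Unrecognised values raise rather than silently granting access.
    """
    value = _first_value(raw)
    if value is None:
        return default  # attribute missing: fail closed unless told otherwise
    if mask:
        return (int(value.strip()) & mask) == 0
    text = value.strip().lower()
    if text in _TRUE_WORDS:
        enabled = True
    elif text in _FALSE_WORDS:
        enabled = False
    else:
        raise ValueError(f"unrecognised LDAP boolean value: {value!r}")
    return (not enabled) if invert else enabled


if __name__ == "__main__":
    # Constructed sample values as python-ldap would return them.
    for sample in ([b"TRUE"], [b"FALSE"], None):
        print(sample, "naive:", enabled_naive(sample), "parsed:", enabled_parsed(sample))
```

Two design points worth copying: an absent attribute defaults to disabled (`default=False`) rather than enabled, and any value outside the recognised vocabulary raises instead of being coerced, so a schema surprise cannot turn into an authentication bypass the way an implicit truthiness check can.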
