Your message dated Fri, 22 May 2026 22:33:29 +0000
with message-id <[email protected]>
and subject line Bug#1133118: fixed in keystone 2:22.0.2-0+deb12u2
has caused the Debian Bug report #1133118,
regarding keystone: CVE-2026-33551
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1133118: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133118
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: keystone
Version: 2:29.0.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for keystone.
I'm filling this RC to make sure it get fixed for forky, yet unclear
if it needs a DSA or point release is enough.
CVE-2026-33551[0]:
| An issue was discovered in OpenStack Keystone 14 through 26 before
| 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application
| credentials can create EC2 credentials. By using a restricted
| application credential to call the EC2 credential creation API, an
| authenticated user with only a reader role may obtain an EC2/S3
| credential that carries the full set of the parent user's S3
| permissions, effectively bypassing the role restrictions imposed on
| the application credential. Only deployments that use restricted
| application credentials in combination with the EC2/S3 compatibility
| API (swift3 / s3api) are affected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33551
https://www.cve.org/CVERecord?id=CVE-2026-33551
[1] https://launchpad.net/bugs/2142138
[2] https://www.openwall.com/lists/oss-security/2026/04/07/12
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: keystone
Source-Version: 2:22.0.2-0+deb12u2
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated keystone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 15 Apr 2026 11:10:59 +0200
Source: keystone
Architecture: source
Version: 2:22.0.2-0+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1133118 1133884
Changes:
keystone (2:22.0.2-0+deb12u2) bookworm; urgency=medium
.
* CVE-2026-40683 / OSSA-2026-007: LDAP identity backend does not convert
enabled attribute to boolean. When the user_enabled_invert configuration
option was False (the default), Keystone did not correctly interpret the
LDAP enabled attribute, causing users disabled in LDAP to be treated as
enabled and allowed to authenticate. Deployments using the LDAP identity
backend without user_enabled_invert=True or user_enabled_emulation are
affected. Applied upstream patch:
- OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
(Closes: #1133884).
* CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
credential creation and deletion" (Closes: #1133118).
Checksums-Sha1:
1c798ca017c1ee38fefed2f982e2a1bd37e4c491 3565 keystone_22.0.2-0+deb12u2.dsc
0082bb40f85f63bd5bf7d67aa7d0089a229090a3 1055220 keystone_22.0.2.orig.tar.xz
83c5402d17c3ce8dbed715c7c3aaec1cf609709d 56164
keystone_22.0.2-0+deb12u2.debian.tar.xz
8eae4333f11a57a333d0e5fd06ca86a21a68e4e5 18263
keystone_22.0.2-0+deb12u2_amd64.buildinfo
Checksums-Sha256:
4d6459de73736f0a67423e7c1d9b8ed103b69dffc409fba418cecb8204458cca 3565
keystone_22.0.2-0+deb12u2.dsc
a30c128c86b0d53be1998fb9babd49956d74fd9130ff198dddd9f24c01b0c22f 1055220
keystone_22.0.2.orig.tar.xz
67429da1f1d5fde7c4ecd1fa988200bd9212e8ccf041db5d8d40bcdf70c7fa13 56164
keystone_22.0.2-0+deb12u2.debian.tar.xz
3d1a3dba21506bba13f0ffd8459fd0f5e6bf52ec90e649cc232528f32303abf3 18263
keystone_22.0.2-0+deb12u2_amd64.buildinfo
Files:
2cfd8d5afa9af8ddbb4ef53d7d41bc65 3565 net optional
keystone_22.0.2-0+deb12u2.dsc
60a14722d5ffdf9c7893a4568f3e25a9 1055220 net optional
keystone_22.0.2.orig.tar.xz
d1fe72b921519ff09216c7b492c40cba 56164 net optional
keystone_22.0.2-0+deb12u2.debian.tar.xz
192503c46fe115cb78ddc57fe14391ee 18263 net optional
keystone_22.0.2-0+deb12u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmoMDnQACgkQ1BatFaxr
Q/7CRQ/8CgUVeVy/CjL+sc3CVacIh/e8wH7pXF3m/K3pQUdQy/2AgNeWeak+F8Gu
/n2+Ns7Yw6eqGsqnKzVGW1XcevmK4Dk8In0YSm69uZItbTWFuYsfansKpzohERsJ
Q3G09KG6Cp7MhGcotfHKUO3TWEZyxiN/d2KPYoTldX9zxDXFt6QW9NswCVUibhPN
ZocUpnzFkceZb5kEri2J3BYK2FDjBJkA5jyGfZWv6LTA7MGcQbOlIXWRDYRkQtKF
XZOyCSVo7doZcf/zwf/5/Bcl13tcxKZsaKowuMmveEEvTODtms1wP/m1bbTR2SzN
WvVFOit2Ut1xUBiEd7mLSK0JS+j0xlTtdIlrGWXMoQLs/AuZJnSyXXkzOX+tZijF
od5rcYboxWi+8uYbGGY1QI5vxjasx4Z3cuk8U+uzo7DCWPDdt0lfbBzyFW+dmH7P
8mHhT/81cHPpCeb9DmtU7HiK7HeGnV8p6Nbvs1FgbK2kxeYA/3tG5OL58A4lMsyi
aLU5AP8+gp0trPNwynboelUnewRD0pK+4tCN07YE1zxb/o+hraTMMH746z7+U53i
yPmVMwWgH0qjMqD52zdHPOrMAJGdVfK0qytg7Tcj2vpVOjWdeoAvlGwODLm3ONgX
EIRjuG7pdWK247u2oHKBdwOgVDThJIJNQp3d2aMSa5BNkEWxFYM=
=amVA
-----END PGP SIGNATURE-----
pgp2jTbU1Q5dN.pgp
Description: PGP signature
--- End Message ---
