-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 May 2026 16:50:52 +0200
Source: keystone
Binary: keystone keystone-doc python3-keystone
Architecture: all
Version: 2:22.0.2-0+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03) <buildd_amd64-x86-grnet-03@buildd.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python3-keystone - OpenStack identity service - library
Closes: 1135645
Changes:
 keystone (2:22.0.2-0+deb12u3) bookworm-security; urgency=medium
 .
   * Multiple vulnerabilities in Keystone's delegated authentication allow an
     authenticated user to escalate privileges to cloud admin. The most severe
     (CVE-2026-42999) requires only a valid token:
     - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
       request body, bypassing authorization on any policy-protected  endpoint.
       Allows reading all credential secrets, creating credentials for arbitrary
       users, and granting admin across domains. (LP#2148398, reported by Boris
       Bobrov, SAP SE).
     - CVE-2026-42998: Application credential authentication does not verify the
       caller owns the credential, allowing user impersonation within a shared
       project. (LP#2148477, reported by Boris Bobrov, SAP SE).
     -  CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
        with trusts to escalate from member to admin. The resulting trust
        persists independently of the original credential. (LP#2148477, reported
        by Boris Bobrov, SAP SE)
     -  CVE-2026-43001: Application credentials scoped to one project can create
        EC2 credentials for a different project. A fix for the creation-time
        path is already merged; this patch extends the check to the auth-time
        path. (LP#2149775, reported by Tim Shepherd, roiai.ca)
     -  CVE-2026-44394: Federated users can maintain access indefinitely by
        repeatedly rescoping tokens before expiry. Each rescope issues a fresh
        full-TTL token instead of inheriting the original expiry. Only
        SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
        Institute of Computing Technology, Chinese Academy of Sciences).
     .
     The patch also addresses three related issues found during investigation:
     trust-scoped tokens accessing credentials outside the delegated project
     (LP#2149789), trust-scoped tokens creating persistent application
     credentials for impersonated users (LP#2150089), and a latent query-string
     parameter injection in policy enforcement and lack of scope boundary
     enforcement in the delegated token logic (LP#2150089). These were reported
     by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
     .
     Applied the proposed upstream patches:
     - 0001-Add-tests-for-restricted-app-cred-guard.patch
     - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
     - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
     - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
     - CVE-2026-43001-keystone-backport-stable-2025.1.patch
     .
     Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
     trust policy structure. If this policy is customized by the provider,
     failure to update it may result in issues with image upload, heat service
     functionality and potentially more.
   * Note that all the above CVE are combined into this one: CVE-2026-43001.
     (Closes: #1135645).
Checksums-Sha1:
 2e0b5b3acb9b73b0aa90e89bfdf68298fd1e7fb0 2195280 keystone-doc_22.0.2-0+deb12u3_all.deb
 4ed90aa78103b413e11e7fb4c9a0c59dd59626d4 17622 keystone_22.0.2-0+deb12u3_all-buildd.buildinfo
 4f02ad1fa03ef13f63ef315df0faae9368c1bf17 72912 keystone_22.0.2-0+deb12u3_all.deb
 e3e5ed991fe99b52ea4052c2194f4e10617811d5 707952 python3-keystone_22.0.2-0+deb12u3_all.deb
Checksums-Sha256:
 df289f498178002ef7b14ff748ba6370e817593ad9199d6bf20f48d29598c9b2 2195280 keystone-doc_22.0.2-0+deb12u3_all.deb
 7882c1ec67e65e13c09505afbe69ec59e3aa12f4b242082625b5a0b39607fc56 17622 keystone_22.0.2-0+deb12u3_all-buildd.buildinfo
 f043e783606b21c491835f6f56fc67a380e85a714b9ec27ccf55142fa688c6f2 72912 keystone_22.0.2-0+deb12u3_all.deb
 3aa2381a7d49a7e8f296b9bcd8f5e3a74105c5aef126b84c9d7bd36b3a6a7326 707952 python3-keystone_22.0.2-0+deb12u3_all.deb
Files:
 a082f8b9a2806ede75c10befdc806552 2195280 doc optional keystone-doc_22.0.2-0+deb12u3_all.deb
 cb09fd5a2e99ed10e5099fcbfca4893e 17622 net optional keystone_22.0.2-0+deb12u3_all-buildd.buildinfo
 3e3c7948a60bbc6e49fa2ed404ff7f72 72912 net optional keystone_22.0.2-0+deb12u3_all.deb
 52d6aa4ed945c5a5182a76611c888029 707952 python optional python3-keystone_22.0.2-0+deb12u3_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5ZI1lXv5WjhHIVjsN8Ugyu9dQiQFAmom2EoACgkQN8Ugyu9d
QiTuUg/9H1gn/cENm9VweqSCI67AQwnmqI8pRiMrGd2kxE2Lir5CygQZ9cPk/9Ap
d1MFqQgectHRbzCLBkokqZUpTXLRDGlLPUvGoGXsFp8JGRT6WWK4xzJp+jMUvT3j
EzdgBjR0OX5Nzrgv+HMT0WkjooEoaDr7DVJ+4QGx2gc8rFqbNRj8Eum5AVefUxtD
eSyo1YN2wyTuEj+vKsZX9jTkAueD1+2lkayt/SYePtKaOgpLSSMeYBMcsq+SNoZp
Mn4l5hZ3okWpkW17r1wlFHjO/sIgQjkt2VaIbqd5YqZB9IYQsjQxbfvFJrfnKAu2
HYX2wI3Ujl6UxsIj5ahWAas14t0w/kMHm8em2Dv/NK/ILPUAEmbkb/I8HfdyF5nF
RIlkpLU7IN/+KBZbGTFfeCUFYJyo/N4HbgMXvHljKHLrQBuYKpshoZjuj6tkzsdM
mVj1vaqIbDiOtmXdhczAD739Ffcow1rReWqx4ZBmIk4hUg3wd1yZl34xqlu7zrCQ
UxuN/Tw8oyMaXzHQNwDUD0/PNotH0cpJw//78/emMZ0UdMKq19LUuc3P3iej+N1I
TCBsa1ljJ3rAfBn5GhMN5mOwf3qGkg35m6jEPMBvlJJ4XZotWRMbDWWLl9H5PAfL
4sJfvvRH/aY7xHMsRxByIqYT006tza5q/iOT+YoicGtUsLiamC8=
=Furi
-----END PGP SIGNATURE-----
