-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 May 2026 16:50:52 +0200
Source: keystone
Architecture: source
Version: 2:22.0.2-0+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135645
Changes:
 keystone (2:22.0.2-0+deb12u3) bookworm-security; urgency=medium
 .
   * Multiple vulnerabilities in Keystone's delegated authentication allow an
     authenticated user to escalate privileges to cloud admin. The most severe
     (CVE-2026-42999) requires only a valid token:
     - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
       request body, bypassing authorization on any policy-protected endpoint.
       Allows reading all credential secrets, creating credentials for arbitrary
       users, and granting admin across domains. (LP#2148398, reported by Boris
       Bobrov, SAP SE).
     - CVE-2026-42998: Application credential authentication does not verify the
       caller owns the credential, allowing user impersonation within a shared
       project. (LP#2148477, reported by Boris Bobrov, SAP SE).
     - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
       with trusts to escalate from member to admin. The resulting trust
       persists independently of the original credential. (LP#2148477, reported
       by Boris Bobrov, SAP SE).
     - CVE-2026-43001: Application credentials scoped to one project can create
       EC2 credentials for a different project. A fix for the creation-time
       path is already merged; this patch extends the check to the auth-time
       path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
     - CVE-2026-44394: Federated users can maintain access indefinitely by
       repeatedly rescoping tokens before expiry. Each rescope issues a fresh
       full-TTL token instead of inheriting the original expiry. Only
       SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
       Institute of Computing Technology, Chinese Academy of Sciences).
     .
     The patch also addresses three related issues found during investigation:
     trust-scoped tokens accessing credentials outside the delegated project
     (LP#2149789), trust-scoped tokens creating persistent application
     credentials for impersonated users (LP#2150089), and a latent query-string
     parameter injection in policy enforcement and lack of scope boundary
     enforcement in the delegated token logic (LP#2150089). These were reported
     by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
     .
     Applied the proposed upstream patches:
     - 0001-Add-tests-for-restricted-app-cred-guard.patch
     - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
     - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
     - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
     - CVE-2026-43001-keystone-backport-stable-2025.1.patch
     .
     Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
     trust policy structure. If this policy is customized by the provider,
     failure to update it may result in issues with image upload, heat service
     functionality and potentially more.
   * Note that all the above CVEs are combined into this one: CVE-2026-43001.
     (Closes: #1135645).
Checksums-Sha1:
 b2f4ab17e9ee5999d646f92918a2e43f040c64f8 3565 keystone_22.0.2-0+deb12u3.dsc
 0082bb40f85f63bd5bf7d67aa7d0089a229090a3 1055220 keystone_22.0.2.orig.tar.xz
 b97036089fd62033040d6f82ec86d0a5e3b490d2 74204 keystone_22.0.2-0+deb12u3.debian.tar.xz
 4cdcfda16964416ac9642700aa487baed7501987 18263 keystone_22.0.2-0+deb12u3_amd64.buildinfo
Checksums-Sha256:
 8f4f5c84f82e03bf4675ee00e0803f19105440a869453df4b75008cb56bac3f9 3565 keystone_22.0.2-0+deb12u3.dsc
 a30c128c86b0d53be1998fb9babd49956d74fd9130ff198dddd9f24c01b0c22f 1055220 keystone_22.0.2.orig.tar.xz
 ddff9b9b1e0212d4d329b6f31af4eeb1f50fe6a2111f7d7fb72fc4c8eac4fcd2 74204 keystone_22.0.2-0+deb12u3.debian.tar.xz
 7d31671dc3329779b6db7e1a0ed8a0943657354367f7d0b011f732df8d8a3b67 18263 keystone_22.0.2-0+deb12u3_amd64.buildinfo
Files:
 0d2090e1a819ab2bb590cfffa5db591f 3565 net optional keystone_22.0.2-0+deb12u3.dsc
 60a14722d5ffdf9c7893a4568f3e25a9 1055220 net optional keystone_22.0.2.orig.tar.xz
 d2cbc249f0459cfcdb9358d902f1ada6 74204 net optional keystone_22.0.2-0+deb12u3.debian.tar.xz
 7a4fac3445be53c120f73488fc74b681 18263 net optional keystone_22.0.2-0+deb12u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
