-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 May 2026 16:50:52 +0200
Source: keystone
Binary: keystone keystone-doc python3-keystone
Architecture: all
Version: 2:22.0.2-0+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03)
Changed-By: Thomas Goirand
Description:
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python3-keystone - OpenStack identity service - library
Closes: 1135645
Changes:
 keystone (2:22.0.2-0+deb12u3) bookworm-security; urgency=medium
 .
   * Multiple vulnerabilities in Keystone's delegated authentication allow
     an authenticated user to escalate privileges to cloud admin. The most
     severe (CVE-2026-42999) requires only a valid token:
     - CVE-2026-42999: An attacker can inject RBAC policy targets via the
       JSON request body, bypassing authorization on any policy-protected
       endpoint. Allows reading all credential secrets, creating credentials
       for arbitrary users, and granting admin across domains.
       (LP#2148398, reported by Boris Bobrov, SAP SE).
     - CVE-2026-42998: Application credential authentication does not verify
       the caller owns the credential, allowing user impersonation within a
       shared project. (LP#2148477, reported by Boris Bobrov, SAP SE).
     - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
       with trusts to escalate from member to admin. The resulting trust
       persists independently of the original credential.
       (LP#2148477, reported by Boris Bobrov, SAP SE).
     - CVE-2026-43001: Application credentials scoped to one project can
       create EC2 credentials for a different project. A fix for the
       creation-time path is already merged; this patch extends the check to
       the auth-time path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
     - CVE-2026-44394: Federated users can maintain access indefinitely by
       repeatedly rescoping tokens before expiry. Each rescope issues a fresh
       full-TTL token instead of inheriting the original expiry. Only
       SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
       Institute of Computing Technology, Chinese Academy of Sciences).
 .
     The patch also addresses three related issues found during
     investigation: trust-scoped tokens accessing credentials outside the
     delegated project (LP#2149789), trust-scoped tokens creating persistent
     application credentials for impersonated users (LP#2150089), and a
     latent query-string parameter injection in policy enforcement and lack
     of scope boundary enforcement in the delegated token logic (LP#2150089).
     These were reported by Tim Shepherd (roiai.ca) and Artem Goncharov
     (SysEleven GmbH).
 .
     Applied the proposed upstream patches:
     - 0001-Add-tests-for-restricted-app-cred-guard.patch
     - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
     - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
     - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
     - CVE-2026-43001-keystone-backport-stable-2025.1.patch
 .
     Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies
     the trust policy structure. If this policy is customized by the
     provider, failure to update it may result in issues with image upload,
     heat service functionality and potentially more.
   * Note that all the above CVEs are combined into this one:
     CVE-2026-43001. (Closes: #1135645).
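The policy-target injection class described under CVE-2026-42999, as an added illustrative model (not Keystone's or oslo.policy's code; the policy rule, credential store and user names are constructed): a weak target builder merges client-supplied body attributes into the enforcement target, while the hardened builder derives the target only from the stored resource addressed by the URL path.

```python
# Added example: illustrative model of RBAC target construction, not Keystone's code.
# Policy targets must be built from the stored resource identified by the URL path,
# never merged from the JSON request body (the defect class behind CVE-2026-42999).

# Constructed policy: the credential's owner or an admin may read it.
POLICY = {
    "identity:get_credential": "user_id:%(target.credential.user_id)s or role:admin",
}

# Constructed credential store: credential id -> stored attributes.
CREDENTIALS = {
    "cred-1": {"user_id": "alice", "project_id": "proj-a"},
}


def _check(rule: str, target: dict, creds: dict) -> bool:
    """Minimal evaluator for 'key:value or key:value' rules (simplified oslo.policy style)."""
    for clause in rule.split(" or "):
        key, _, pattern = clause.partition(":")
        want = pattern % target  # expands %(target.credential.user_id)s from the target
        if key == "role":
            if want in creds.get("roles", []):
                return True
        elif creds.get(key) == want:
            return True
    return False


def build_target_vulnerable(cred_id: str, body: dict) -> dict:
    """Weak: attributes from the client-supplied body override the stored resource."""
    merged = {**CREDENTIALS[cred_id], **body.get("credential", {})}
    return {f"target.credential.{k}": v for k, v in merged.items()}


def build_target_hardened(cred_id: str, body: dict) -> dict:
    """Hardened: the target comes only from the stored resource; the body is ignored."""
    return {f"target.credential.{k}": v for k, v in CREDENTIALS[cred_id].items()}


def authorize(builder, cred_id: str, body: dict, creds: dict) -> bool:
    """Enforce the get_credential rule for caller `creds` using the given target builder."""
    if cred_id not in CREDENTIALS:
        return False  # unknown resource: deny rather than enforce against an empty target
    return _check(POLICY["identity:get_credential"], builder(cred_id, body), creds)
```

With the hardened builder a non-owner cannot satisfy the ownership clause by naming themselves in the request body; only the stored owner or an admin role passes.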