-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Nov 2025 09:19:08 +0100
Source: keystone
Binary: keystone keystone-doc python3-keystone
Architecture: all
Version: 2:22.0.2-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Thomas Goirand
Description:
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python3-keystone - OpenStack identity service - library
Changes:
 keystone (2:22.0.2-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream release.
   * Blacklist failing SAMLGenerationTests test:
     - test_sign_assertion_logs_message_if_xmlsec1_is_not_installed
   * Add xmlsec1 as build-depends.
   * kay reported a vulnerability in Keystone’s ec2tokens and s3tokens APIs. By
     sending those endpoints a valid AWS Signature (e.g., from a presigned S3
     URL), an unauthenticated attacker may obtain Keystone authorization
     (ec2tokens can yield a fully scoped token; s3tokens can reveal scope
     accepted by some services), resulting in unauthorized access and privilege
     escalation. Deployments where /v3/ec2tokens or /v3/s3tokens are reachable
     by unauthenticated clients (e.g., exposed on a public API) are affected.
     Applied upstream patch (Closes: #XXXXXXX):
     - Consistent_and_Secure_RBAC_Phase_1.patch
     - Fix_policies_for_groups.patch
     - Allow_admin_to_access_tokens_and_credentials.patch
     - Dont_enforce_when_HTTP_GET_on_s3tokens_and_ec2tokens.patch
     - keystone-bug-2119646-stable-2024.1.patch (backported by me)
Checksums-Sha1:
 e8bc57a5d71b3e8398889bf572fc59e726707a72 2188400 keystone-doc_22.0.2-0+deb12u1_all.deb
 1e998f67b3578c96cfdd00d3f0886199795c34db 17565 keystone_22.0.2-0+deb12u1_all-buildd.buildinfo
 fb67063106a951c1ec1923c767c869e847ce918d 70756 keystone_22.0.2-0+deb12u1_all.deb
 9db3c0ca273f021fc9f1262ee7e7247b5e329a7a 699112 python3-keystone_22.0.2-0+deb12u1_all.deb
Checksums-Sha256:
 0fd5ce3264569bf25e38b70b41a36dc209167d67131944afa68c5f9acdd36062 2188400 keystone-doc_22.0.2-0+deb12u1_all.deb
 696a8a12510bdc2c796469b8be0c5da60049e012296c0bf815ec529b9d7296a3 17565 keystone_22.0.2-0+deb12u1_all-buildd.buildinfo
 91fee846bda10171e7365a9371d8ee09f6af54a38ceae1c75b197375f891d9f5 70756 keystone_22.0.2-0+deb12u1_all.deb
 a937bcb68771df59a52d9d5cb849ecdf1fdf8919d000840b88ebebb03c398fac 699112 python3-keystone_22.0.2-0+deb12u1_all.deb
Files:
 de85e6c183135fcde48a3b2ac2729477 2188400 doc optional keystone-doc_22.0.2-0+deb12u1_all.deb
 21ca148db2e5d3dd54ecfaef07fcddd5 17565 net optional keystone_22.0.2-0+deb12u1_all-buildd.buildinfo
 07954d1d25bd1ced8e2f84768bacc6cc 70756 net optional keystone_22.0.2-0+deb12u1_all.deb
 d72f77659ab2790b6ddd3d4bbb1d6fed 699112 python optional python3-keystone_22.0.2-0+deb12u1_all.deb