-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Nov 2025 09:19:08 +0100
Source: keystone
Architecture: source
Version: 2:22.0.2-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenStack
Changed-By: Thomas Goirand
Changes:
 keystone (2:22.0.2-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream release.
   * Blacklist failing SAMLGenerationTests test:
     - test_sign_assertion_logs_message_if_xmlsec1_is_not_installed
   * Add xmlsec1 as build-depends.
   * kay reported a vulnerability in Keystone’s ec2tokens and s3tokens APIs.
     By sending those endpoints a valid AWS Signature (e.g., from a presigned
     S3 URL), an unauthenticated attacker may obtain Keystone authorization
     (ec2tokens can yield a fully scoped token; s3tokens can reveal scope
     accepted by some services), resulting in unauthorized access and
     privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected.
     Applied upstream patch (Closes: #XXXXXXX):
     - Consistent_and_Secure_RBAC_Phase_1.patch
     - Fix_policies_for_groups.patch
     - Allow_admin_to_access_tokens_and_credentials.patch
     - Dont_enforce_when_HTTP_GET_on_s3tokens_and_ec2tokens.patch
     - keystone-bug-2119646-stable-2024.1.patch (backported by me)
Checksums-Sha1:
 0dbf43f96b99cdd729e97afd68868860ec77754f 3565 keystone_22.0.2-0+deb12u1.dsc
 0082bb40f85f63bd5bf7d67aa7d0089a229090a3 1055220 keystone_22.0.2.orig.tar.xz
 d1538763ff5ea660da9d4afd3ae6f27f380da681 54560 keystone_22.0.2-0+deb12u1.debian.tar.xz
 2644bbfe991b6500984748d962a87ccd1c48f919 18206 keystone_22.0.2-0+deb12u1_amd64.buildinfo
Checksums-Sha256:
 c4ffe21c1893f16a6027b1cc0de4f59f38716380c09445966157a98071afd812 3565 keystone_22.0.2-0+deb12u1.dsc
 a30c128c86b0d53be1998fb9babd49956d74fd9130ff198dddd9f24c01b0c22f 1055220 keystone_22.0.2.orig.tar.xz
 121449386907f98af2357341b5e190529e92f2465e4a79f2600ff57ea8ed65d7 54560 keystone_22.0.2-0+deb12u1.debian.tar.xz
 21a37894ce7ac3645e0981630bbded230a1830c285a86af5af7031af03a3dc70 18206 keystone_22.0.2-0+deb12u1_amd64.buildinfo
Files:
 a92dc26e6e4040c70affd18da3a7a9b7 3565 net optional keystone_22.0.2-0+deb12u1.dsc
 60a14722d5ffdf9c7893a4568f3e25a9 1055220 net optional keystone_22.0.2.orig.tar.xz
 cfc06833ba07339f3eb95fe981f29b57 54560 net optional keystone_22.0.2-0+deb12u1.debian.tar.xz
 c3bfb0f0c57b3858d8c30423d5774701 18206 net optional keystone_22.0.2-0+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmkS9QYACgkQ1BatFaxr
Q/6GlQ//UZnV3t/fH0rUHRk8TdzTd4Kr94KS0r0gGNrwuFk6sgfgEdOPiSkKv+Ee
oR2XpZojjeCi1k5zgKARsmfWBXEnw2HuNUEch5IDM0kpr73QAJDSfXpQrdUwcclI
Gg6wZuEhf8/DEvHRKeAjrkrikrqS4pUSN9o0ICd1tR1oDmKjypWheJTLHvhZQ3jF
FBAB8gsQPnQDwL7UwRRPdJi5gcks0DxtjUeAgsIrie4EX9ioMGGS3ny6KUDIFwuw
043v12IM+ENZv3FCeiFUCukiH/fveXn6cn4UPhQvNpW+B+BvuXcJCiRhe27iMrYB
daUWjbUiev6bwNIc1HPI7HyDRuk9Z2Xg054H1VJLL2oZgzXeVk+1qJ3Y2QxHYtcJ
Nk4PK4W1cRiDsOeERq5zEro9ejVXRhV7DHX5RqTrezJ2KdA2fqWa7cdkhuomRKku
cwy9aF+GXCVyKS/8IM8iWl/P+o+MJGWodB4XCQZVn5HPn845U3c5GpJYiFLoWAa5
S6i4HkO9GHlBFBl5tT/+7nCnld36Hsie/dtvxmYkbW03AdIiqzA99xKGXzkRfqkf
88p1qGmnRJaQvZiaDs3g4a/1Z3/UJPRrc8y+IdoHErHAhKt+W0eM5H6t6TVKChW6
+LB9bbSNiFcuG1ad3uFtYE+BydD/K9Zm3EPOIY0pXXq9l1yf3dM=
=55Ep
-----END PGP SIGNATURE-----
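The .changes file above carries the SHA-256 digests and sizes of the source artifacts it describes. As an added example, not part of this .changes file, of Debian's packaging tools or of the keystone package, the following Python checker parses the Checksums-Sha256 field (the block is copied from the file above) and verifies local files by size and SHA-256, refusing filenames that look like paths so a crafted entry cannot read outside the directory. The read_file callback, the read_from_dir helper and the hello.txt / empty.txt samples used in testing are constructed for illustration. Check the OpenPGP signature on the .changes file first (gpg --verify, or dscverify from devscripts): the checksums are only as trustworthy as the signature over them, and the MD5 digests in the Files: field are ignored on purpose.

```python
"""Verify the files listed in a Debian .changes Checksums-Sha256 field.

Added example; not the Debian tooling and not part of the keystone package.
Verify the OpenPGP signature on the .changes file before trusting these
digests: a checksum list is only meaningful once the signature over it is.
"""
import hashlib
import os
import sys
from typing import Callable, Dict, List, NamedTuple, Optional

# Checksums-Sha256 field copied from the keystone 2:22.0.2-0+deb12u1 .changes
# file above. The following Files: line (MD5) is present only to show that
# the parser stops at the next field; MD5 is deliberately not used.
CHANGES_EXCERPT = """\
Checksums-Sha256:
 c4ffe21c1893f16a6027b1cc0de4f59f38716380c09445966157a98071afd812 3565 keystone_22.0.2-0+deb12u1.dsc
 a30c128c86b0d53be1998fb9babd49956d74fd9130ff198dddd9f24c01b0c22f 1055220 keystone_22.0.2.orig.tar.xz
 121449386907f98af2357341b5e190529e92f2465e4a79f2600ff57ea8ed65d7 54560 keystone_22.0.2-0+deb12u1.debian.tar.xz
 21a37894ce7ac3645e0981630bbded230a1830c285a86af5af7031af03a3dc70 18206 keystone_22.0.2-0+deb12u1_amd64.buildinfo
Files:
 a92dc26e6e4040c70affd18da3a7a9b7 3565 net optional keystone_22.0.2-0+deb12u1.dsc
"""


class Entry(NamedTuple):
    sha256: str
    size: int
    name: str


def parse_checksums_sha256(changes_text: str) -> List[Entry]:
    """Extract (sha256, size, filename) triples from the Checksums-Sha256 field.

    deb822 layout: the field-name line, then continuation lines that begin
    with a single space; the first line without that leading space ends it.
    """
    entries: List[Entry] = []
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if not in_field:
            continue
        if not line.startswith(" "):
            break  # next field (Files:, Checksums-Sha1:, ...)
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed Checksums-Sha256 line: {line!r}")
        digest, size, name = parts
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad sha256 for {name}: {digest}")
        # A .changes file must only name plain files beside it; anything
        # path-like would let a forged entry point the verifier elsewhere.
        if "/" in name or name in ("", ".", ".."):
            raise ValueError(f"refusing path-like filename: {name!r}")
        entries.append(Entry(digest, int(size), name))
    return entries


def verify(entries: List[Entry],
           read_file: Callable[[str], Optional[bytes]]) -> Dict[str, str]:
    """Map each listed filename to ok / missing / size mismatch / sha256 mismatch.

    read_file returns the file's bytes, or None when it does not exist; the
    size is checked first because it is the cheaper test and a wrong size
    already rules the artifact out.
    """
    results: Dict[str, str] = {}
    for e in entries:
        data = read_file(e.name)
        if data is None:
            results[e.name] = "missing"
        elif len(data) != e.size:
            results[e.name] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != e.sha256:
            results[e.name] = "sha256 mismatch"
        else:
            results[e.name] = "ok"
    return results


def read_from_dir(directory: str) -> Callable[[str], Optional[bytes]]:
    """Reader that resolves listed names against one directory only."""
    def reader(name: str) -> Optional[bytes]:
        try:
            with open(os.path.join(directory, name), "rb") as f:
                return f.read()
        except FileNotFoundError:
            return None
    return reader


if __name__ == "__main__":
    # Usage: python verify_changes.py keystone_22.0.2-0+deb12u1_amd64.changes
    # (hypothetical filename). Without an argument, the embedded excerpt is
    # checked against the current directory.
    changes_path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(changes_path, encoding="utf-8").read() if changes_path else CHANGES_EXCERPT
    directory = os.path.dirname(os.path.abspath(changes_path)) if changes_path else "."
    results = verify(parse_checksums_sha256(text), read_from_dir(directory))
    for name, status in results.items():
        print(f"{status:16} {name}")
    sys.exit(0 if all(s == "ok" for s in results.values()) else 1)
```

The exit status is non-zero unless every listed file is present with the right size and digest, so the script can gate a build or mirror step. It reads whole files into memory, which is fine at the sizes listed here; for large orig tarballs, feed hashlib in chunks instead.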