Format: 1.8
Date: Thu, 30 Oct 2025 09:26:19 +0100
Source: keystone
Binary: keystone keystone-doc python3-keystone
Architecture: all
Version: 2:27.0.0-3+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Thomas Goirand
Description:
 keystone - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python3-keystone - OpenStack identity service - library
Closes: 1120053
Changes:
 keystone (2:27.0.0-3+deb13u1) trixie-security; urgency=high
 .
   * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g.,
     from a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected. Applied upstream patch (Closes: #1120053):
     - keystone-bug-2119646-stable-2025.1.patch