-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 30 Oct 2025 09:26:19 +0100
Source: keystone
Architecture: source
Version: 2:27.0.0-3+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1120053
Changes:
 keystone (2:27.0.0-3+deb13u1) trixie-security; urgency=high
 .
   * OSSA-2025-002: kay reported a vulnerability in Keystone's ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
     a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected.
     Applied upstream patch (Closes: #1120053):
     - keystone-bug-2119646-stable-2025.1.patch
Checksums-Sha1:
4152c8282356f474ffcf900f849ea23ebd38f44e 3486 keystone_27.0.0-3+deb13u1.dsc
896a6f57c727fa62d0aec10d5c8844b40cc42bdb 1098444 keystone_27.0.0.orig.tar.xz
d88698d69d47dae18ba68ca5b4edd9a8943b27d1 46052 keystone_27.0.0-3+deb13u1.debian.tar.xz
e5c3a3c3da63b56f1d5adb9964870de20045b9e1 18345 keystone_27.0.0-3+deb13u1_amd64.buildinfo
Checksums-Sha256:
c42fea98c4283524840695546e15a0f7b5e18cd1899791658aa8955b98965a56 3486 keystone_27.0.0-3+deb13u1.dsc
223b27dc676dabd6c9d67e4409fe086f92b5d47bf71ee8c724c3e0d13f26d635 1098444 keystone_27.0.0.orig.tar.xz
68dc7627f6301469f2bd7b448a614f8cdf72b279873dd1802f13d6f10071052b 46052 keystone_27.0.0-3+deb13u1.debian.tar.xz
d0d1adfe3e33f42350f3fd31d248ce47d08b21a264742a69956fd648c7983c9c 18345 keystone_27.0.0-3+deb13u1_amd64.buildinfo
Files:
4ae93baa72760d52a8efd5dbed87366f 3486 net optional keystone_27.0.0-3+deb13u1.dsc
d8119041a4ba1c4545ab5dabe9ae65b9 1098444 net optional keystone_27.0.0.orig.tar.xz
6e50154c2164ae3d35d557c3a00bcff4 46052 net optional keystone_27.0.0-3+deb13u1.debian.tar.xz
3a75ff70dd7ae50ae8417f977da42093 18345 net optional keystone_27.0.0-3+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmkS70EACgkQ1BatFaxr
Q/7hSQ//a8nmddmIid1G4wkB9DGe3aMe0Gt8kXE+PoE/2LKEYYnkeduuLgCA6Bzh
ISX5oD7311Kl6vCoT9Qxu7nB6RAZdUao+lOdJIz9X9cp8+bg8C1M2zJkn6E3E3Z8
zhjdC+nJfh9M8nKZTHNP7CFMhbKRYFITu2dLhHu4o3xpviWclgg4GmS5jTelxb3F
6juLKmD+BUy8CuXEhNJVniOge0VPIKrV+3rjTiTcvRcPic+/8sapAMrCwT3ng4fY
hGGM7Pf58xOSeEkLSE+gaMAyfxZXEQ7UPUZ+tjBdrP23ac6KLObongE5cDBFLRSa
1wQ3IOEDGN9FJ7nK8K1dJquN+FJDUq/I69p56fhh2U/v8s6jLjl34G278AovPIiZ
SlFB11Iv5czER6Ee0UqpiE4SK+HF/0x0cTa6Nu8j3AAxgHTIcwmGbC5i1L/Dc8Vy
5hGAnljndg0XaA6gtybOf4p5rVG1OY4xCu86L7hZYJ3mfyk/T8ZUkite7i8BFjLM
e1Gnljd4IfZ+N0B1GCO77oBKIXVKGwBJT0QOXBcxi4E5wR0gXgwI8cHdil+lb2es
k38sBmAXl7IP1QZkdtXxEAeF80mDeKTFV9hElpYhr85ANl5VD1SgX1ItH3wi3OpM
Z+C13xKmqzDD700qo1ZXzR3A+RrYuzNoUmnlg8DO25ovMVe8u+c=
=kUrX
-----END PGP SIGNATURE-----