- Package: src:keystone
- Source: src:keystone
- Submitter: Salvatore Bonaccorso
- Date: 2026-05-22 22:35:03 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for keystone. I'm filing this RC to make sure it gets fixed for forky, yet unclear if it needs a DSA or point release is enough.

CVE-2026-33551[0]:
| An issue was discovered in OpenStack Keystone 14 through 26 before
| 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application
| credentials can create EC2 credentials. By using a restricted
| application credential to call the EC2 credential creation API, an
| authenticated user with only a reader role may obtain an EC2/S3
| credential that carries the full set of the parent user's S3
| permissions, effectively bypassing the role restrictions imposed on
| the application credential. Only deployments that use restricted
| application credentials in combination with the EC2/S3 compatibility
| API (swift3 / s3api) are affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33551
    https://www.cve.org/CVERecord?id=CVE-2026-33551
[1] https://launchpad.net/bugs/2142138
[2] https://www.openwall.com/lists/oss-security/2026/04/07/12

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
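A model of the authorization gap the CVE text describes, added here as an illustration and not Keystone's code: the token and credential dictionaries are constructed, and the field names (roles, application_credential, restricted) are assumptions that only mirror what the advisory mentions.

```python
# Model of the authorization gap in CVE-2026-33551 (illustration only, not
# Keystone's code). Field names such as "restricted" mirror the token payload
# the advisory talks about; all data below is constructed.

class Forbidden(Exception):
    """Raised when a request fails authorization."""

# Constructed identity store: alice holds full object-store (S3) rights.
USERS = {"alice": {"roles": {"admin", "member", "reader"}}}

# Constructed token obtained with a *restricted* application credential that
# alice created with only the reader role.
APP_CRED_TOKEN = {
    "user_id": "alice",
    "roles": {"reader"},
    "application_credential": {"id": "ac-1", "restricted": True},
}


def create_ec2_credential(token, enforce_app_cred_restriction):
    """Issue an EC2/S3 credential for the token's user.

    Before the fix only the role check ran, which a reader-scoped token passes.
    The fix adds a second check: tokens issued from a restricted application
    credential may not create (or delete) EC2 credentials.
    """
    if not token["roles"]:
        raise Forbidden("token carries no role")
    app_cred = token.get("application_credential")
    if enforce_app_cred_restriction and app_cred and app_cred["restricted"]:
        raise Forbidden("restricted application credentials cannot manage EC2 credentials")
    # An EC2 credential is bound to the user, not to the issuing token, so
    # S3 requests signed with it act with the user's complete role set.
    return {"user_id": token["user_id"], "access": "constructed-access-key"}


def effective_roles(ec2_cred):
    """Roles an S3 request authenticated with this EC2 credential would hold."""
    return USERS[ec2_cred["user_id"]]["roles"]


def creation_allowed(token, enforce_app_cred_restriction):
    """True if create_ec2_credential succeeds for this token."""
    try:
        create_ec2_credential(token, enforce_app_cred_restriction)
        return True
    except Forbidden:
        return False
```

The reader-scoped token passes the role check, yet the credential it mints resolves to alice's full role set; the added check is what closes that gap.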
Hello,

Bug #1133118 in keystone reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/8921e4232f6a17f3155e9a00ccc1b31c36a30b70

------------------------------------------------------------------------
* CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
  create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
  credential creation and deletion" (Closes: #1133118).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1133118

Hello,

Bug #1133118 in keystone reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/1daa11efbbd32130e6f0093679e140dd32ef73b2

------------------------------------------------------------------------
* CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
  create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
  credential creation and deletion" (Closes: #1133118).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1133118

Hello,

Bug #1133118 in keystone reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/f6ec5cdcb1a25392b3a0a7fa0197e82037f92054

------------------------------------------------------------------------
* CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
  create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
  credential creation and deletion" (Closes: #1133118).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1133118
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1133118@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 10 Apr 2026 13:33:06 +0200
Source: keystone
Architecture: source
Version: 2:29.0.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1133118
Changes:
keystone (2:29.0.0-2) unstable; urgency=high
.
* CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
credential creation and deletion" (Closes: #1133118).
Checksums-Sha1:
a64e3669733c5f0ec35ecf775112588a5bd18293 3458 keystone_29.0.0-2.dsc
644aae0f55e9d51e0134ab4f21c0f78931bcd9e1 45428 keystone_29.0.0-2.debian.tar.xz
8b2da22529eb329b1f1b6f161e71cd6650f589eb 17374 keystone_29.0.0-2_amd64.buildinfo
Checksums-Sha256:
9a7bdbf48c2ef520f5a74a20180dc039c159ab01e399d76a7ef162226b1b5184 3458 keystone_29.0.0-2.dsc
c49f9326b07bb47f27745ec9459fa0a673ac2c9225ef4a9402f181cc8ebd01f4 45428 keystone_29.0.0-2.debian.tar.xz
e6ab15fc78f148c30e4ab5838d3b6150a5f5c96181fb8207c19cdbb1d9bec129 17374 keystone_29.0.0-2_amd64.buildinfo
Files:
f43fd7eed121bdceeec640971d7921d9 3458 net optional keystone_29.0.0-2.dsc
a7dd0af39c3efe1a8c970dc065b72529 45428 net optional keystone_29.0.0-2.debian.tar.xz
7592e40a645a47a5be6566b44d3ecd4c 17374 net optional keystone_29.0.0-2_amd64.buildinfo
We believe that the bug you reported is fixed in the latest version of
qpid-proton, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1133118@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated qpid-proton package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 14 Apr 2026 10:48:33 +0200
Source: qpid-proton
Architecture: source
Version: 0.37.0-8
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1133118
Changes:
qpid-proton (0.37.0-8) unstable; urgency=medium
.
* Add export DEB_CXXFLAGS_MAINT_APPEND = -Wno-error=unused-but-set-variable
fixing FTBFS with GCC 16 (Closes: #1133118).
Checksums-Sha1:
236893f6dff33b4e04c71d12636bef9bb7c59ed1 2795 qpid-proton_0.37.0-8.dsc
4673bb8551b18c08f7699bd10dad8bdc057b97b3 9504 qpid-proton_0.37.0-8.debian.tar.xz
1fa7629e28c51335c9985959603dc03de83ded6b 12858 qpid-proton_0.37.0-8_amd64.buildinfo
Checksums-Sha256:
f9630b18973858e4bbc9c05bb090a6e8fc5a0ac1da6fe0b4eb2ea420199e2ba5 2795 qpid-proton_0.37.0-8.dsc
f02b9b2bd7e18995498664b5a67dec5c8f36765b77cc23311b178278248ec152 9504 qpid-proton_0.37.0-8.debian.tar.xz
f1d6b6320137aa386abb2bf87dd339ef3d995c4f86a0a8858a0eb1a94fe029b1 12858 qpid-proton_0.37.0-8_amd64.buildinfo
Files:
0bd153359740aeb3644dd78b2b519e48 2795 libs optional qpid-proton_0.37.0-8.dsc
25a41011c967fdc0ea6e2c347de06e22 9504 libs optional qpid-proton_0.37.0-8.debian.tar.xz
ca4f351cd7901b05141ef7663b4fdd59 12858 libs optional qpid-proton_0.37.0-8_amd64.buildinfo
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1133118@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 15 Apr 2026 10:06:32 +0200
Source: keystone
Architecture: source
Version: 2:27.0.0-3+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1133118 1133884
Changes:
keystone (2:27.0.0-3+deb13u3) trixie; urgency=medium
.
* CVE-2026-40683 / OSSA-2026-007: LDAP identity backend does not convert
enabled attribute to boolean. When the user_enabled_invert configuration
option was False (the default), Keystone did not correctly interpret the
LDAP enabled attribute, causing users disabled in LDAP to be treated as
enabled and allowed to authenticate. Deployments using the LDAP identity
backend without user_enabled_invert=True or user_enabled_emulation are
affected. Applied upstream patch:
- OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
(Closes: #1133884).
* CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
credential creation and deletion" (Closes: #1133118).
Checksums-Sha1:
8443b8b0ab7c09c8b9bb4d9202a17e588facef53 3486 keystone_27.0.0-3+deb13u3.dsc
896a6f57c727fa62d0aec10d5c8844b40cc42bdb 1098444 keystone_27.0.0.orig.tar.xz
1044ff9cb15dc3f97f725afe8ce2cccf33bcae36 47748 keystone_27.0.0-3+deb13u3.debian.tar.xz
34048062648be6d816f7aabd04beec299116142c 18660 keystone_27.0.0-3+deb13u3_amd64.buildinfo
Checksums-Sha256:
42ef4900b080c94070aa91c2f71a429ceb69bf2ec0ad4b723a2c7d52b2656e54 3486 keystone_27.0.0-3+deb13u3.dsc
223b27dc676dabd6c9d67e4409fe086f92b5d47bf71ee8c724c3e0d13f26d635 1098444 keystone_27.0.0.orig.tar.xz
2446c16c806399e0fe546a76b7b866cd52159c7089d252462c6c76b0995b8768 47748 keystone_27.0.0-3+deb13u3.debian.tar.xz
de9d84d22758e9425da1eb2401539e337198cd0654a5065c1f49c8e155ee2d4e 18660 keystone_27.0.0-3+deb13u3_amd64.buildinfo
Files:
df674a29ca9c173aa783808af2bf8d3f 3486 net optional keystone_27.0.0-3+deb13u3.dsc
d8119041a4ba1c4545ab5dabe9ae65b9 1098444 net optional keystone_27.0.0.orig.tar.xz
2ad9231f4a857a6686e235841a91ed51 47748 net optional keystone_27.0.0-3+deb13u3.debian.tar.xz
09b6351219b5354fca5cb1f8375b77b1 18660 net optional keystone_27.0.0-3+deb13u3_amd64.buildinfo
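A model of the enabled-attribute handling behind the CVE-2026-40683 changelog entry above, added here as an illustration and not Keystone's code or the upstream patch: the option names mirror Keystone's [ldap] options (user_enabled_invert, user_enabled_mask, user_enabled_default), but the exact shape of the defective and corrected paths is an assumption drawn from the entry's description.

```python
# Illustrative model (not Keystone's code) of how an LDAP identity backend
# turns the raw "enabled" attribute into a boolean. Assumption: LDAP hands the
# attribute back as a string such as "TRUE", "FALSE" or "514".

def _to_bool(value):
    """Convert an LDAP attribute value ('TRUE', 'false', '1', 0, ...) to bool."""
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value != 0
    text = str(value).strip().lower()
    if text in ("true", "t", "yes", "y", "1"):
        return True
    if text in ("false", "f", "no", "n", "0"):
        return False
    raise ValueError(f"cannot interpret enabled attribute value {value!r}")


def enabled_before_fix(raw, invert=False, default=True):
    """Defective shape: only the inverted path converts; the default path
    hands back the raw string, and a non-empty string such as 'FALSE' is truthy."""
    if raw is None:
        return default
    return (not _to_bool(raw)) if invert else raw


def enabled_after_fix(raw, invert=False, mask=0, default=True):
    """Hardened shape: every path yields a real bool."""
    if raw is None:
        return default                      # attribute absent: user_enabled_default
    if mask:
        # Bitmask mode (e.g. AD userAccountControl with mask 2 = ACCOUNTDISABLE):
        # the user is enabled only when none of the masked bits is set.
        return (int(raw) & mask) == 0
    enabled = _to_bool(raw)
    return (not enabled) if invert else enabled
```

A disabled LDAP user (`enabled = "FALSE"`) passes the defective check and is rejected by the corrected one; the bitmask and default branches are included so the same function covers the other documented [ldap] modes.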
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1133118@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 15 Apr 2026 11:10:59 +0200
Source: keystone
Architecture: source
Version: 2:22.0.2-0+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1133118 1133884
Changes:
keystone (2:22.0.2-0+deb12u2) bookworm; urgency=medium
.
* CVE-2026-40683 / OSSA-2026-007: LDAP identity backend does not convert
enabled attribute to boolean. When the user_enabled_invert configuration
option was False (the default), Keystone did not correctly interpret the
LDAP enabled attribute, causing users disabled in LDAP to be treated as
enabled and allowed to authenticate. Deployments using the LDAP identity
backend without user_enabled_invert=True or user_enabled_emulation are
affected. Applied upstream patch:
- OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
(Closes: #1133884).
* CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
credential creation and deletion" (Closes: #1133118).
Checksums-Sha1:
1c798ca017c1ee38fefed2f982e2a1bd37e4c491 3565 keystone_22.0.2-0+deb12u2.dsc
0082bb40f85f63bd5bf7d67aa7d0089a229090a3 1055220 keystone_22.0.2.orig.tar.xz
83c5402d17c3ce8dbed715c7c3aaec1cf609709d 56164 keystone_22.0.2-0+deb12u2.debian.tar.xz
8eae4333f11a57a333d0e5fd06ca86a21a68e4e5 18263 keystone_22.0.2-0+deb12u2_amd64.buildinfo
Checksums-Sha256:
4d6459de73736f0a67423e7c1d9b8ed103b69dffc409fba418cecb8204458cca 3565 keystone_22.0.2-0+deb12u2.dsc
a30c128c86b0d53be1998fb9babd49956d74fd9130ff198dddd9f24c01b0c22f 1055220 keystone_22.0.2.orig.tar.xz
67429da1f1d5fde7c4ecd1fa988200bd9212e8ccf041db5d8d40bcdf70c7fa13 56164 keystone_22.0.2-0+deb12u2.debian.tar.xz
3d1a3dba21506bba13f0ffd8459fd0f5e6bf52ec90e649cc232528f32303abf3 18263 keystone_22.0.2-0+deb12u2_amd64.buildinfo
Files:
2cfd8d5afa9af8ddbb4ef53d7d41bc65 3565 net optional keystone_22.0.2-0+deb12u2.dsc
60a14722d5ffdf9c7893a4568f3e25a9 1055220 net optional keystone_22.0.2.orig.tar.xz
d1fe72b921519ff09216c7b492c40cba 56164 net optional keystone_22.0.2-0+deb12u2.debian.tar.xz
192503c46fe115cb78ddc57fe14391ee 18263 net optional keystone_22.0.2-0+deb12u2_amd64.buildinfo