Package "keystone-common"

| Field | Value |
| --- | --- |
| Name | keystone-common |
| Description | OpenStack identity service - Common files |
| Latest version | 2:28.0.0-0ubuntu1.3 |
| Release | questing (25.10) |
| Level | updates |
| Repository | main |
| Head package | keystone |
| Homepage | https://opendev.org/openstack/keystone |
Changelog
keystone (2:28.0.0-0ubuntu1.3) questing-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via restricted application credentials
    - debian/patches/CVE-2026-33551.patch: Restrict EC2 credential creation when called through a restricted application credential.
    - debian/patches/CVE-2026-33551-2.patch: Add tests for restricted app cred guard
    - debian/patches/CVE-2026-33551-3.patch: Block restricted app creds from creating EC2 credentials via /credentials
    - debian/patches/CVE-2026-33551-4.patch: Block app cred tokens from authorizing OAuth1 requests
    - CVE-2026-33551
  * SECURITY UPDATE: authentication bypass via LDAP disabled users
    - debian/patches/CVE-2026-40683.patch: Convert LDAP user enabled attribute to boolean regardless of user_enabled_invert setting
    - CVE-2026-40683
  * SECURITY UPDATE: sensitive information exposure
    - d/p/cve-2026-42998-fix-user-impersonation-app-creds.patch: Fix user impersonation for application credentials to prevent credential leaks.
    - CVE-2026-42998
  * SECURITY UPDATE: RBAC policy injection in JSON requests
    - d/p/cve-2026-42999-prevent-rbac-policy-bypass.patch: Prevent RBAC bypass by sanitizing JSON queries.
    - CVE-2026-42999
  * SECURITY UPDATE: Privilege escalation via impersonation and trusts
    - d/p/cve-2026-43000-forbid-trust-ops-app-creds.patch: Forbid trust operations with application credentials.
    - CVE-2026-43000
  * SECURITY UPDATE: EC2 credentials created with incorrect project scoping
    - d/p/cve-2026-43001-ec2-app-cred-project-boundary.patch: Enforce application credential EC2 project boundary.
    - d/p/lp2149789-lp2150089-enforce-delegation-project-boundary.patch: Delegation project boundary enforcement
    - CVE-2026-43001
  * SECURITY UPDATE: Federated users maintain access indefinitely
    - d/p/cve-2026-44394-preserve-expires-at-federated-tokens.patch: Preserve the expires_at attribute during federated token rescoping.
    - CVE-2026-44394

 -- Federico Quattrin <email address hidden>  Thu, 11 Jun 2026 18:50:20 -0300
CVEs addressed by this version:

- CVE-2026-33551: An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create
- CVE-2026-40683: In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert
- CVE-2026-42998: An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user
- CVE-2026-42999: An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON re
- CVE-2026-43000: An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker wi
- CVE-2026-43001: An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-typ
- CVE-2026-44394: An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's
keystone (2:28.0.0-0ubuntu1.1) questing-security; urgency=medium

  * SECURITY UPDATE: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (LP: 2119646)
    - d/p/lp2119646.patch: Add a policy to enforce authentication with a user in the service group.
    - CVE number pending

 -- Felipe Reyes <email address hidden>  Sun, 02 Nov 2025 23:42:15 +0100