Package "keystone-doc"
| Name: |
keystone-doc
|
Description: |
OpenStack identity service - Documentation
|
| Latest version: |
2:21.0.1-0ubuntu2.4 |
| Release: |
jammy (22.04) |
| Level: |
updates |
| Repository: |
main |
| Head package: |
keystone |
| Homepage: |
https://opendev.org/openstack/keystone |
Links
Download "keystone-doc"
Other versions of "keystone-doc" in Jammy
Changelog
|
keystone (2:21.0.1-0ubuntu2.4) jammy-security; urgency=medium
* SECURITY UPDATE: privilege escalation via restricted application
credentials
- debian/patches/CVE-2026-33551.patch: Restrict EC2 credential creation
when called through a restricted application credential.
- debian/patches/CVE-2026-33551-2.patch: Add tests for restricted app
cred guard
- debian/patches/CVE-2026-33551-3.patch: Block restricted app creds
from creating EC2 credentials via /credentials
- debian/patches/CVE-2026-33551-4.patch: Block app cred tokens from
authorizing OAuth1 requests
- CVE-2026-33551
* SECURITY UPDATE: authentication bypass via LDAP disabled users
- debian/patches/CVE-2026-40683.patch: Convert LDAP user enabled
attribute to boolean regardless of user_enabled_invert setting
- CVE-2026-40683
* SECURITY UPDATE: sensitive information exposure
- d/p/cve-2026-42998-fix-user-impersonation-app-creds.patch: Fix user
impersonation for application credentials to prevent credential
leaks.
- CVE-2026-42998
* SECURITY UPDATE: RBAC policy injection in JSON requests
- d/p/cve-2026-42999-prevent-rbac-bypass-json-query.patch: Prevent
RBAC bypass by sanitizing JSON queries.
- CVE-2026-42999
* SECURITY UPDATE: Privilege escalation via impersonation and trusts
- d/p/cve-2026-43000-forbid-trust-ops-app-creds.patch: Forbid trust
operations with application credentials.
- CVE-2026-43000
* SECURITY UPDATE: EC2 credentials created with incorrect project scoping
- d/p/cve-2026-43001-enforce-app-cred-ec2-project-boundary.patch:
Enforce application credential EC2 project boundary.
- CVE-2026-43001
* SECURITY UPDATE: Federated users maintain access indefinitely
- d/p/cve-2026-44394-preserve-expires-at-federated-rescope.patch:
Preserve the expires_at attribute during federated token rescoping.
- CVE-2026-44394
-- Federico Quattrin <email address hidden> Thu, 11 Jun 2026 18:45:03 -0300
|
| Source diff to previous version |
| CVE-2026-33551 |
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create |
| CVE-2026-40683 |
In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert |
| CVE-2026-42998 |
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user |
| CVE-2026-42999 |
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON re |
| CVE-2026-43000 |
An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker wi |
| CVE-2026-43001 |
An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-typ |
| CVE-2026-44394 |
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's |
|
|
keystone (2:21.0.1-0ubuntu2.2) jammy; urgency=medium
* Fix query for all users in a group while using AD nested group searches
(LP: #2112477)
- d/p/lp2112477-Fix-AD-nested-groups-issues.patch
-- Jorge Merlino <email address hidden> Tue, 27 Jan 2026 15:21:22 -0300
|
| Source diff to previous version |
|
keystone (2:21.0.1-0ubuntu2.1) jammy-security; urgency=medium
* SECURITY UPDATE: Unauthenticated access to EC2/S3 token endpoints can
grant Keystone authorization (LP: 2119646)
- d/p/lp2119646.patch: Add a policy to enforce authentication with a
user in the service group.
- d/p/Consistent-and-Secure-RBAC-Phase-1.patch: Update system-scoped
policies to also accept project-admin tokens.
- d/p/Fix-policies-for-groups.patch: Fix policies for groups.
- d/p/Allow-admin-to-access-tokens-and-credentials.patch: Allos users
with the "admin" role to access /v3/auth/tokens and /v3/credentials.
- d/p/Dont-enforce-when-HTTP-GET-on-s3tokens-and-ec2tokens.patch:
Don't enforce when HTTP GET on s3tokens and ec2tokens.
- CVE-2025-65073
-- Felipe Reyes <email address hidden> Fri, 07 Nov 2025 16:50:55 +0100
|
| Source diff to previous version |
| CVE-2025-65073 |
OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone au |
|
|
keystone (2:21.0.1-0ubuntu2) jammy; urgency=medium
* d/p/lp2115144-Improve-application-credential-validation-speed.patch:
Improve application credential validation speed by removing expensive
duplicate calls and caching results. (LP: #2115144)
-- Trent Lloyd <email address hidden> Thu, 02 Oct 2025 06:53:22 +0000
|
| Source diff to previous version |
|
keystone (2:21.0.1-0ubuntu1) jammy; urgency=medium
* d/gbp.conf: Create stable/yoga branch.
* New stable point release for OpenStack Yoga (LP: #2039176).
-- Corey Bryant <email address hidden> Thu, 12 Oct 2023 09:39:37 -0400
|
About
-
Send Feedback to @ubuntu_updates