UbuntuUpdates.org

Package "keystone-doc"

Name: keystone-doc

Description:

OpenStack identity service - Documentation

Latest version: 2:21.0.1-0ubuntu2.4
Release: jammy (22.04)
Level: updates
Repository: main
Head package: keystone
Homepage: https://opendev.org/openstack/keystone

Links


Download "keystone-doc"


Other versions of "keystone-doc" in Jammy

Repository Area Version
base main 2:21.0.0-0ubuntu1
security main 2:21.0.1-0ubuntu2.4

Changelog

Version: 2:21.0.1-0ubuntu2.4 2026-06-16 22:07:25 UTC

  keystone (2:21.0.1-0ubuntu2.4) jammy-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via restricted application
    credentials
    - debian/patches/CVE-2026-33551.patch: Restrict EC2 credential creation
      when called through a restricted application credential.
    - debian/patches/CVE-2026-33551-2.patch: Add tests for restricted app
      cred guard
    - debian/patches/CVE-2026-33551-3.patch: Block restricted app creds
      from creating EC2 credentials via /credentials
    - debian/patches/CVE-2026-33551-4.patch: Block app cred tokens from
      authorizing OAuth1 requests
    - CVE-2026-33551
  * SECURITY UPDATE: authentication bypass via LDAP disabled users
    - debian/patches/CVE-2026-40683.patch: Convert LDAP user enabled
      attribute to boolean regardless of user_enabled_invert setting
    - CVE-2026-40683
  * SECURITY UPDATE: sensitive information exposure
    - d/p/cve-2026-42998-fix-user-impersonation-app-creds.patch: Fix user
      impersonation for application credentials to prevent credential
      leaks.
    - CVE-2026-42998
  * SECURITY UPDATE: RBAC policy injection in JSON requests
    - d/p/cve-2026-42999-prevent-rbac-bypass-json-query.patch: Prevent
      RBAC bypass by sanitizing JSON queries.
    - CVE-2026-42999
  * SECURITY UPDATE: Privilege escalation via impersonation and trusts
    - d/p/cve-2026-43000-forbid-trust-ops-app-creds.patch: Forbid trust
      operations with application credentials.
    - CVE-2026-43000
  * SECURITY UPDATE: EC2 credentials created with incorrect project scoping
    - d/p/cve-2026-43001-enforce-app-cred-ec2-project-boundary.patch:
      Enforce application credential EC2 project boundary.
    - CVE-2026-43001
  * SECURITY UPDATE: Federated users maintain access indefinitely
    - d/p/cve-2026-44394-preserve-expires-at-federated-rescope.patch:
      Preserve the expires_at attribute during federated token rescoping.
    - CVE-2026-44394

 -- Federico Quattrin <email address hidden> Thu, 11 Jun 2026 18:45:03 -0300

Source diff to previous version
CVE-2026-33551 An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create
CVE-2026-40683 In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert
CVE-2026-42998 An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user
CVE-2026-42999 An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON re
CVE-2026-43000 An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker wi
CVE-2026-43001 An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-typ
CVE-2026-44394 An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's

Version: 2:21.0.1-0ubuntu2.2 2026-02-10 09:07:54 UTC

  keystone (2:21.0.1-0ubuntu2.2) jammy; urgency=medium

  * Fix query for all users in a group while using AD nested group searches
    (LP: #2112477)
    - d/p/lp2112477-Fix-AD-nested-groups-issues.patch

 -- Jorge Merlino <email address hidden> Tue, 27 Jan 2026 15:21:22 -0300

Source diff to previous version

Version: 2:21.0.1-0ubuntu2.1 2025-12-12 01:08:24 UTC

  keystone (2:21.0.1-0ubuntu2.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Unauthenticated access to EC2/S3 token endpoints can
    grant Keystone authorization (LP: 2119646)
    - d/p/lp2119646.patch: Add a policy to enforce authentication with a
      user in the service group.
    - d/p/Consistent-and-Secure-RBAC-Phase-1.patch: Update system-scoped
      policies to also accept project-admin tokens.
    - d/p/Fix-policies-for-groups.patch: Fix policies for groups.
    - d/p/Allow-admin-to-access-tokens-and-credentials.patch: Allos users
      with the "admin" role to access /v3/auth/tokens and /v3/credentials.
    - d/p/Dont-enforce-when-HTTP-GET-on-s3tokens-and-ec2tokens.patch:
      Don't enforce when HTTP GET on s3tokens and ec2tokens.
    - CVE-2025-65073

 -- Felipe Reyes <email address hidden> Fri, 07 Nov 2025 16:50:55 +0100

Source diff to previous version
CVE-2025-65073 OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone au

Version: 2:21.0.1-0ubuntu2 2025-11-11 12:07:08 UTC

  keystone (2:21.0.1-0ubuntu2) jammy; urgency=medium

  * d/p/lp2115144-Improve-application-credential-validation-speed.patch:
    Improve application credential validation speed by removing expensive
    duplicate calls and caching results. (LP: #2115144)

 -- Trent Lloyd <email address hidden> Thu, 02 Oct 2025 06:53:22 +0000

Source diff to previous version

Version: 2:21.0.1-0ubuntu1 2023-10-26 21:07:13 UTC

  keystone (2:21.0.1-0ubuntu1) jammy; urgency=medium

  * d/gbp.conf: Create stable/yoga branch.
  * New stable point release for OpenStack Yoga (LP: #2039176).

 -- Corey Bryant <email address hidden> Thu, 12 Oct 2023 09:39:37 -0400




About   -   Send Feedback to @ubuntu_updates