UbuntuUpdates.org

Package "keystone"

Name: keystone

Description:

OpenStack identity service - Daemons

Latest version: 2:29.0.0-0ubuntu1.2
Release: resolute (26.04)
Level: security
Repository: main
Homepage: https://opendev.org/openstack/keystone

Other versions of "keystone" in Resolute

Repository  Area  Version
base        main  2:29.0.0-0ubuntu1
updates     main  2:29.0.0-0ubuntu1.2


Changelog

Version: 2:29.0.0-0ubuntu1.2 2026-06-16 20:07:45 UTC

  keystone (2:29.0.0-0ubuntu1.2) resolute-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via restricted application
    credentials
    - debian/patches/CVE-2026-33551.patch: Restrict EC2 credential creation
      when called through a restricted application credential.
    - debian/patches/CVE-2026-33551-2.patch: Add tests for restricted app
      cred guard
    - debian/patches/CVE-2026-33551-3.patch: Block restricted app creds
      from creating EC2 credentials via /credentials
    - debian/patches/CVE-2026-33551-4.patch: Block app cred tokens from
      authorizing OAuth1 requests
    - CVE-2026-33551
  * SECURITY UPDATE: sensitive information exposure
    - d/p/cve-2026-42998-fix-user-impersonation-app-creds.patch: Fix user
      impersonation for application credentials to prevent credential
      leaks.
    - CVE-2026-42998
  * SECURITY UPDATE: RBAC policy injection in JSON requests
    - d/p/cve-2026-42999-prevent-rbac-policy-bypass.patch: Prevent
      RBAC bypass by sanitizing JSON queries.
    - CVE-2026-42999
  * SECURITY UPDATE: Privilege escalation via impersonation and trusts
    - d/p/cve-2026-43000-forbid-trust-ops-app-creds.patch: Forbid trust
      operations with application credentials.
    - CVE-2026-43000
  * SECURITY UPDATE: EC2 credentials created with incorrect project scoping
    - d/p/cve-2026-43001-ec2-app-cred-project-boundary.patch: Enforce
      application credential EC2 project boundary.
    - CVE-2026-43001
  * SECURITY UPDATE: Federated users maintain access indefinitely
    - d/p/cve-2026-44394-preserve-expires-at-federated-tokens.patch:
      Preserve the expires_at attribute during federated token rescoping.
    - CVE-2026-44394

 -- Federico Quattrin <email address hidden> Thu, 11 Jun 2026 18:52:50 -0300

CVE-2026-33551 An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create
CVE-2026-42998 An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user
CVE-2026-42999 An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON re
CVE-2026-43000 An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker wi
CVE-2026-43001 An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-typ
CVE-2026-44394 An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's