Debian alert DLA-4611-1 (keystone)
| From: | Santiago Ruano Rincón <santiagorr@riseup.net> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 4611-1] keystone security update | |
| Date: | Sun, 31 May 2026 23:36:35 -0300 | |
| Message-ID: | <ahzwM03n3hlmsIVS@voleno> |
------------------------------------------------------------------------- Debian LTS Advisory DLA-4611-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Santiago Ruano Rincón May 31, 2026 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : keystone Version : 2:18.1.0-1+deb11u3 CVE ID : CVE-2026-33551 CVE-2026-40683 CVE-2026-42998 CVE-2026-42999 CVE-2026-43000 CVE-2026-43001 CVE-2026-44394 Debian Bug : 1133118 1133884 1135645 Multiple vulnerabilities have been found in Keystone, the OpenStack identity service, including privilege escalation and authorization and access control flaws. CVE-2026-33551 An authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3/s3api) are affected. Reported by Maxence Bornecque, from Orange Cyberdefense CERT Vulnerability Intelligence Watch Team. CVE-2026-40683 LDAP identity backend does not convert enabled attribute to boolean. When the user_enabled_invert configuration option was False (the default), Keystone did not correctly interpret the LDAP enabled attribute, causing users disabled in LDAP to be treated as enabled and allowed to authenticate. Deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected. Independently reported by Benedikt Trefzer and Andrew Bogott. CVE-2026-42998 Application credential authentication does not verify the caller owns the credential, allowing user impersonation within a shared project. Reported by Boris Bobrov, from SAP SE. CVE-2026-42999 An attacker can inject RBAC policy targets via the JSON request body, bypassing authorization on any policy-protected endpoint. Allows reading all credential secrets, creating credentials for arbitrary users, and granting admin across domains. Reported by Boris Bobrov, from SAP SE. CVE-2026-43000 The impersonation from CVE-2026-42998 can be chained with trusts to escalate from member to admin. The resulting trust persists independently of the original credential. Reported by Boris Bobrov, from SAP SE. CVE-2026-43001 Application credentials scoped to one project can create EC2 credentials for a different project. Reported by Tim Shepherd, roiai.ca. CVE-2026-44394 Federated users can maintain access indefinitely by repeatedly re-scoping tokens before expiry. Each re-scope issues a fresh full-TTL token instead of inheriting the original expiry. Only SAML2/OIDC deployments are affected. Reported by Erichen, Institute of Computing Technology, Chinese Academy of Sciences. For Debian 11 bullseye, these problems have been fixed in version 2:18.1.0-1+deb11u3. We recommend that you upgrade your keystone packages. For the detailed security status of keystone please refer to its security tracker page at: https://security-tracker.debian.org/tracker/keystone Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQR+lHTq7mkJOyB6t2Un3j1FEEiG7wUCahzwMAAKCRAn3j1FEEiG 71r0AP9b9ujyou2ZzzaaIvsFSv9sYSUOrHS520FPqi2jEXqnfQD+LJUSalumutZu k6utNEtKCUd3hDBLgZ5+vl6j+e5KUAI= =Pj6g -----END PGP SIGNATURE-----