From: ftpmaster@ftp-master.debian.org   
      
   -----BEGIN PGP SIGNED MESSAGE-----   
   Hash: SHA512   
      
   Format: 1.8   
   Date: Thu, 30 Oct 2025 09:26:19 +0100   
   Source: keystone   
   Architecture: source   
   Version: 2:27.0.0-3+deb13u1   
   Distribution: trixie-security   
   Urgency: high   
   Maintainer: Debian OpenStack    
   Changed-By: Thomas Goirand    
   Closes: 1120053   
   Changes:   
    keystone (2:27.0.0-3+deb13u1) trixie-security; urgency=high   
    .   
    * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and   
    s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
    a presigned S3 URL), an unauthenticated attacker may obtain Keystone
    authorization (ec2tokens can yield a fully scoped token; s3tokens can   
    reveal scope accepted by some services), resulting in unauthorized access   
    and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens   
    are reachable by unauthenticated clients (e.g., exposed on a public API)   
    are affected.   
    Applied upstream patch (Closes: #1120053):   
    - keystone-bug-2119646-stable-2025.1.patch   
      