Format: 1.8
Date: Wed, 15 Apr 2026 11:10:59 +0200
Source: keystone
Architecture: source
Version: 2:22.0.2-0+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenStack
Changed-By: Thomas Goirand
Closes: 1133118 1133884
Changes:
 keystone (2:22.0.2-0+deb12u2) bookworm; urgency=medium
 .
   * CVE-2026-40683 / OSSA-2026-007: LDAP identity backend does not convert
     enabled attribute to boolean. When the user_enabled_invert configuration
     option was False (the default), Keystone did not correctly interpret the
     LDAP enabled attribute, causing users disabled in LDAP to be treated as
     enabled and allowed to authenticate. Deployments using the LDAP identity
     backend without user_enabled_invert=True or user_enabled_emulation are
     affected. Applied upstream patch:
     - OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
     (Closes: #1133884).
   * CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
     create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
     credential creation and deletion" (Closes: #1133118).