Format: 1.8
Date: Wed, 15 Apr 2026 10:06:32 +0200
Source: keystone
Architecture: source
Version: 2:27.0.0-3+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack
Changed-By: Thomas Goirand
Closes: 1133118 1133884
Changes:
 keystone (2:27.0.0-3+deb13u3) trixie; urgency=medium
 .
   * CVE-2026-40683 / OSSA-2026-007: LDAP identity backend does not convert
     enabled attribute to boolean. When the user_enabled_invert configuration
     option was False (the default), Keystone did not correctly interpret the
     LDAP enabled attribute, causing users disabled in LDAP to be treated as
     enabled and allowed to authenticate. Deployments using the LDAP identity
     backend without user_enabled_invert=True or user_enabled_emulation are
     affected. Applied upstream patch:
     - OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
     (Closes: #1133884).
   * CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
     create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
     credential creation and deletion" (Closes: #1133118).