Debian Patches

Status for keystone/2:22.0.2-0+deb12u2

Columns: Patch, Description, Author, Forwarded, Bugs, Origin, Last update

Patch: fixes-keystone-default-catalog.patch
Description: Fix default keystone catalog
    Fix default catalog so that it matches the region name which is set by
    default by debconf in all of the Openstack Debian packages.

    diff --git a/etc/default_catalog.templates b/etc/default_catalog.templates
    index e885b52..936be8b 100644
Author: Thomas Goirand <zigo@debian.org>
Forwarded: no
Last update: 2016-03-03

Patch: install-missing-files.patch
Description: install missing files
Author: Thomas Goirand <zigo@debian.org>
Forwarded: not-needed
Last update: 2019-08-18

Patch: Consistent_and_Secure_RBAC_Phase_1.patch
Description: Consistent and Secure RBAC (Phase 1)
    This patch updates system-scoped policies to also accept project-admin
    tokens so that operators can continue to use the "admin" role to access
    system level APIs.

    The protection test job is marked non-voting since tempest does not yet
    expect these policy changes. A follow-up patch will make it voting
    again after the test changes have merged into tempest.

    [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1

    (cherry picked from commit f2f1a5c38847ddc5aa28eec9722885d9c64c6e7b)
    (cherry picked from commit 991662c666b6dcb410a622c9ec32e18a094757b2)
Author: Douglas Mendizábal <dmendiza@redhat.com>
Forwarded: no
Last update: 2023-12-05

Patch: Fix_policies_for_groups.patch
Description: Fix policies for groups
    This patch fixes a couple of broken policies in the groups resource.

    diff --git a/keystone/common/policies/group.py b/keystone/common/policies/group.py
    index 024ee65..8c8293c 100644
Author: Douglas Mendizábal <dmendiza@redhat.com>
Forwarded: no
Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/906892
Last update: 2025-10-30

Patch: Allow_admin_to_access_tokens_and_credentials.patch
Description: Allow admin to access tokens and credentials
    This patch modifies a few policies to allow users with the "admin" role
    to access /v3/auth/tokens and /v3/credentials. These policies were
    missed when we implemented Phase 1 of Secure RBAC.

    (cherry picked from commit b31007e1b2ecbea5e1268d3e28d6230d0f5d09b2)
    (cherry picked from commit 0dcc423a2621943ab9188cff3edb9bc488339fe0)
    (cherry picked from commit 570c19e91bc3212f748221bdab5f2976f479fa13)
Author: Douglas Mendizábal <dmendiza@redhat.com>
Forwarded: no
Last update: 2024-03-27

Patch: Dont_enforce_when_HTTP_GET_on_s3tokens_and_ec2tokens.patch
Description: Don't enforce when HTTP GET on s3tokens and ec2tokens
    When calling the s3tokens or ec2tokens API with a
    HTTP GET we should get a 405 Method Not Allowed but
    we get a 500 Internal Server Error because we enforce
    that method.

    diff --git a/keystone/api/_shared/EC2_S3_Resource.py b/keystone/api/_shared/EC2_S3_Resource.py
    index ff94286..7b2fc21 100644
Author: Tobias Urdin <tobias.urdin@binero.se>
Forwarded: yes
Bugs: upstream
Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/908760
Last update: 2025-10-30

Patch: keystone-bug-2119646-stable-2024.1.patch
Description: Add service user authentication to ec2 and s3 endpoints
    Add a policy to enforce authentication with a user in the service
    group. This maintains AWS compatibility with the added security
    layer.

    (cherry picked from commit 69d299eab04a1e1bab25eb89e0fdf7f0106b8ee5)
Author: Grzegorz Grasza <xek@redhat.com>
Forwarded: no
Last update: 2025-09-19

Patch: CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
Description: CVE-2026-33551 / OSSA-2026-005: Prevent unauthorized EC2 credential creation and deletion
    A restricted application credential could be used to create EC2
    credentials granting full user access to S3, bypassing the role
    restriction. Add the same _check_unrestricted_application_credential
    guard that already protects application credential create/delete
    endpoints.

    Additionally, tighten the ec2_create_credential and ec2_delete_credential
    policies to require at least member role, as these are write operations
    that should not be accessible to reader-role users regardless of whether
    they are using an application credential.
Author: Grzegorz Grasza <xek@redhat.com>
Forwarded: yes
Bugs: debian, upstream
Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/983597
Last update: 2026-04-10

Patch: CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
Description: CVE-2026-40683 / OSSA-2026-007: fix ldap 'enabled' setting not interpreted as boolean
    Interpretation of the ldap enabled attribute as boolean
    is only done if enabled_invert setting is set to true.

    Conflicts:
        keystone/identity/backends/ldap/core.py

    NOTE(elod.illes): conflict is due to Blakify patch [1] that was added
    in 2024.2 Dalmatian release.

    [1] I832ec4c152fa58fb0088d9f880add86a20ec95fc
Author: Benedikt Trefzer <benedikt.trefzer@cirrax.com>
Forwarded: yes
Bugs: debian, upstream
Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/984587
Last update: 2026-04-15
