Debian Patches
Status for python-keystonemiddleware/10.12.0-3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| no-intersphinx.patch | No intersphinx. | Thomas Goirand <zigo@debian.org> | not-needed | | | 2017-10-05 |
| CVE-2026-22797-OSSA-2026-001-Fix_privilege_escalation_via_spoofed_identity_headers.patch | CVE-2026-22797: Fix privilege escalation via spoofed identity headers. The external_oauth2_token middleware did not sanitize incoming authentication headers before processing OAuth 2.0 tokens. This allowed an attacker to send forged identity headers (e.g. X-Is-Admin-Project, X-Roles, X-User-Id) that would not be cleared by the middleware, potentially enabling privilege escalation. This fix adds a call to remove_auth_headers() at the start of request processing to sanitize all incoming identity headers, matching the secure behavior of the main auth_token middleware. (Modifies keystonemiddleware/external_oauth2_token.py.) | Grzegorz Grasza <xek@redhat.com> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/keystonemiddleware/+/973495 | 2026-01-15 |
