On 11/4/25 4:00 PM, Jeremy Stanley wrote:
=========================================================================
OSSA-2025-002: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization
=========================================================================

:Date: November 04, 2025
:CVE: PENDING

Affects
~~~~~~~
- Keystone: <26.0.1, ==27.0.0, ==28.0.0

FYI, while I have pushed fixes for Keystone, Swift and heat, from Victoria to Flamingo, in osbpo.debian.net, the updates in Debian proper (i.e. stable and old-stable, aka Bookworm and Trixie) are pending a reply from the Debian security team, and may take longer.

In the meantime (until I can push the fixed packages in Debian official), Debian users are advised to use the fixed packages in the unofficial osbpo.debian.net repositories.

Cheers,

Thomas Goirand (zigo)