[Bug 2130629] Re: OSSA-2025-002: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization

Edward Hope-Morley 2130629 at bugs.launchpad.net
Mon Nov 17 10:28:22 UTC 2025


Verified Jammy Caracal UCA:

# apt-cache policy keystone-common
keystone-common:
  Installed: 2:25.0.0-0ubuntu1.1~cloud0
  Candidate: 2:25.0.0-0ubuntu1.1~cloud0
  Version table:
 *** 2:25.0.0-0ubuntu1.1~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu jammy-proposed/caracal/main amd64 Packages
        100 /var/lib/dpkg/status
     2:21.0.1-0ubuntu2 500
        500 http://availability-zone-1.clouds.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
     2:21.0.0-0ubuntu1 500
        500 http://availability-zone-1.clouds.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

======
Totals
======
Ran: 482 tests in 4292.1640 sec.
 - Passed: 405
 - Skipped: 73
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 4
Sum of execute time for each test: 5245.0840 sec.

The four test failures are not related to this patch:

{1} setUpClass (octavia_tempest_plugin.tests.scenario.v2.test_traffic_ops.TrafficOperationsScenarioTest) [0.000000s] ... FAILED
{1} heat_tempest_plugin.tests.api.test_heat_api.resources_delete_stack_with_resources.test_request [0.169135s] ... FAILED
{1} heat_tempest_plugin.tests.api.test_heat_api.stacks_delete_stack.test_request [4.317548s] ... FAILED
{0} heat_tempest_plugin.tests.api.test_heat_api.environments_delete_envstack.test_request [0.052737s] ... FAILED

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/2130629

Title:
  OSSA-2025-002: Unauthenticated access to EC2/S3 token endpoints can
  grant Keystone authorization

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive caracal series:
  New
Status in Ubuntu Cloud Archive epoxy series:
  New
Status in Ubuntu Cloud Archive flamingo series:
  New
Status in Ubuntu Cloud Archive yoga series:
  New
Status in keystone package in Ubuntu:
  Fix Released

Bug description:
  This is a placeholder bug for the Nov 2025 Keystone security issue as
  there is no CVE assigned to it yet.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2130629/+subscriptions



