CVE-2021-3563

Name	CVE-2021-3563
Description	A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3714-1
Debian Bugs	989998

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
keystone (PTS)	jessie	2014.1.3-6	vulnerable
	stretch (security), stretch (lts), stretch	2:10.0.0-9+deb9u1	vulnerable
	buster	2:14.2.0-0+deb10u1	vulnerable
	buster (security)	2:14.2.0-0+deb10u2	fixed
	bullseye	2:18.0.0-3+deb11u1	vulnerable
	bookworm	2:22.0.0-2	vulnerable
	sid, trixie	2:25.0.0-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
keystone	source	jessie	(unfixed)	end-of-life
keystone	source	stretch	(unfixed)	end-of-life
keystone	source	buster	2:14.2.0-0+deb10u2		DLA-3714-1
keystone	source	(unstable)	2:23.0.0-3			989998

Notes

[bookworm] - keystone <no-dsa> (Minor issue)
[bullseye] - keystone <no-dsa> (Minor issue)
[stretch] - keystone <end-of-life> (Keystone is not supported in stretch)
https://bugzilla.redhat.com/show_bug.cgi?id=1962908
https://bugs.launchpad.net/keystone/+bug/1901891