heat (1:25.0.0-2)
OK: VCS matches the version in the archive
- Git: https://salsa.debian.org/openstack-team/services/heat.git
- Branch: debian/flamingo
- Path: debian/changelog
- Repo size: 21929984
- Browser: https://salsa.debian.org/openstack-team/services/heat
- Last scan: 2025-12-04 16:28:08+00
- Next scan: 2025-12-13 14:07:00+00
- CI pipeline status: failed
- Debian changelog in Git:
  heat (1:25.0.0-2) unstable; urgency=high

    * OSSA-2025-002: kay reported a vulnerability in Keystone's ec2tokens and
      s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
      a presigned S3 URL), an unauthenticated attacker may obtain Keystone
      authorization (ec2tokens can yield a fully scoped token; s3tokens can
      reveal scope accepted by some services), resulting in unauthorized access
      and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
      are reachable by unauthenticated clients (e.g., exposed on a public API)
      are affected.
      The heat part that is using the S3 API needs to be modified to accept the
      fix for Keystone, otherwise S3 authentication will stop working.
      Applied upstream patch (Closes: #1120059):
      Keystone_requires_authentication_when_using_the__v3_ec3token_endpoint.patch

   -- Thomas Goirand <zigo@debian.org>  Tue, 04 Nov 2025 10:40:04 +0100
- This branch is even with tag debian/25.0.0-2