)]}'
{"id":"openstack%2Fkeystonemiddleware~973495","triplet_id":"openstack%2Fkeystonemiddleware~stable%2F2025.2~Idd4fe1d17a25b3064b31f454d9830242f345e018","project":"openstack/keystonemiddleware","branch":"stable/2025.2","attention_set":{},"removed_from_attention_set":{"27900":{"account":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"last_update":"2026-01-16 15:27:17.000000000","reason":"Change was submitted"},"5263":{"account":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"last_update":"2026-01-16 15:27:17.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"Idd4fe1d17a25b3064b31f454d9830242f345e018","subject":"Fix privilege escalation via spoofed identity headers","status":"MERGED","created":"2026-01-15 15:04:37.000000000","updated":"2026-01-16 15:28:45.000000000","submitted":"2026-01-16 15:27:17.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":1,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"973495","meta_rev_id":"1cd1455459d3b8f602d06a2e8cafdbb1eba87e34","_number":973495,"virtual_id_number":973495,"owner":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"value":0,"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"tag":"autogenerated:zuul:gate","value":2,"date":"2026-01-16 15:27:16.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"all":[{"value":2,"date":"2026-01-15 19:43:40.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":2,"date":"2026-01-16 14:18:49.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"all":[{"value":0,"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":1,"date":"2026-01-16 14:18:49.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-01-15 15:04:37.000000000","updated_by":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"reviewer":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"state":"CC"},{"updated":"2026-01-15 15:33:22.000000000","updated_by":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"reviewer":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"state":"REVIEWER"},{"updated":"2026-01-15 16:43:28.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2026-01-16 14:18:49.000000000","updated_by":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"reviewer":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"state":"REVIEWER"}],"messages":[{"id":"cdc934ac5c9f1b7b686c969386226bd19be7933a","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"date":"2026-01-15 15:04:37.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"7f7d610d33b076c5df6a89d4897b03900f71cf80","author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"date":"2026-01-15 15:33:22.000000000","message":"Patch Set 1: Code-Review+2","accounts_in_message":[],"_revision_number":1},{"id":"a044a851596f9f29bb8c9e7666414275b8f41f74","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-01-15 16:43:28.000000000","message":"Patch Set 1: Verified-1\n\n(1 comment)\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/7d5089e10ae94e76a8b8c64191136065\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/c590f54899e04a5aab00f0106fab70d0 : SUCCESS in 3m 40s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/dfb2ed8313744dc9be3119aafbfdf461 : FAILURE in 1m 56s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/ae5bc9f2bbfb412a97ff02594c4bd80d : SUCCESS in 1m 56s\n- openstack-tox-py312 https://zuul.opendev.org/t/openstack/build/cfc7e3b7409b4efba112794e403108a1 : SUCCESS in 3m 23s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/467582111999497c8521eb905d0b2f28 : SUCCESS in 3m 23s (non-voting)\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/3cc05f0296254da1b4e7af2e587686bf : SUCCESS in 6m 00s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/b16da38a8fc94247a83e0c7f951ddfc4 : SUCCESS in 1h 37m 12s","accounts_in_message":[],"_revision_number":1},{"id":"7375193af91d4f1013c64da691eafcfef460d115","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"date":"2026-01-15 17:34:40.000000000","message":"Uploaded patch set 2.\n\nOutdated Votes:\n* Code-Review+2 (copy condition: \"changekind:TRIVIAL_REBASE OR is:MIN\")\n* Verified-1\n","accounts_in_message":[],"_revision_number":2},{"id":"c6671408ecaf840d7a466d0d6a6ae841aac4c0a6","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-01-15 19:10:00.000000000","message":"Patch Set 2: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/4c4463a282294e61a27553c0f89e0106\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/bcdfa44d159c47b380cc3a8758116fbf : SUCCESS in 5m 24s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/cc12a7306293454fa36e55314eddfa37 : SUCCESS in 3m 06s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/d7b67753fc05481a9df5ac0586886482 : SUCCESS in 3m 04s\n- openstack-tox-py312 https://zuul.opendev.org/t/openstack/build/a8325b783e064533827a401b54dfe01b : SUCCESS in 5m 04s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/d67ff87207be4ac799712f9d9bd1ad79 : SUCCESS in 7m 52s (non-voting)\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/fad6362e8df545b79a642ef99add5983 : SUCCESS in 6m 41s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/c6e6aeb1d24744c0a82704289b90243d : SUCCESS in 1h 33m 13s","accounts_in_message":[],"_revision_number":2},{"id":"70ba301730730e7b4b5722f39678b844202e91e7","author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"date":"2026-01-15 19:43:40.000000000","message":"Patch Set 2: Code-Review+2","accounts_in_message":[],"_revision_number":2},{"id":"9c32692d8ce644758fc685c9e9aa5d919f931513","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-01-16 14:18:49.000000000","message":"Patch Set 2: Code-Review+2 Workflow+1","accounts_in_message":[],"_revision_number":2},{"id":"4baacb368427c13b46b360ae539e5d144b2aed79","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-01-16 14:19:12.000000000","message":"Patch Set 2: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":2},{"id":"9372233f094ab05cbc15e734b6eb7cb5268327c4","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-01-16 15:27:16.000000000","message":"Patch Set 2: Verified+2\n\nBuild succeeded (gate pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/173907e86e1841e9b6aed1739bebea02\n\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/f12caec5229f458281dbe1838d8864cb : SUCCESS in 3m 45s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/8dc57f03a448413e9299e6c4d562b635 : SUCCESS in 3m 14s\n- openstack-tox-py312 https://zuul.opendev.org/t/openstack/build/1107ca927ece43d0b4299b4d00d92ab6 : SUCCESS in 3m 59s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/5ff5e99c995645318ba9f483a841a6d7 : SUCCESS in 6m 42s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/41f0c9f17ed9476a94b26ee2c72be88f : SUCCESS in 59m 40s","accounts_in_message":[],"_revision_number":2},{"id":"ae737874a1808a9a40add8b2472781c2bbd0e5c7","tag":"autogenerated:gerrit:merged","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-01-16 15:27:17.000000000","message":"Change has been successfully merged","accounts_in_message":[],"_revision_number":2},{"id":"1cd1455459d3b8f602d06a2e8cafdbb1eba87e34","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-01-16 15:28:45.000000000","message":"Patch Set 2:\n\nBuild succeeded (promote pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/d2c4e23fe6d6491fa5c10c39da1cb943\n\n- promote-openstack-tox-docs https://zuul.opendev.org/t/openstack/build/f1551b27ed4c4e6a9961df8511ab6b8e : SUCCESS in 1m 07s","accounts_in_message":[],"_revision_number":2}],"current_revision_number":2,"current_revision":"a44297c88e9d30231e707262ef9dd96187dee9fe","revisions":{"3dbe67b5cda653293db84a2c919104e11ad67e35":{"kind":"REWORK","_number":1,"created":"2026-01-15 15:04:37.000000000","uploader":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"ref":"refs/changes/95/973495/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystonemiddleware","ref":"refs/changes/95/973495/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystonemiddleware refs/changes/95/973495/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystonemiddleware refs/changes/95/973495/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystonemiddleware refs/changes/95/973495/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystonemiddleware refs/changes/95/973495/1"}}},"commit":{"parents":[{"commit":"3b9736ac1952e1a8f941b1f1249e51b5bdb140e2","subject":"Update TOX_CONSTRAINTS_FILE for stable/2025.2","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystonemiddleware/commit/3b9736ac1952e1a8f941b1f1249e51b5bdb140e2"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-01-08 13:46:19.000000000","tz":60},"committer":{"name":"Jeremy Stanley","email":"fungi@yuggoth.org","date":"2026-01-15 15:04:27.000000000","tz":0},"subject":"Fix privilege escalation via spoofed identity headers","message":"Fix privilege escalation via spoofed identity headers\n\nThe external_oauth2_token middleware did not sanitize incoming\nauthentication headers before processing OAuth 2.0 tokens. This\nallowed an attacker to send forged identity headers (e.g.,\nX-Is-Admin-Project, X-Roles, X-User-Id) that would not be cleared\nby the middleware, potentially enabling privilege escalation.\n\nThis fix adds a call to remove_auth_headers() at the start of\nrequest processing to sanitize all incoming identity headers,\nmatching the secure behavior of the main auth_token middleware.\n\nCloses-Bug: #2129018\nChange-Id: Idd4fe1d17a25b3064b31f454d9830242f345e018\n(cherry picked from commit b473c0ed1467b70c74c8a82cb4d15ccf8424b27b)\nSigned-off-by: Jeremy Stanley \u003cfungi@yuggoth.org\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystonemiddleware/commit/3dbe67b5cda653293db84a2c919104e11ad67e35"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystonemiddleware/commit/3dbe67b5cda653293db84a2c919104e11ad67e35"}]},"branch":"refs/heads/stable/2025.2"},"a44297c88e9d30231e707262ef9dd96187dee9fe":{"kind":"REWORK","_number":2,"created":"2026-01-15 17:34:40.000000000","uploader":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"ref":"refs/changes/95/973495/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystonemiddleware","ref":"refs/changes/95/973495/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystonemiddleware refs/changes/95/973495/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystonemiddleware refs/changes/95/973495/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystonemiddleware refs/changes/95/973495/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystonemiddleware refs/changes/95/973495/2"}}},"commit":{"parents":[{"commit":"3b9736ac1952e1a8f941b1f1249e51b5bdb140e2","subject":"Update TOX_CONSTRAINTS_FILE for stable/2025.2","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystonemiddleware/commit/3b9736ac1952e1a8f941b1f1249e51b5bdb140e2"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-01-08 13:46:19.000000000","tz":60},"committer":{"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","date":"2026-01-15 17:34:36.000000000","tz":60},"subject":"Fix privilege escalation via spoofed identity headers","message":"Fix privilege escalation via spoofed identity headers\n\nThe external_oauth2_token middleware did not sanitize incoming\nauthentication headers before processing OAuth 2.0 tokens. This\nallowed an attacker to send forged identity headers (e.g.,\nX-Is-Admin-Project, X-Roles, X-User-Id) that would not be cleared\nby the middleware, potentially enabling privilege escalation.\n\nThis fix adds a call to remove_auth_headers() at the start of\nrequest processing to sanitize all incoming identity headers,\nmatching the secure behavior of the main auth_token middleware.\n\nCloses-Bug: #2129018\nChange-Id: Idd4fe1d17a25b3064b31f454d9830242f345e018\n(cherry picked from commit b473c0ed1467b70c74c8a82cb4d15ccf8424b27b)\nSigned-off-by: Jeremy Stanley \u003cfungi@yuggoth.org\u003e\nSigned-off-by: Artem Goncharov \u003cartem.goncharov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystonemiddleware/commit/a44297c88e9d30231e707262ef9dd96187dee9fe"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystonemiddleware/commit/a44297c88e9d30231e707262ef9dd96187dee9fe"}]},"branch":"refs/heads/stable/2025.2"}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"CLOSED","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY","applied_by":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}},{"label":"Workflow","status":"MAY","applied_by":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Verified\u003dMAX"],"failing_atoms":["label:Verified\u003dMIN"],"atom_explanations":{}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Code-Review\u003dMAX"],"failing_atoms":["label:Code-Review\u003dMIN"],"atom_explanations":{}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Workflow\u003dMAX"],"failing_atoms":["label:Workflow\u003dMIN"],"atom_explanations":{}}}]}