Package: python-keystonemiddleware / 10.9.0-2+deb13u1

Metadata

Package: python-keystonemiddleware
Version: 10.9.0-2+deb13u1
Patches format: 3.0 (quilt)

Patch series

Patch: no-intersphinx.patch
 doc/source/conf.py | 1 0 + 1 - 0 !
 1 file changed, 1 deletion(-)
 Description: no intersphinx.
Patch: CVE-2026-22797_OSSA-2026-001_Fix_privilege_escalation_via_spoofed_identity_headers.patch
 keystonemiddleware/external_oauth2_token.py | 7 5 + 2 - 0 !
 keystonemiddleware/tests/unit/test_external_oauth2_token_middleware.py | 73 73 + 0 - 0 !
 2 files changed, 78 insertions(+), 2 deletions(-)
 Description:

 fix privilege escalation via spoofed identity headers
 The external_oauth2_token middleware did not sanitize incoming
 authentication headers before processing OAuth 2.0 tokens. This
 allowed an attacker to send forged identity headers (e.g.,
 X-Is-Admin-Project, X-Roles, X-User-Id) that would not be cleared
 by the middleware, potentially enabling privilege escalation.
 This fix adds a call to remove_auth_headers() at the start of
 request processing to sanitize all incoming identity headers,
 matching the secure behavior of the main auth_token middleware.
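The sanitization step the patch description refers to, as an added Python example (not keystonemiddleware's own code): a hypothetical WSGI middleware that clears client-supplied identity headers such as X-Roles, X-User-Id and X-Is-Admin-Project before any token is validated, so only values the middleware itself sets reach the application. The header names beyond the three the description lists, the function and class names, and the validate_token callback are assumptions.

```python
# Added example, not keystonemiddleware's code; headers beyond those the patch names are assumed.
IDENTITY_HEADERS = (
    "X-Identity-Status", "X-User-Id", "X-User-Name", "X-Project-Id",
    "X-Project-Name", "X-Roles", "X-Is-Admin-Project", "X-Service-Token",
)

def _environ_key(header):
    # WSGI exposes request headers as HTTP_<NAME> with dashes turned into underscores.
    return "HTTP_" + header.upper().replace("-", "_")

def remove_auth_headers(environ):
    """Delete every trusted identity header in place; return the names found (worth logging)."""
    removed = []
    for header in IDENTITY_HEADERS:
        key = _environ_key(header)
        if key in environ:
            del environ[key]
            removed.append(header)
    return removed

class SanitizingAuthMiddleware:
    """Hypothetical middleware: sanitise first, then set identity only from a validated token."""
    def __init__(self, app, validate_token):
        self.app = app
        self.validate_token = validate_token  # returns a dict for a valid token, else None

    def __call__(self, environ, start_response):
        spoofed = remove_auth_headers(environ)  # the fix: clear forged headers before anything else
        if spoofed:
            environ.setdefault("sanitizer.removed", []).extend(spoofed)
        token = environ.get("HTTP_X_AUTH_TOKEN")
        info = self.validate_token(token) if token else None
        if info is None:
            environ[_environ_key("X-Identity-Status")] = "Invalid"
        else:
            environ[_environ_key("X-Identity-Status")] = "Confirmed"
            environ[_environ_key("X-User-Id")] = info["user_id"]
            environ[_environ_key("X-Roles")] = ",".join(info["roles"])
        return self.app(environ, start_response)

def run_request(headers, validate_token):
    """Drive the middleware with constructed request headers; return the environ the app saw."""
    seen = {}
    def app(environ, start_response):
        seen.update(environ)
        return [b""]
    environ = {_environ_key(k): v for k, v in headers.items()}
    SanitizingAuthMiddleware(app, validate_token)(environ, lambda status, hdrs: None)
    return seen
```

Without the remove_auth_headers() call at the top of __call__, the forged X-Roles and X-Is-Admin-Project values in the first request would survive into the environ untouched when no token is presented.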