Your message dated Thu, 28 May 2026 19:15:57 +0000
with message-id <[email protected]>
and subject line Bug#1138172: fixed in neutron 2:28.0.0-4
has caused the Debian Bug report #1138172,
regarding Neutron tagging policy bypass allows project readers to mutate tags
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138172
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: neutron
Version: 2:26.0.0-9
Severity: important
Tags: patch

As per upstream announcement:
https://security.openstack.org/ossa/OSSA-2026-016.html


OSSA-2026-016: Neutron tagging policy bypass allows project readers to mutate
tags

Date: May 28, 2026
CVE: CVE-2026-pending

Affects: Neutron: >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, >=28.0.0 <28.0.1

Note from maintainer: It was confirmed to me on IRC that only versions >= Epoxy
(so Trixie and on, so starting >= 26.0.0) are affected.

Description:

Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron’s
tagging controller. The controller enforces plural policy action names on
single-tag write operations while the defined policy rules use singular names.
The mismatched names evaluate as allowed under default policy, permitting a
project reader to create and update tags on same-project resources.
Deployments running Neutron 26.0.0 or later are affected.

Patches:
    https://review.opendev.org/989376 (2025.1/epoxy)
    https://review.opendev.org/989375 (2025.2/flamingo)
    https://review.opendev.org/989374 (2026.1/gazpacho)
    https://review.opendev.org/989099 (2026.2/hibiscus)

Credits:
    Tim Shephard from roiai.ca (CVE-2026-pending)

References:
    https://launchpad.net/bugs/2150132
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending

Notes:
    CVE assignment is pending (MITRE CAN-2026-2030611).

--- End Message ---
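
Added example, not part of the original report and not Neutron or oslo.policy code: a simplified model of the name mismatch described in the advisory, with a strict variant and an audit helper beside it. The action names, roles and the ownership-based default rule are assumptions made for illustration.

```python
"""Simplified model of a name-keyed policy engine (constructed for illustration)."""


def is_member(ctx, target):
    # Write rule in this model: caller needs the "member" role in the same project.
    return "member" in ctx["roles"] and ctx["project_id"] == target["project_id"]


def is_owner(ctx, target):
    # Assumed default rule: any same-project caller passes, whatever the role.
    return ctx["project_id"] == target["project_id"]


# Rules are registered under SINGULAR action names (hypothetical names).
REGISTERED_RULES = {
    "create_network_tag": is_member,
    "update_network_tag": is_member,
    "delete_network_tag": is_member,
}
DEFAULT_RULE = is_owner

# Names a hypothetical controller passes to enforce(): two are plural by mistake.
CONTROLLER_ACTIONS = ["create_networks_tag", "update_networks_tag",
                      "delete_network_tag"]


def enforce(action, ctx, target, rules=REGISTERED_RULES):
    """Fallback behaviour: an unknown action name is checked against the default rule."""
    return rules.get(action, DEFAULT_RULE)(ctx, target)


def enforce_strict(action, ctx, target, rules=REGISTERED_RULES):
    """Hardened variant: an unregistered action name is denied, never defaulted."""
    check = rules.get(action)
    return check is not None and check(ctx, target)


def unregistered_actions(enforced, rules=REGISTERED_RULES):
    """Audit helper: enforced action names that no registered rule defines."""
    return sorted(set(enforced) - set(rules))


# Constructed sample request: a reader acting on a resource in its own project.
READER = {"roles": {"reader"}, "project_id": "p1"}
NET = {"project_id": "p1"}

if __name__ == "__main__":
    for name in CONTROLLER_ACTIONS:
        print(name, enforce(name, READER, NET), enforce_strict(name, READER, NET))
    print("unregistered:", unregistered_actions(CONTROLLER_ACTIONS))
```

Running the audit helper over every action name a controller enforces, as a unit test, catches this class of mismatch before release.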
--- Begin Message ---
Source: neutron
Source-Version: 2:28.0.0-4
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
neutron, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated neutron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 28 May 2026 19:25:07 +0200
Source: neutron
Architecture: source
Version: 2:28.0.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1138172
Changes:
 neutron (2:28.0.0-4) unstable; urgency=medium
 .
   * OSSA-2026-016: Neutron tagging policy bypass allows project readers to
     mutate tags. Added upstream patch: "Fix plural policy names in tagging
     controller and floatingip policy" (Closes: #1138172).


--- End Message ---
