Your message dated Tue, 02 Jun 2026 19:32:06 +0000
with message-id <[email protected]>
and subject line Bug#1138172: fixed in neutron 2:26.0.0-9+deb13u1
has caused the Debian Bug report #1138172,
regarding Neutron tagging policy bypass allows project readers to mutate tags
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138172
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: neutron
Version: 2:26.0.0-9
Severity: important
Tags: patch
As per upstream announcement:
https://security.openstack.org/ossa/OSSA-2026-016.html
OSSA-2026-016: Neutron tagging policy bypass allows project readers to mutate tags
Date: May 28, 2026
CVE: CVE-2026-pending
Affects: Neutron: >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, >=28.0.0 <28.0.1
Note from maintainer: It has been confirmed to me on IRC that only versions >= Epoxy
(so Trixie and on, so starting >= 26.0.0) are affected.
Description:
Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron’s
tagging controller. The controller enforces plural policy action names on
single-tag write operations while the defined policy rules use singular names.
The mismatched names evaluate as allowed under default policy, permitting a
project reader to create and update tags on same-project resources.
Deployments running Neutron 26.0.0 or later are affected.
Patches:
https://review.opendev.org/989376 (2025.1/epoxy)
https://review.opendev.org/989375 (2025.2/flamingo)
https://review.opendev.org/989374 (2026.1/gazpacho)
https://review.opendev.org/989099 (2026.2/hibiscus)
Credits:
Tim Shephard from roiai.ca (CVE-2026-pending)
References:
https://launchpad.net/bugs/2150132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending
Notes:
CVE assignment is pending (MITRE CAN-2026-2030611).
--- End Message ---
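The name mismatch described in the advisory text above, as an added example that is not part of the original report or of Neutron's code. It is a toy enforcer in which an action with no registered rule evaluates as allowed (the behaviour the advisory describes), plus an audit that flags enforced names matching no rule; every rule, role and function name here is constructed for illustration.

```python
"""Toy model of a plural/singular policy-name mismatch (constructed names)."""

READER, MEMBER = "reader", "member"

# Registered rules: single-tag writes use singular names (constructed,
# not Neutron's real rule names).
RULES = {
    "get_widget_tags": {READER, MEMBER},   # list tags: readers allowed
    "create_widget_tag": {MEMBER},         # single-tag write: members only
    "update_widget_tag": {MEMBER},
}


def enforce(action, role, rules=RULES, fail_closed=False):
    """Return True if `role` may perform `action`.

    Assumption: with fail_closed=False, an action that has no registered
    rule evaluates as allowed, as the advisory says happens under default
    policy. fail_closed=True denies unknown actions instead.
    """
    allowed_roles = rules.get(action)
    if allowed_roles is None:
        return not fail_closed
    return role in allowed_roles


def controller_action(verb, buggy):
    """Build the action name a (hypothetical) tagging controller enforces."""
    # The buggy controller uses the plural form for single-tag writes.
    return f"{verb}_widget_tags" if buggy else f"{verb}_widget_tag"


def unregistered_actions(enforced, rules=RULES):
    """Audit: enforced action names that match no registered rule."""
    return sorted(set(enforced) - set(rules))


if __name__ == "__main__":
    for buggy in (True, False):
        action = controller_action("update", buggy)
        print(action, "reader allowed:", enforce(action, READER))
    writes = [controller_action(v, True) for v in ("create", "update")]
    print("unregistered:", unregistered_actions(writes))
```

Running the audit over every action name a controller can emit, for example in a unit test, catches this class of mismatch before release.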
--- Begin Message ---
Source: neutron
Source-Version: 2:26.0.0-9+deb13u1
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
neutron, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated neutron package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 29 May 2026 08:24:56 +0200
Source: neutron
Architecture: source
Version: 2:26.0.0-9+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1138172
Changes:
 neutron (2:26.0.0-9+deb13u1) trixie; urgency=medium
 .
   * OSSA-2026-016: Neutron tagging policy bypass allows project readers to
     mutate tags. Added upstream patch: "Fix plural policy names in tagging
     controller and floatingip policy" (Closes: #1138172).
--- End Message ---