Your message dated Thu, 04 Jun 2026 16:05:21 +0000
with message-id <[email protected]>
and subject line Bug#1138844: fixed in neutron 2:28.0.0-7
has caused the Debian Bug report #1138844,
regarding OSSA-2026-021: Neutron port RBAC policy bypass allows project
managers to set trusted device owners on shared networks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138844: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138844
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: neutron
Version: 2:26.0.0-9
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Copying upstream announce from here:
https://security.openstack.org/ossa/OSSA-2026-021.html
Date: June 04, 2026
CVE: CVE-2026-pending
Affects: Neutron: >=25.0.0 <25.2.4, >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, ==28.0.0
Note from packaging maintainer: Only Trixie Sid/Testing.
Description:
Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron’s
default port RBAC rules. A project manager can create or update a port on a
shared network owned by another project and set device_owner to a trusted
network-service value such as network:dhcp. Depending on backend and
deployment, this can bypass anti-spoofing and security group protections. This
is a regression of CVE-2015-5240 (OSSA-2015-018) introduced by the manager
role support change. Deployments running Neutron 25.0.0 or later are affected.
Patches:
https://review.opendev.org/991523 (2025.1/epoxy)
https://review.opendev.org/990356 (2025.2/flamingo)
https://review.opendev.org/990353 (2026.1/gazpacho)
https://review.opendev.org/990273 (2026.2/hibiscus)
Credits:
Tim Shephard from roiai.ca (CVE-2026-pending)
References:
https://launchpad.net/bugs/2152115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending
Notes:
A CVE request has been filed with MITRE (CAN-2026-2030702).
This is a regression of CVE-2015-5240 (OSSA-2015-018).
--- End Message ---
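As an added illustration (not Neutron's code, not the upstream patch, and not part of the original report), the following Python models the policy decision the advisory describes: whether a caller may set a trusted `network:` device_owner on a port, with a flag that switches between the regressed behaviour and the "require network ownership" shape named in the fix. The role names, the ownership test and every sample value are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Ports whose device_owner starts with "network:" (network:dhcp, router
# interfaces, ...) are trusted network-service ports; backends may exempt
# them from anti-spoofing and security-group filtering, which is why the
# advisory treats the ability to set such a value as a bypass.
TRUSTED_DEVICE_OWNER = re.compile(r"^network:")


@dataclass(frozen=True)
class Context:          # the API caller (constructed; not Neutron's context class)
    project_id: str
    roles: frozenset


@dataclass(frozen=True)
class Network:          # the network the port is being created on (constructed)
    project_id: str
    shared: bool


def device_owner_allowed(ctx: Context, net: Network, device_owner: str,
                         require_network_ownership: bool) -> bool:
    """Simplified model of the create_port:device_owner decision (assumed shape).

    require_network_ownership=False mimics the regressed behaviour (any project
    manager may set a trusted owner on any network it can reach, including a
    shared one owned by another project); True mimics the fixed shape, in which
    a manager must also belong to the project that owns the network.
    """
    if not TRUSTED_DEVICE_OWNER.match(device_owner):
        return True                       # ordinary owners are not restricted here
    if "admin" in ctx.roles or "advsvc" in ctx.roles:
        return True                       # admin / advanced-service callers stay trusted
    if "manager" not in ctx.roles:
        return False                      # plain members never get trusted owners
    if not require_network_ownership:
        return True                       # regression: the manager role alone suffices
    return ctx.project_id == net.project_id


def cross_project_trusted_owner_allowed(require_network_ownership: bool) -> bool:
    """Audit case from the advisory: a manager in project A sets network:dhcp on a
    shared network owned by project B. Must be False once ownership is required."""
    manager_a = Context("project-a", frozenset({"member", "manager"}))
    shared_b = Network("project-b", shared=True)
    return device_owner_allowed(manager_a, shared_b, "network:dhcp",
                                require_network_ownership)
```

Running the audit case with both flag values shows the regression (allowed) and the fixed behaviour (denied) side by side.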
--- Begin Message ---
Source: neutron
Source-Version: 2:28.0.0-7
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
neutron, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated neutron package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 03 Jun 2026 13:37:21 +0200
Source: neutron
Architecture: source
Version: 2:28.0.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1138844
Changes:
neutron (2:28.0.0-7) unstable; urgency=medium
.
* Updated neutron-keepalived-state-change_as_dash_script.patch.
* OSSA-2026-021: Neutron port RBAC policy bypass allows project managers to
set trusted device owners on shared networks. Added upstream patch: Fix
port RBAC policies to require network ownership (Closes: #1138844).
--- End Message ---