--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:neutron
User: [email protected]
Usertags: pu
Hi,
[ Reason ]
I'd like to fix a security issue where the policy for tags on
floating-ips shouldn't be granted. For more details, see the
announce from upstream:
https://security.openstack.org/ossa/OSSA-2026-016.html
[ Impact ]
tagging policy bypass allows project readers to mutate tags
[ Tests ]
Upstream unit tests are run during package build.
[ Risks ]
Change isn't big, only to the policy (upstream added some
policy.enforce() calls).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Just the upstream patch.
[ Other info ]
Note the attached debdiff targeted trixie-security, I'll
adjust for p-u before uploading.
Please allow me to uplaod Neutron 2:26.0.0-9+deb13u1.
Cheers,
Thomas Goirand (zigo)
diff -Nru neutron-26.0.0/debian/changelog neutron-26.0.0/debian/changelog
--- neutron-26.0.0/debian/changelog 2025-07-13 17:16:33.000000000 +0200
+++ neutron-26.0.0/debian/changelog 2026-05-29 08:24:56.000000000 +0200
@@ -1,3 +1,11 @@
+neutron (2:26.0.0-9+deb13u1) trixie-security; urgency=medium
+
+ * OSSA-2026-016: Neutron tagging policy bypass allows project readers to
+ mutate tags. Added upstream patch: "Fix plural policy names in tagging
+ controller and floatingip policy" (Closes: #1138172).
+
+ -- Thomas Goirand <[email protected]> Fri, 29 May 2026 08:24:56 +0200
+
neutron (2:26.0.0-9) unstable; urgency=medium
* Replace Add_state_reporting_back_to_metadata_agents.patch by a version
diff -Nru
neutron-26.0.0/debian/patches/OSSA-2026-016_Fix_plural_policy_names_in_tagging_controller_and_floatingip_policy.patch
neutron-26.0.0/debian/patches/OSSA-2026-016_Fix_plural_policy_names_in_tagging_controller_and_floatingip_policy.patch
---
neutron-26.0.0/debian/patches/OSSA-2026-016_Fix_plural_policy_names_in_tagging_controller_and_floatingip_policy.patch
1970-01-01 01:00:00.000000000 +0100
+++
neutron-26.0.0/debian/patches/OSSA-2026-016_Fix_plural_policy_names_in_tagging_controller_and_floatingip_policy.patch
2026-05-29 08:24:56.000000000 +0200
@@ -0,0 +1,150 @@
+Author: Rodolfo Alonso Hernandez <[email protected]>
+Date: Tue, 19 May 2026 12:47:59 +0200
+Description: Fix plural policy names in tagging controller and floatingip
policy
+ The TaggingController.create() and update() methods enforce policy
+ action names using the plural collection key (e.g. create_networks:tags)
+ instead of the singular member name (e.g. create_network:tags). Since
+ the registered policy rules use the singular form, the unmatched plural
+ names fall through to oslo.policy's default rule, allowing project
+ readers to mutate tags on same-project resources.
+ .
+ Fix the delete_floatingips:tags policy rule name (should be singular
+ delete_floatingip:tags) and add a unit test that validates
+ _get_policy_action produces the correct singular form for all supported
+ resources and actions, and that each generated name matches an actually
+ registered policy rule.
+Bug: https://launchpad.net/bugs/2150132
+Bug-Debian: https://bugs.debian.org/1138172
+Signed-off-by: Rodolfo Alonso Hernandez <[email protected]>
+Change-Id: I783510565e4fc4191b5494eb9a6dc0bdd3ace3fc
+Origin: upstream, https://review.opendev.org/c/openstack/neutron/+/989376
+Last-Update: 2026-05-29
+
+diff --git a/neutron/conf/policies/floatingip.py
b/neutron/conf/policies/floatingip.py
+index 9a3eaaf..ae99279 100644
+--- a/neutron/conf/policies/floatingip.py
++++ b/neutron/conf/policies/floatingip.py
+@@ -170,7 +170,7 @@
+ deprecated_since=versionutils.deprecated.WALLABY)
+ ),
+ policy.DocumentedRuleDefault(
+- name='delete_floatingips:tags',
++ name='delete_floatingip:tags',
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ description='Delete the floating IP tags',
+ operations=ACTION_DELETE_TAGS,
+diff --git a/neutron/extensions/tagging.py b/neutron/extensions/tagging.py
+index 543f2dc..b88cda0 100644
+--- a/neutron/extensions/tagging.py
++++ b/neutron/extensions/tagging.py
+@@ -197,8 +197,10 @@
+ # GET /v2.0/{obj_resource}/{obj_resource_id}/tags
+ ctx = request.context
+ rinfo = self._get_resource_info(ctx, kwargs)
+- policy.enforce(ctx, 'get_{}_{}'.format(rinfo.obj_type, TAGS),
+- rinfo.obj)
++ policy.enforce(
++ ctx,
++ self._get_policy_action("get", rinfo.obj_type),
++ rinfo.obj)
+ return self.plugin.get_tags(ctx, rinfo.obj_type, rinfo.obj['id'])
+
+ def show(self, request, id, **kwargs):
+@@ -207,8 +209,10 @@
+ validate_tag(id)
+ ctx = request.context
+ rinfo = self._get_resource_info(ctx, kwargs)
+- policy.enforce(ctx, 'get_{}:{}'.format(rinfo.obj_type, TAGS),
+- rinfo.obj)
++ policy.enforce(
++ ctx,
++ self._get_policy_action("get", rinfo.obj_type),
++ rinfo.obj)
+ return self.plugin.get_tag(ctx, rinfo.obj_type, rinfo.obj['id'], id)
+
+ def create(self, request, body, **kwargs):
+@@ -217,8 +221,10 @@
+ validate_tags(body)
+ ctx = request.context
+ rinfo = self._get_resource_info(ctx, kwargs, tags=body[TAGS])
+- policy.enforce(ctx, 'create_{}:{}'.format(rinfo.obj_type, TAGS),
+- rinfo.obj)
++ policy.enforce(
++ ctx,
++ self._get_policy_action("create", rinfo.obj_type),
++ rinfo.obj)
+ validate_tags_limit(rinfo.obj_type, body['tags'])
+ notify_tag_action(ctx, 'create.start', rinfo.obj_type,
+ rinfo.obj['id'], body['tags'])
+@@ -234,8 +240,10 @@
+ validate_tag(id)
+ ctx = request.context
+ rinfo = self._get_resource_info(ctx, kwargs, tags=[id])
+- policy.enforce(ctx, 'update_{}:{}'.format(rinfo.obj_type, TAGS),
+- rinfo.obj)
++ policy.enforce(
++ ctx,
++ self._get_policy_action("update", rinfo.obj_type),
++ rinfo.obj)
+ current_tags = self.plugin.get_tags(
+ ctx, rinfo.obj_type, rinfo.obj['id'])['tags']
+ new_tags = current_tags + [id]
+diff --git a/neutron/tests/unit/extensions/test_tagging.py
b/neutron/tests/unit/extensions/test_tagging.py
+index 8366fb7..56d2b7f 100644
+--- a/neutron/tests/unit/extensions/test_tagging.py
++++ b/neutron/tests/unit/extensions/test_tagging.py
+@@ -24,6 +24,7 @@
+ from neutron_lib.utils import net as net_utils
+ from oslo_utils import uuidutils
+
++from neutron.conf import policies as conf_policies
+ from neutron.extensions import tagging
+ from neutron.objects import network as network_obj
+ from neutron.objects import network_segment_range as network_segment_range_obj
+@@ -87,6 +88,22 @@
+ ovo_resources = set(tagging.OVO_CLS.keys())
+ self.assertEqual(tc_supported_resources, ovo_resources)
+
++ def test__get_policy_action_all_resources_and_actions(self):
++ registered_rules = {rule.name for rule in conf_policies.list_rules()}
++ actions = ('get', 'create', 'update', 'delete')
++ for collection, member in self.tc.supported_resources.items():
++ for action in actions:
++ expected = f'{action}_{member}:tags'
++ result = self.tc._get_policy_action(action, collection)
++ self.assertEqual(
++ expected, result,
++ f'_get_policy_action("{action}", "{collection}") '
++ f'returned "{result}" instead of "{expected}"')
++ self.assertIn(
++ result, registered_rules,
++ f'Policy rule "{result}" is not registered in '
++ f'neutron.conf.policies')
++
+ def _check_resource_info(self, obj, obj_type):
+ id_key = self.tc.supported_resources[obj_type] + '_id'
+ res = self.tc._get_resource_info(self.ctx, {id_key: obj['id']})
+diff --git
a/releasenotes/notes/fix-tagging-policy-action-names-a59e17308f214600.yaml
b/releasenotes/notes/fix-tagging-policy-action-names-a59e17308f214600.yaml
+new file mode 100644
+index 0000000..91ee65c
+--- /dev/null
++++ b/releasenotes/notes/fix-tagging-policy-action-names-a59e17308f214600.yaml
+@@ -0,0 +1,18 @@
++---
++security:
++ - |
++ Fixed a security issue where the tagging controller's single-tag write
++ endpoints (``POST /v2.0/{resource}/{id}/tags`` and
++ ``PUT /v2.0/{resource}/{id}/tags/{tag}``) enforced policy action names
++ using the plural collection key (e.g. ``create_networks:tags``) instead
++ of the singular member name (e.g. ``create_network:tags``). Because the
++ plural names did not match any registered policy rule, they fell through
++ to oslo.policy's default rule, allowing project readers to create and
++ update tags on same-project resources.
++ All tag-write endpoints now consistently use the singular policy action
++ names that match the registered rules.
++fixes:
++ - |
++ Fixed the ``delete_floatingips:tags`` policy rule name to use the correct
++ singular form ``delete_floatingip:tags``, consistent with all other
++ tag-related policy rules.
diff -Nru neutron-26.0.0/debian/patches/series
neutron-26.0.0/debian/patches/series
--- neutron-26.0.0/debian/patches/series 2025-07-13 17:16:33.000000000
+0200
+++ neutron-26.0.0/debian/patches/series 2026-05-29 08:24:56.000000000
+0200
@@ -1,3 +1,4 @@
fix-path-of-healthcheck_disable.patch
Add_state_reporting_back_to_metadata_agents.patch
Fix_LoopingCallBase_argument_issue.patch
+OSSA-2026-016_Fix_plural_policy_names_in_tagging_controller_and_floatingip_policy.patch
--- End Message ---