Your message dated Sat, 11 Jul 2026 10:32:48 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1138225,
regarding trixie-pu: package neutron/26.0.0-9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138225: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138225
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:neutron
User: [email protected]
Usertags: pu

Hi,

[ Reason ]
I'd like to fix a security issue where the policy for tags on
floating-ips shouldn't be granted. For more details, see the
announce from upstream:

https://security.openstack.org/ossa/OSSA-2026-016.html

[ Impact ]
tagging policy bypass allows project readers to mutate tags

[ Tests ]
Upstream unit tests are run during package build.

[ Risks ]
Change isn't big, only to the policy (upstream added some
policy.enforce() calls).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Just the upstream patch.

[ Other info ]
Note the attached debdiff targeted trixie-security, I'll
adjust for p-u before uploading.

Please allow me to uplaod Neutron 2:26.0.0-9+deb13u1.

Cheers,

Thomas Goirand (zigo)
diff -Nru neutron-26.0.0/debian/changelog neutron-26.0.0/debian/changelog
--- neutron-26.0.0/debian/changelog     2025-07-13 17:16:33.000000000 +0200
+++ neutron-26.0.0/debian/changelog     2026-05-29 08:24:56.000000000 +0200
@@ -1,3 +1,11 @@
+neutron (2:26.0.0-9+deb13u1) trixie-security; urgency=medium
+
+  * OSSA-2026-016: Neutron tagging policy bypass allows project readers to
+    mutate tags. Added upstream patch: "Fix plural policy names in tagging
+    controller and floatingip policy" (Closes: #1138172).
+
+ -- Thomas Goirand <[email protected]>  Fri, 29 May 2026 08:24:56 +0200
+
 neutron (2:26.0.0-9) unstable; urgency=medium
 
   * Replace Add_state_reporting_back_to_metadata_agents.patch by a version
diff -Nru 
neutron-26.0.0/debian/patches/OSSA-2026-016_Fix_plural_policy_names_in_tagging_controller_and_floatingip_policy.patch
 
neutron-26.0.0/debian/patches/OSSA-2026-016_Fix_plural_policy_names_in_tagging_controller_and_floatingip_policy.patch
--- 
neutron-26.0.0/debian/patches/OSSA-2026-016_Fix_plural_policy_names_in_tagging_controller_and_floatingip_policy.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
neutron-26.0.0/debian/patches/OSSA-2026-016_Fix_plural_policy_names_in_tagging_controller_and_floatingip_policy.patch
       2026-05-29 08:24:56.000000000 +0200
@@ -0,0 +1,150 @@
+Author: Rodolfo Alonso Hernandez <[email protected]>
+Date: Tue, 19 May 2026 12:47:59 +0200
+Description: Fix plural policy names in tagging controller and floatingip 
policy
+ The TaggingController.create() and update() methods enforce policy
+ action names using the plural collection key (e.g. create_networks:tags)
+ instead of the singular member name (e.g. create_network:tags). Since
+ the registered policy rules use the singular form, the unmatched plural
+ names fall through to oslo.policy's default rule, allowing project
+ readers to mutate tags on same-project resources.
+ .
+ Fix the delete_floatingips:tags policy rule name (should be singular
+ delete_floatingip:tags) and add a unit test that validates
+ _get_policy_action produces the correct singular form for all supported
+ resources and actions, and that each generated name matches an actually
+ registered policy rule.
+Bug: https://launchpad.net/bugs/2150132
+Bug-Debian: https://bugs.debian.org/1138172
+Signed-off-by: Rodolfo Alonso Hernandez <[email protected]>
+Change-Id: I783510565e4fc4191b5494eb9a6dc0bdd3ace3fc
+Origin: upstream, https://review.opendev.org/c/openstack/neutron/+/989376
+Last-Update: 2026-05-29
+
+diff --git a/neutron/conf/policies/floatingip.py 
b/neutron/conf/policies/floatingip.py
+index 9a3eaaf..ae99279 100644
+--- a/neutron/conf/policies/floatingip.py
++++ b/neutron/conf/policies/floatingip.py
+@@ -170,7 +170,7 @@
+             deprecated_since=versionutils.deprecated.WALLABY)
+     ),
+     policy.DocumentedRuleDefault(
+-        name='delete_floatingips:tags',
++        name='delete_floatingip:tags',
+         check_str=base.ADMIN_OR_PROJECT_MEMBER,
+         description='Delete the floating IP tags',
+         operations=ACTION_DELETE_TAGS,
+diff --git a/neutron/extensions/tagging.py b/neutron/extensions/tagging.py
+index 543f2dc..b88cda0 100644
+--- a/neutron/extensions/tagging.py
++++ b/neutron/extensions/tagging.py
+@@ -197,8 +197,10 @@
+         # GET /v2.0/{obj_resource}/{obj_resource_id}/tags
+         ctx = request.context
+         rinfo = self._get_resource_info(ctx, kwargs)
+-        policy.enforce(ctx, 'get_{}_{}'.format(rinfo.obj_type, TAGS),
+-                       rinfo.obj)
++        policy.enforce(
++            ctx,
++            self._get_policy_action("get", rinfo.obj_type),
++            rinfo.obj)
+         return self.plugin.get_tags(ctx, rinfo.obj_type, rinfo.obj['id'])
+ 
+     def show(self, request, id, **kwargs):
+@@ -207,8 +209,10 @@
+         validate_tag(id)
+         ctx = request.context
+         rinfo = self._get_resource_info(ctx, kwargs)
+-        policy.enforce(ctx, 'get_{}:{}'.format(rinfo.obj_type, TAGS),
+-                       rinfo.obj)
++        policy.enforce(
++            ctx,
++            self._get_policy_action("get", rinfo.obj_type),
++            rinfo.obj)
+         return self.plugin.get_tag(ctx, rinfo.obj_type, rinfo.obj['id'], id)
+ 
+     def create(self, request, body, **kwargs):
+@@ -217,8 +221,10 @@
+         validate_tags(body)
+         ctx = request.context
+         rinfo = self._get_resource_info(ctx, kwargs, tags=body[TAGS])
+-        policy.enforce(ctx, 'create_{}:{}'.format(rinfo.obj_type, TAGS),
+-                       rinfo.obj)
++        policy.enforce(
++            ctx,
++            self._get_policy_action("create", rinfo.obj_type),
++            rinfo.obj)
+         validate_tags_limit(rinfo.obj_type, body['tags'])
+         notify_tag_action(ctx, 'create.start', rinfo.obj_type,
+                           rinfo.obj['id'], body['tags'])
+@@ -234,8 +240,10 @@
+         validate_tag(id)
+         ctx = request.context
+         rinfo = self._get_resource_info(ctx, kwargs, tags=[id])
+-        policy.enforce(ctx, 'update_{}:{}'.format(rinfo.obj_type, TAGS),
+-                       rinfo.obj)
++        policy.enforce(
++            ctx,
++            self._get_policy_action("update", rinfo.obj_type),
++            rinfo.obj)
+         current_tags = self.plugin.get_tags(
+             ctx, rinfo.obj_type, rinfo.obj['id'])['tags']
+         new_tags = current_tags + [id]
+diff --git a/neutron/tests/unit/extensions/test_tagging.py 
b/neutron/tests/unit/extensions/test_tagging.py
+index 8366fb7..56d2b7f 100644
+--- a/neutron/tests/unit/extensions/test_tagging.py
++++ b/neutron/tests/unit/extensions/test_tagging.py
+@@ -24,6 +24,7 @@
+ from neutron_lib.utils import net as net_utils
+ from oslo_utils import uuidutils
+ 
++from neutron.conf import policies as conf_policies
+ from neutron.extensions import tagging
+ from neutron.objects import network as network_obj
+ from neutron.objects import network_segment_range as network_segment_range_obj
+@@ -87,6 +88,22 @@
+         ovo_resources = set(tagging.OVO_CLS.keys())
+         self.assertEqual(tc_supported_resources, ovo_resources)
+ 
++    def test__get_policy_action_all_resources_and_actions(self):
++        registered_rules = {rule.name for rule in conf_policies.list_rules()}
++        actions = ('get', 'create', 'update', 'delete')
++        for collection, member in self.tc.supported_resources.items():
++            for action in actions:
++                expected = f'{action}_{member}:tags'
++                result = self.tc._get_policy_action(action, collection)
++                self.assertEqual(
++                    expected, result,
++                    f'_get_policy_action("{action}", "{collection}") '
++                    f'returned "{result}" instead of "{expected}"')
++                self.assertIn(
++                    result, registered_rules,
++                    f'Policy rule "{result}" is not registered in '
++                    f'neutron.conf.policies')
++
+     def _check_resource_info(self, obj, obj_type):
+         id_key = self.tc.supported_resources[obj_type] + '_id'
+         res = self.tc._get_resource_info(self.ctx, {id_key: obj['id']})
+diff --git 
a/releasenotes/notes/fix-tagging-policy-action-names-a59e17308f214600.yaml 
b/releasenotes/notes/fix-tagging-policy-action-names-a59e17308f214600.yaml
+new file mode 100644
+index 0000000..91ee65c
+--- /dev/null
++++ b/releasenotes/notes/fix-tagging-policy-action-names-a59e17308f214600.yaml
+@@ -0,0 +1,18 @@
++---
++security:
++  - |
++    Fixed a security issue where the tagging controller's single-tag write
++    endpoints (``POST /v2.0/{resource}/{id}/tags`` and
++    ``PUT /v2.0/{resource}/{id}/tags/{tag}``) enforced policy action names
++    using the plural collection key (e.g. ``create_networks:tags``) instead
++    of the singular member name (e.g. ``create_network:tags``). Because the
++    plural names did not match any registered policy rule, they fell through
++    to oslo.policy's default rule, allowing project readers to create and
++    update tags on same-project resources.
++    All tag-write endpoints now consistently use the singular policy action
++    names that match the registered rules.
++fixes:
++  - |
++    Fixed the ``delete_floatingips:tags`` policy rule name to use the correct
++    singular form ``delete_floatingip:tags``, consistent with all other
++    tag-related policy rules.
diff -Nru neutron-26.0.0/debian/patches/series 
neutron-26.0.0/debian/patches/series
--- neutron-26.0.0/debian/patches/series        2025-07-13 17:16:33.000000000 
+0200
+++ neutron-26.0.0/debian/patches/series        2026-05-29 08:24:56.000000000 
+0200
@@ -1,3 +1,4 @@
 fix-path-of-healthcheck_disable.patch
 Add_state_reporting_back_to_metadata_agents.patch
 Fix_LoopingCallBase_argument_issue.patch
+OSSA-2026-016_Fix_plural_policy_names_in_tagging_controller_and_floatingip_policy.patch

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to