Your message dated Tue, 09 Jun 2026 22:12:30 +0000
with message-id <[email protected]>
and subject line Bug#1138843: fixed in mistral 15.0.0-1+deb12u1
has caused the Debian Bug report #1138843,
regarding CVE-2026-41283 OSSA-2026-020: Mistral policy enforcement bypass
allows unauthorized public resource creation and arbitrary code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138843
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mistral
Version: 20.0.0-2
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Mistral is affected by CVE-2026-41283
Copying content of:
https://security.openstack.org/ossa/OSSA-2026-020.html
Date: June 03, 2026
CVE: CVE-2026-41283
Affects: Mistral: >=20.0.0 <20.1.1, ==21.0.0, ==22.0.0
Note from package maintainer: All versions from Bullseye to Trixie
Description:
Eduardo Gonzalez Gutierrez and Arnaud Morin (OVHcloud) reported that several
Mistral API endpoints do not enforce access policies, allowing any
authenticated user to create public resources and upload arbitrary code that
executes on Mistral executor workers. An attacker could extract sensitive data
including service credentials from the worker. Deployments exposing the Mistral
API are affected.
Patches:
https://review.opendev.org/991416 (2025.1/epoxy)
https://review.opendev.org/991417 (2025.1/epoxy)
https://review.opendev.org/991418 (2025.1/epoxy)
https://review.opendev.org/991419 (2025.1/epoxy)
https://review.opendev.org/991420 (2025.1/epoxy)
https://review.opendev.org/991421 (2025.1/epoxy)
https://review.opendev.org/991422 (2025.1/epoxy)
https://review.opendev.org/991423 (2025.1/epoxy)
https://review.opendev.org/991408 (2025.2/flamingo)
https://review.opendev.org/991409 (2025.2/flamingo)
https://review.opendev.org/991410 (2025.2/flamingo)
https://review.opendev.org/991411 (2025.2/flamingo)
https://review.opendev.org/991412 (2025.2/flamingo)
https://review.opendev.org/991413 (2025.2/flamingo)
https://review.opendev.org/991414 (2025.2/flamingo)
https://review.opendev.org/991415 (2025.2/flamingo)
https://review.opendev.org/991400 (2026.1/gazpacho)
https://review.opendev.org/991401 (2026.1/gazpacho)
https://review.opendev.org/991402 (2026.1/gazpacho)
https://review.opendev.org/991403 (2026.1/gazpacho)
https://review.opendev.org/991404 (2026.1/gazpacho)
https://review.opendev.org/991405 (2026.1/gazpacho)
https://review.opendev.org/991406 (2026.1/gazpacho)
https://review.opendev.org/991407 (2026.1/gazpacho)
https://review.opendev.org/991392 (2026.2/hibiscus)
https://review.opendev.org/991393 (2026.2/hibiscus)
https://review.opendev.org/991394 (2026.2/hibiscus)
https://review.opendev.org/991395 (2026.2/hibiscus)
https://review.opendev.org/991396 (2026.2/hibiscus)
https://review.opendev.org/991397 (2026.2/hibiscus)
https://review.opendev.org/991398 (2026.2/hibiscus)
https://review.opendev.org/991399 (2026.2/hibiscus)
Credits:
Eduardo Gonzalez Gutierrez from Independent (CVE-2026-41283)
Arnaud Morin from OVHcloud (CVE-2026-41283)
References:
https://launchpad.net/bugs/2147178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41283
--- End Message ---
--- Begin Message ---
Source: mistral
Source-Version: 15.0.0-1+deb12u1
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mistral, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated mistral package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 25 May 2026 17:20:47 +0200
Source: mistral
Architecture: source
Version: 15.0.0-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1138843
Changes:
mistral (15.0.0-1+deb12u1) bookworm-security; urgency=medium
.
* CVE-2026-41283: Mistral policy enforcement bypass allows unauthorized
public resource creation and arbitrary code execution. Applied upstream
patches:
- Restrict publicize policies to admin only
- Remove unnecessary expect_errors=True from policy tests
- Add code_sources publicize policy and enforcement
- Restrict code_sources and dynamic_actions policies to
- Add dynamic_actions publicize policy and enforcement
- Add workbooks publicize policy and enforcement
- Add cron_triggers publicize policy and enforcement
- Add environments publicize policy and enforcement
(Closes: #1138843)
--- End Message ---