Your message dated Tue, 09 Jun 2026 22:12:06 +0000
with message-id <[email protected]>
and subject line Bug#1138843: fixed in mistral 20.0.0-2+deb13u1
has caused the Debian Bug report #1138843,
regarding CVE-2026-41283 OSSA-2026-020: Mistral policy enforcement bypass
allows unauthorized public resource creation and arbitrary code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138843
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mistral
Version: 20.0.0-2
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Mistral is affected by CVE-2026-41283
Copying content of:
https://security.openstack.org/ossa/OSSA-2026-020.html
Date: June 03, 2026
CVE: CVE-2026-41283
Affects: Mistral: >=20.0.0 <20.1.1, ==21.0.0, ==22.0.0
Note from package maintainer: All versions from Bullseye to Trixie
Description:
Eduardo Gonzalez Gutierrez and Arnaud Morin (OVHcloud) reported that several
Mistral API endpoints do not enforce access policies, allowing any
authenticated user to create public resources and upload arbitrary code that
executes on Mistral executor workers. An attacker could extract sensitive data
including service credentials from the worker. Deployments exposing the Mistral
API are affected.
Patches:
https://review.opendev.org/991416 (2025.1/epoxy)
https://review.opendev.org/991417 (2025.1/epoxy)
https://review.opendev.org/991418 (2025.1/epoxy)
https://review.opendev.org/991419 (2025.1/epoxy)
https://review.opendev.org/991420 (2025.1/epoxy)
https://review.opendev.org/991421 (2025.1/epoxy)
https://review.opendev.org/991422 (2025.1/epoxy)
https://review.opendev.org/991423 (2025.1/epoxy)
https://review.opendev.org/991408 (2025.2/flamingo)
https://review.opendev.org/991409 (2025.2/flamingo)
https://review.opendev.org/991410 (2025.2/flamingo)
https://review.opendev.org/991411 (2025.2/flamingo)
https://review.opendev.org/991412 (2025.2/flamingo)
https://review.opendev.org/991413 (2025.2/flamingo)
https://review.opendev.org/991414 (2025.2/flamingo)
https://review.opendev.org/991415 (2025.2/flamingo)
https://review.opendev.org/991400 (2026.1/gazpacho)
https://review.opendev.org/991401 (2026.1/gazpacho)
https://review.opendev.org/991402 (2026.1/gazpacho)
https://review.opendev.org/991403 (2026.1/gazpacho)
https://review.opendev.org/991404 (2026.1/gazpacho)
https://review.opendev.org/991405 (2026.1/gazpacho)
https://review.opendev.org/991406 (2026.1/gazpacho)
https://review.opendev.org/991407 (2026.1/gazpacho)
https://review.opendev.org/991392 (2026.2/hibiscus)
https://review.opendev.org/991393 (2026.2/hibiscus)
https://review.opendev.org/991394 (2026.2/hibiscus)
https://review.opendev.org/991395 (2026.2/hibiscus)
https://review.opendev.org/991396 (2026.2/hibiscus)
https://review.opendev.org/991397 (2026.2/hibiscus)
https://review.opendev.org/991398 (2026.2/hibiscus)
https://review.opendev.org/991399 (2026.2/hibiscus)
Credits:
Eduardo Gonzalez Gutierrez from Independent (CVE-2026-41283)
Arnaud Morin from OVHcloud (CVE-2026-41283)
References:
https://launchpad.net/bugs/2147178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41283
--- End Message ---
--- Begin Message ---
Source: mistral
Source-Version: 20.0.0-2+deb13u1
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mistral, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated mistral package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 25 May 2026 17:18:35 +0200
Source: mistral
Architecture: source
Version: 20.0.0-2+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1138843 1138849
Changes:
mistral (20.0.0-2+deb13u1) trixie-security; urgency=medium
.
* CVE-2026-41283: Mistral policy enforcement bypass allows unauthorized
public resource creation and arbitrary code execution. Applied upstream
patches:
- Restrict publicize policies to admin only
- Remove unnecessary expect_errors=True from policy tests
- Add code_sources publicize policy and enforcement
- Restrict code_sources and dynamic_actions policies to
- Add dynamic_actions publicize policy and enforcement
- Add workbooks publicize policy and enforcement
- Add cron_triggers publicize policy and enforcement
- Add environments publicize policy and enforcement
(Closes: #1138843)
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
Applied upstream patch: "Strip sensitive info from workflow execution
context" (Closes: #1138849).
Checksums-Sha1:
f5b854625f9fd69baa1693184ebdd6df39d8f555 3536 mistral_20.0.0-2+deb13u1.dsc
d521ec7e7ace2409de2c97c3cccf67f2f91b67e5 1013184 mistral_20.0.0.orig.tar.xz
1578f0956734337f30a22803d8c6a83d12c10ef9 21228
mistral_20.0.0-2+deb13u1.debian.tar.xz
a47693c653c0ce23b84d9441dc6624cdabec930e 17628
mistral_20.0.0-2+deb13u1_amd64.buildinfo
Checksums-Sha256:
2b37fb33e6f944361d7d0de72c4df31b69ec930d4cfceff6d5e8756549ca3b68 3536
mistral_20.0.0-2+deb13u1.dsc
2c8368e56b9038a8f1b1c75440168a95bf389b9080d923c07fac8f4e4121a1a3 1013184
mistral_20.0.0.orig.tar.xz
442b30306097bc93d48c696d94142f3b580d03a11e6a3d0fed3c47c8587bc228 21228
mistral_20.0.0-2+deb13u1.debian.tar.xz
4c5bef8000bdc6bb942a86a1d614b4be08eb1a75f36c547b47be0d6cf25ae52d 17628
mistral_20.0.0-2+deb13u1_amd64.buildinfo
Files:
64ce16f1e983d06c616f152136efd9bf 3536 net optional mistral_20.0.0-2+deb13u1.dsc
83adc2526c2c78db6d680ec05e032186 1013184 net optional
mistral_20.0.0.orig.tar.xz
64d9fb6430c1990ee45b8fd098da6c9a 21228 net optional
mistral_20.0.0-2+deb13u1.debian.tar.xz
33ecac5579e813857058b178f4b87ac1 17628 net optional
mistral_20.0.0-2+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmolmwAACgkQ1BatFaxr
Q/56pQ/+OzwfZPl56nUwaY+rlbxif00xjHuX4zinCqKikalNx3PhGQsz//w8Tbzs
SGDLlwcz7Fj9VSDouEooYu5iz7WZ7gh8lscVxV7W4llV7Fo0GW3diLYi/mFDz9OC
bz+kg3fqYdk/NKyxEu+Hen+sykaLu+CuDCXpsQYP4JnZQINVGP+dgqYfHD7tzauY
8lWpnnOt4m4JxilSx7dE7jqMF2BpNC+Y/QRODtLSw2+vwqmqpHh1JWN4Cf14D8ZQ
Kpn1Ne4sE0u8TCeKEvvffdQWsjap6dISaPWDsXpL7kFo4JgfBATOafjoSMpbWZjP
PuW7U5fwVV59y5PC+AMF8zFdmTye+P5WwKD8O5W3CyJRTMSplrx84IUrFRbzXjqA
kOGP8loitun+3yELbchi04Xv5d1SLAUhGKMClk2Be95MLqacz9DkmV/CXy7KpiuA
6i691QlzbmLMQ9t50/JJH8UwU/Xf0J56Ra051r6RBa15WJsgvL+GnySr0X/vgCYK
TReNsmHiYT0Ls7LG4gWrn1GHVQe6Taavka1lD5/iqi7b9nVA3ybkenrjk9g7tffG
yHby+HKonrV7Q540vE0cz+8HiDODBITONz4w4uIf361rfDmY7rNgncfYksCkHgci
OP6jsDR2UHgJWvD942xVw4Yzj6/czrSSSBxsCAsOFY0lp6IcFic=
=mn94
-----END PGP SIGNATURE-----
pgpqow7Mg9MUO.pgp
Description: PGP signature
--- End Message ---
