Your message dated Thu, 11 Jun 2026 11:55:07 +0200
with message-id <[email protected]>
and subject line Fixed in Sid/Testing
has caused the Debian Bug report #1139452,
regarding CVE-2026-28370 / OSSA-2026-003: Remote code execution through Vitrage query parser
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139452: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139452
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vitrage
Version: 14.0.0-4
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>

https://security.openstack.org/ossa/OSSA-2026-003.html


Date: March 03, 2026
CVE: CVE-2026-28370

Affects: Vitrage: <12.0.1, ==13.0.0, ==14.0.0, ==15.0.0

Description:

Khalil Lemtaffah (Nokia) reported a vulnerability in the Vitrage query parser.
A user allowed to access the Vitrage API may trigger code execution on the
Vitrage service host as the user the Vitrage service runs under. This may
result in unauthorized access to the host and further compromise of the
Vitrage service. All deployments exposing the Vitrage API are affected.

Patches:

    https://review.opendev.org/962671 (2023.1/antelope)
    https://review.opendev.org/962713 (2024.1/caracal)
    https://review.opendev.org/962712 (2024.2/dalmatian)
    https://review.opendev.org/962646 (2025.1/epoxy)
    https://review.opendev.org/962658 (2025.2/flamingo)
    https://review.opendev.org/962617 (2026.1/gazpacho)

Credits:

    Khalil Lemtaffah from Nokia (CVE-2026-28370)

References:

    https://storyboard.openstack.org/#!/story/2011539
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28370

Notes:

    The stable/2023.1 branch is unmaintained and will receive no new point
    releases, but a patch for it is provided as a courtesy.

--- End Message ---
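The advisory's "Affects:" line is the one thing an operator has to act on, and the Debian version in this bug (14.0.0-4) shows its limit: the upstream part matches "==14.0.0", yet the package may already carry the fix as a distro patch. The following is an added example, not code from the advisory, the Debian bug, or any OpenStack or Debian tool. It parses the advisory's clause grammar (comma-separated "<op><version>" clauses with op one of < <= == > >=, which is an assumption about the format) and checks a version string against it, treating a "-<rev>" suffix as a distro package revision that turns a match into "check the changelog" rather than a verdict. All function names are this example's own; the spec string is copied from the advisory and the version strings it is exercised with are constructed.

```python
"""Check a Vitrage version string against the OSSA-2026-003 "Affects:" spec.

Added example: not code from the advisory, the Debian bug, or any
OpenStack/Debian tool. Assumes the advisory's clause grammar is
"<op><version>" clauses separated by commas, with op one of < <= == > >=,
and that a "-<rev>" suffix on a version is a distro package revision.
"""
import re

# Copied verbatim from the advisory's "Affects:" line.
AFFECTS_SPEC = "<12.0.1, ==13.0.0, ==14.0.0, ==15.0.0"

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}

_CLAUSE = re.compile(r"\s*(<=|>=|==|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*")


def parse_version(text):
    """Split "14.0.0-4" into ((14, 0, 0), "4"); plain "14.0.0" gives revision None.

    Upstream OpenStack releases are dotted integers, so a tuple of ints
    compares correctly. The revision is kept only as a flag: it says the
    package is a distro build, not which upstream patches it carries.
    """
    upstream, _, revision = text.strip().partition("-")
    parts = upstream.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("unsupported version string: %r" % text)
    return tuple(int(p) for p in parts), (revision or None)


def parse_affects(spec):
    """Turn "<12.0.1, ==13.0.0" into [("<", (12, 0, 1)), ("==", (13, 0, 0))]."""
    clauses = []
    for item in spec.split(","):
        m = _CLAUSE.fullmatch(item)
        if not m:
            raise ValueError("cannot parse clause: %r" % item)
        clauses.append((m.group(1), parse_version(m.group(2))[0]))
    return clauses


def is_affected(version, spec=AFFECTS_SPEC):
    """True when the upstream part of `version` matches any clause of `spec`."""
    upstream, _ = parse_version(version)
    return any(_OPS[op](upstream, bound) for op, bound in parse_affects(spec))


def classify(version, spec=AFFECTS_SPEC):
    """Verdict for an installed version.

    A distro revision downgrades a match to "check the changelog", since the
    distro may have backported the fix (the Debian 14.0.0-4 in this bug is
    exactly such a case).
    """
    upstream, revision = parse_version(version)
    hit = any(_OPS[op](upstream, bound) for op, bound in parse_affects(spec))
    if not hit:
        return "not affected"
    if revision is not None:
        return "affected upstream; check distro changelog"
    return "affected"


if __name__ == "__main__":
    # Constructed inputs; only 14.0.0-4 comes from the bug report itself.
    for v in ("11.2.0", "12.0.0", "12.0.1", "13.0.0", "13.0.1", "14.0.0-4", "16.0.0"):
        print("%-10s %s" % (v, classify(v)))
```

Run as a script it prints one verdict per line; 12.0.1, 13.0.1 and 16.0.0 come out as not affected, the 14.0.0-4 Debian build comes out as "affected upstream; check distro changelog", which is the question the closing message of this bug answers by confirming the patch is already in Sid/Testing.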
--- Begin Message ---
I checked, and the patch for this bug is already in Sid/Testing, so this bug may be closed (also because I already opened bugs for Trixie/Bookworm to fix the issue there).

Cheers,

Thomas Goirand (zigo)

--- End Message ---
