Your message dated Thu, 11 Jun 2026 20:47:15 +0000
with message-id <[email protected]>
and subject line Bug#1138844: fixed in neutron 2:26.0.3-0+deb13u2
has caused the Debian Bug report #1138844,
regarding OSSA-2026-021: Neutron port RBAC policy bypass allows project managers to set trusted device owners on shared networks (CVE-2026-50266)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138844: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138844
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: neutron
Version: 2:26.0.0-9
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>

Copying the upstream announcement from here:
https://security.openstack.org/ossa/OSSA-2026-021.html


Date: June 04, 2026
CVE: CVE-2026-pending
Affects: Neutron: >=25.0.0 <25.2.4, >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, ==28.0.0
Note from packaging maintainer: Only Trixie Sid/Testing.
Description:

Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron’s
default port RBAC rules. A project manager can create or update a port on a
shared network owned by another project and set device_owner to a trusted
network-service value such as network:dhcp. Depending on backend and
deployment, this can bypass anti-spoofing and security group protections. This
is a regression of CVE-2015-5240 (OSSA-2015-018) introduced by the manager
role support change. Deployments running Neutron 25.0.0 or later are affected.

Patches:
    https://review.opendev.org/991523 (2025.1/epoxy)
    https://review.opendev.org/990356 (2025.2/flamingo)
    https://review.opendev.org/990353 (2026.1/gazpacho)
    https://review.opendev.org/990273 (2026.2/hibiscus)

Credits:
    Tim Shephard from roiai.ca (CVE-2026-pending)

References:
    https://launchpad.net/bugs/2152115
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending

Notes:
    A CVE request has been filed with MITRE (CAN-2026-2030702).
    This is a regression of CVE-2015-5240 (OSSA-2015-018).

--- End Message ---
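The advisory above describes a pattern an operator can look for in an existing deployment: a port carrying a service-style device_owner (network:dhcp and friends) on a shared network, held by a project that does not own the network. The script below is an added example written for this page; it is not code from the advisory, from Neutron or from the Debian package. It works over plain dicts keyed by the Neutron REST API field names (port: id, network_id, project_id, device_owner; network: id, project_id, shared), so you feed it whatever you exported from the API; the records embedded here are constructed for the demonstration. Two assumptions are baked in and labelled in the code: that the "network:" prefix is the boundary between untrusted and trusted device_owner values, and that networks shared with specific projects through network RBAC entries have to be supplied separately (their shared flag stays false in an admin listing; openstack network rbac list --type network gives you those IDs).

```python
"""Audit Neutron port/network records for the OSSA-2026-021 pattern.

Added example, not code from the advisory, Neutron or the Debian package.
Records are plain dicts keyed by the Neutron REST API field names
(port: id, network_id, project_id, device_owner; network: id, project_id,
shared). The sample records below are constructed for the demonstration.
"""

# Assumption: Neutron treats any device_owner beginning with "network:"
# (network:dhcp, network:router_interface, ...) as a service-owned port
# that may be exempt from anti-spoofing and security group enforcement.
TRUSTED_PREFIX = "network:"


def is_trusted_device_owner(device_owner):
    """True for service-owned device_owner values such as network:dhcp."""
    return bool(device_owner) and device_owner.startswith(TRUSTED_PREFIX)


def is_shared(network, rbac_shared_ids=frozenset()):
    """True if projects other than the owner can put ports on this network.

    The global 'shared' flag covers sharing with every project. Networks
    shared with specific projects through network RBAC entries keep
    shared=False in an admin listing, so their IDs are passed in separately.
    """
    return bool(network.get("shared")) or network["id"] in rbac_shared_ids


def find_suspicious_ports(ports, networks, rbac_shared_ids=frozenset()):
    """Return ports with a trusted device_owner on a shared network whose
    owning project differs from the port's project.

    Every hit is a candidate for triage, not proof of abuse: an admin can
    create such ports legitimately, and some backends attribute service
    ports to the network's project rather than the caller's.
    """
    nets = {n["id"]: n for n in networks}
    findings = []
    for port in ports:
        if not is_trusted_device_owner(port.get("device_owner")):
            continue
        port_project = port.get("project_id") or ""
        if not port_project:
            # Router gateway ports carry no project; nothing to compare.
            continue
        net = nets.get(port.get("network_id"))
        if net is None or not is_shared(net, rbac_shared_ids):
            # Outside the advisory's scope: the bypass needs a shared network.
            continue
        if port_project == net.get("project_id"):
            # The network owner may legitimately hold service ports.
            continue
        findings.append({
            "port_id": port["id"],
            "network_id": net["id"],
            "device_owner": port["device_owner"],
            "port_project": port_project,
            "network_project": net.get("project_id"),
        })
    return findings


# Constructed sample data; IDs and project names are made up.
SAMPLE_NETWORKS = [
    {"id": "net-a", "project_id": "proj-a", "shared": True},
    {"id": "net-b", "project_id": "proj-b", "shared": False},
    {"id": "net-c", "project_id": "proj-c", "shared": False},  # shared via RBAC
]
SAMPLE_RBAC_SHARED = frozenset({"net-c"})
SAMPLE_PORTS = [
    # Legitimate DHCP port held by the network owner.
    {"id": "port-1", "network_id": "net-a", "project_id": "proj-a",
     "device_owner": "network:dhcp"},
    # The advisory's pattern: another project's port claiming network:dhcp.
    {"id": "port-2", "network_id": "net-a", "project_id": "proj-x",
     "device_owner": "network:dhcp"},
    # Ordinary instance port, untrusted device_owner.
    {"id": "port-3", "network_id": "net-a", "project_id": "proj-x",
     "device_owner": "compute:nova"},
    # Cross-project trusted owner on a network that is not shared at all.
    {"id": "port-4", "network_id": "net-b", "project_id": "proj-x",
     "device_owner": "network:dhcp"},
    # Same pattern on a network shared only through an RBAC entry.
    {"id": "port-5", "network_id": "net-c", "project_id": "proj-x",
     "device_owner": "network:router_interface"},
    # Router gateway port: no project, skipped.
    {"id": "port-6", "network_id": "net-a", "project_id": "",
     "device_owner": "network:router_gateway"},
]


if __name__ == "__main__":
    for hit in find_suspicious_ports(SAMPLE_PORTS, SAMPLE_NETWORKS,
                                     SAMPLE_RBAC_SHARED):
        print("{port_id}: {device_owner} by {port_project} on {network_id} "
              "(owned by {network_project})".format(**hit))
```

On the sample data the two hits are port-2 and port-5; port-5 only surfaces when the RBAC-shared network IDs are supplied, which is the case that a quick look at the shared flag alone misses. Treat each hit as something to check against who created the port and when, not as a verdict: the advisory itself notes that whether the trusted device_owner actually disables anti-spoofing or security groups depends on the backend and the deployment.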
--- Begin Message ---
Source: neutron
Source-Version: 2:26.0.3-0+deb13u2
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
neutron, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated neutron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Jun 2026 11:00:14 +0200
Source: neutron
Architecture: source
Version: 2:26.0.3-0+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1135272 1138844
Changes:
 neutron (2:26.0.3-0+deb13u2) trixie-security; urgency=medium
 .
   * New upstream point release.
   * Removed patches applied upstream:
     - Add_state_reporting_back_to_metadata_agents.patch
     - Fix_LoopingCallBase_argument_issue.patch
   * Add start-time=%t in neutron-api-uwsgi.ini.
   * Add haproxy as runtime depends of neutron-ovn-agent. Thanks to Sakirnth
     Nagarasa for the report (Closes: #1135272).
   * CVE-2026-50266 / OSSA-2026-021: Neutron port RBAC policy bypass allows
     project managers to set trusted device owners on shared networks. Added
     upstream patch: Fix port RBAC policies to require network ownership
     (Closes: #1138844).
Checksums-Sha1:
 07942b56d312f39f43dc72b334042f0f6bcdd3b4 5086 neutron_26.0.3-0+deb13u2.dsc
 153a29dc30b55187ea6bb052e94cb48d012dc500 10241136 neutron_26.0.3.orig.tar.xz
 053543953d67b6774104fa0a98496994369ceea0 47164 neutron_26.0.3-0+deb13u2.debian.tar.xz
 406b88ce61cdaca46373745f1a008a848202e1d4 23146 neutron_26.0.3-0+deb13u2_amd64.buildinfo
Checksums-Sha256:
 dec5eea268039fd604d47036d14cb84f8014d26ff71a29503791679b296a9ad2 5086 neutron_26.0.3-0+deb13u2.dsc
 611e8b2e2aab1f6585bd426bcb91b94c3f88215d2913aa1158f6a604d448c1be 10241136 neutron_26.0.3.orig.tar.xz
 767089c90a06b06b2fa22b32895236a1ef0926343983d8d038d0527e899e2fbb 47164 neutron_26.0.3-0+deb13u2.debian.tar.xz
 7de63a7d206fa1259cd49ad6ac799354c00914c03e7a921891f896408e94c4be 23146 neutron_26.0.3-0+deb13u2_amd64.buildinfo
Files:
 323dfc5e716b4eebb614f0640d771ad0 5086 net optional neutron_26.0.3-0+deb13u2.dsc
 605a4f7f503a30e367b766d6a903f853 10241136 net optional neutron_26.0.3.orig.tar.xz
 7eae47cec7cc4f63ef5664d91ba2eb38 47164 net optional neutron_26.0.3-0+deb13u2.debian.tar.xz
 e2019df24eaff587ca246ab53c7381d9 23146 net optional neutron_26.0.3-0+deb13u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpKHJBKXUypR.pgp
Description: PGP signature


--- End Message ---
