Your message dated Sat, 13 Jun 2026 13:48:59 +0000
with message-id <[email protected]>
and subject line Bug#1138848: fixed in python-oslo.messaging 17.3.0-4
has caused the Debian Bug report #1138848,
regarding OSSN-0096 CVE-2026-44393 : oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138848
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-oslo.messaging
Version: 16.1.0-3
Severity: important
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>

OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake


== Summary ==
Tim Shephard reported that oslo.messaging validates the RabbitMQ
broker's certificate chain when ssl_ca_file is configured, but does
not verify the broker's hostname against the certificate. An attacker
with control plane network access and a certificate trusted by the
deployment's CA can perform a man-in-the-middle attack on RPC and
notification traffic between OpenStack services.

== Affected Services / Software ==
- oslo.messaging: >=1.0.0 <16.2.0, >=17.0.0 <17.1.1, >=17.2.0 <17.3.1

All OpenStack services that use oslo.messaging for RPC or
notifications with RabbitMQ TLS are affected. The fix is included
in oslo.messaging 18.0.0 (2026.2/Hibiscus) with hostname verification
enabled by default. Code patches for stable/2026.1, 2025.2,
and 2025.1 default to disabling this validation (opt-in)
to avoid breaking deployments on upgrade.

== Discussion ==
When ssl_ca_file is configured, oslo.messaging validates the
certificate chain but does not pass the broker hostname to the
TLS stack. Any certificate trusted by the deployment's CA is
accepted regardless of which hostname it was issued for.

The fix adds ssl_enforce_hostname_verification to
[oslo_messaging_rabbit]. On master (2026.2/Hibiscus) this defaults
to True (secure by default). On stable branches it defaults to
False to avoid breaking deployments whose broker certificates lack
correct SAN entries. Multi-host configurations require
Kombu >= 5.2.0 when hostname verification is enabled.

== Recommended Actions ==
Operators running stable branches should:

- Ensure RabbitMQ broker certificates have SAN entries matching
  the hostnames used in transport_url.
- Set ssl_enforce_hostname_verification=True in
  [oslo_messaging_rabbit] in each service's configuration.
- For multi-host configurations, verify Kombu >= 5.2.0 first.
- Upgrade to the next major release when available, which
  enables hostname verification by default.

=== Patches ===
Hostname verification support was added on master and backported to
supported stable branches with verification disabled by default.

2026.2/hibiscus (master): https://review.opendev.org/c/openstack/oslo.messaging/+/988095
2026.1/gazpacho: https://review.opendev.org/c/openstack/oslo.messaging/+/988979
2025.2/flamingo: https://review.opendev.org/c/openstack/oslo.messaging/+/988980
2025.1/epoxy: https://review.opendev.org/c/openstack/oslo.messaging/+/988981

== Credits ==
Tim Shephard, roiai.ca

== Contacts / References ==

* Authors: Goutham Pacha Ravi, Red Hat
* This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0096
* Original Launchpad bug: https://launchpad.net/bugs/2150316
* Mailing List: [security-sig] tag on [email protected]
* OpenStack Security: https://security.openstack.org/
* CVE: CVE-2026-44393

--- End Message ---
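A pre-flight check an operator could run before setting ssl_enforce_hostname_verification=True, added here as an example; it is not part of the advisory or of oslo.messaging's own code. It pulls every broker host out of a transport_url, matches each against the DNS SAN entries of the broker certificate, and shows in Python's ssl module what the two settings amount to (chain verification kept, hostname check on or off). The transport_url, the SAN list and the function names are constructed assumptions.

```python
"""Check broker SANs against transport_url hosts (constructed example for OSSN-0096)."""
import ssl
from urllib.parse import urlsplit

# Constructed sample input: a three-host transport_url and the DNS SANs of the
# certificate the brokers present. rabbit3 is deliberately missing from the SANs.
SAMPLE_TRANSPORT_URL = ("rabbit://osuser:secret@rabbit1.example.com:5671,"
                        "osuser:secret@node1.rabbit.example.com:5671,"
                        "osuser:secret@rabbit3.example.com:5671/openstack")
SAMPLE_SAN_DNS = ["rabbit1.example.com", "*.rabbit.example.com"]


def transport_url_hosts(transport_url: str) -> list[str]:
    """Return the broker hostnames of a transport_url (multi-host: comma-separated
    user:pass@host:port entries before the optional /vhost and ?query)."""
    rest = transport_url.split("://", 1)[1]
    netloc = rest.split("/", 1)[0]           # drop /vhost; urlsplit drops ?query
    return [urlsplit("//" + part).hostname for part in netloc.split(",")]


def san_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """RFC 6125-style match: exact name, or a wildcard covering one leftmost label."""
    host = hostname.lower()
    for name in (n.lower() for n in san_dns_names):
        if name == host:
            return True
        if name.startswith("*.") and host.split(".", 1)[1:] == [name[2:]]:
            return True
    return False


def uncovered_hosts(transport_url: str, san_dns_names: list[str]) -> list[str]:
    """Hosts that would fail once hostname verification is enforced."""
    return [h for h in transport_url_hosts(transport_url)
            if not san_matches(h, san_dns_names)]


def broker_ssl_context(ca_file, enforce_hostname: bool) -> ssl.SSLContext:
    """Client context mirroring the two settings (assumption: this is what the
    option toggles; the Kombu plumbing oslo.messaging uses is not reproduced)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED by default
    ctx.check_hostname = enforce_hostname          # False == pre-fix behaviour
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # ssl_ca_file equivalent
    return ctx


def context_flags(ctx: ssl.SSLContext) -> tuple:
    """(hostname checked?, verify mode name) for reporting."""
    return (ctx.check_hostname, ctx.verify_mode.name)


if __name__ == "__main__":
    print("hosts without a matching SAN:", uncovered_hosts(SAMPLE_TRANSPORT_URL, SAMPLE_SAN_DNS))
```

Any host listed by uncovered_hosts needs a matching SAN entry on the broker certificate before the option is switched on, otherwise that service's RPC connections will start failing the handshake.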
--- Begin Message ---
Source: python-oslo.messaging
Source-Version: 17.3.0-4
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-oslo.messaging, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated python-oslo.messaging package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Thu, 04 Jun 2026 21:57:05 +0200
Source: python-oslo.messaging
Architecture: source
Version: 17.3.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1138848
Changes:
 python-oslo.messaging (17.3.0-4) unstable; urgency=medium
 .
   * CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker
     hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS
     hostname verification (Closes: #1138848).



--- End Message ---
