Your message dated Sat, 13 Jun 2026 13:54:32 +0000
with message-id <[email protected]>
and subject line Bug#1138848: fixed in python-oslo.messaging 16.1.0-3+deb13u1
has caused the Debian Bug report #1138848,
regarding OSSN-0096 CVE-2026-44393 : oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138848
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-oslo.messaging
Version: 16.1.0-3
Severity: important
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>

OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake


== Summary ==
Tim Shephard reported that oslo.messaging validates the RabbitMQ
broker's certificate chain when ssl_ca_file is configured, but does
not verify the broker's hostname against the certificate. An attacker
with control plane network access and a certificate trusted by the
deployment's CA can perform a man-in-the-middle attack on RPC and
notification traffic between OpenStack services.

== Affected Services / Software ==
- oslo.messaging: >=1.0.0 <16.2.0, >=17.0.0 <17.1.1, >=17.2.0 <17.3.1

All OpenStack services that use oslo.messaging for RPC or
notifications with RabbitMQ TLS are affected. The fix is included
in oslo.messaging 18.0.0 (2026.2/Hibiscus) with hostname verification
enabled by default. Code patches for stable/2026.1, 2025.2,
and 2025.1 default to disabling this validation (opt-in)
to avoid breaking deployments on upgrade.

== Discussion ==
When ssl_ca_file is configured, oslo.messaging validates the
certificate chain but does not pass the broker hostname to the
TLS stack. Any certificate trusted by the deployment's CA is
accepted regardless of which hostname it was issued for.

The fix adds ssl_enforce_hostname_verification to
[oslo_messaging_rabbit]. On master (2026.2/Hibiscus) this defaults
to True (secure by default). On stable branches it defaults to
False to avoid breaking deployments whose broker certificates lack
correct SAN entries. Multi-host configurations require
Kombu >= 5.2.0 when hostname verification is enabled.

== Recommended Actions ==
Operators running stable branches should:

- Ensure RabbitMQ broker certificates have SAN entries matching
  the hostnames used in transport_url.
- Set ssl_enforce_hostname_verification=True in
  [oslo_messaging_rabbit] in each service's configuration.
- For multi-host configurations, verify Kombu >= 5.2.0 first.
- Upgrade to the next major release when available, which
  enables hostname verification by default.

=== Patches ===
Hostname verification support was added on master and backported to
supported stable branches with verification disabled by default.

2026.2/hibiscus (master): https://review.opendev.org/c/openstack/oslo.messaging/+/988095
2026.1/gazpacho: https://review.opendev.org/c/openstack/oslo.messaging/+/988979
2025.2/flamingo: https://review.opendev.org/c/openstack/oslo.messaging/+/988980
2025.1/epoxy: https://review.opendev.org/c/openstack/oslo.messaging/+/988981

== Credits ==
Tim Shephard, roiai.ca

== Contacts / References ==

* Authors: Goutham Pacha Ravi, Red Hat
* This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0096
* Original Launchpad bug: https://launchpad.net/bugs/2150316
* Mailing List: [security-sig] tag on [email protected]
* OpenStack Security: https://security.openstack.org/
* CVE: CVE-2026-44393

--- End Message ---
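The advisory above turns on three facts about a deployment: whether TLS is used with only chain validation, whether the new ssl_enforce_hostname_verification option is set, and whether every broker host named in transport_url is covered by a certificate SAN (with Kombu >= 5.2.0 for multi-host URLs). The following audit script is an added example, not code from oslo.messaging or from the advisory; it assumes the option names given in the OSSN and the usual rabbit://user:password@host:port[,user:password@host:port]/vhost transport_url form, and the configuration and SAN list it uses are constructed.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample config (not from any real deployment): TLS to two brokers,
# chain validation via ssl_ca_file, but the hostname-verification option unset.
SAMPLE_CONF = """
[DEFAULT]
transport_url = rabbit://nova:s3cret@rabbit1.example.org:5671,nova:s3cret@rabbit2.example.org:5671/nova
[oslo_messaging_rabbit]
ssl = true
ssl_ca_file = /etc/ssl/certs/deployment-ca.pem
"""

def transport_hosts(transport_url):
    """Hostnames from a transport_url; the netloc may hold several
    comma-separated user:password@host:port entries (IPv6 literals not handled)."""
    hosts = []
    for entry in urlsplit(transport_url).netloc.split(","):
        hostport = entry.rsplit("@", 1)[-1]       # drop credentials
        hosts.append(hostport.rsplit(":", 1)[0])  # drop port
    return hosts

def san_matches(hostname, dns_sans):
    """True if hostname is covered by a DNS SAN: exact match, or a single
    left-most wildcard label such as *.example.org (no partial wildcards)."""
    host = hostname.lower().rstrip(".")
    for san in dns_sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def audit(conf_text, kombu_version=(5, 2, 0), broker_dns_sans=()):
    """Report whether the config is in the OSSN-0096 exposed state (TLS without
    hostname verification) and whether enabling verification is safe: every
    transport_url host has a matching SAN and Kombu is new enough for multi-host."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    rabbit = cp["oslo_messaging_rabbit"]
    hosts = transport_hosts(cp.get("DEFAULT", "transport_url", fallback=""))
    tls = rabbit.getboolean("ssl", fallback=False) or bool(rabbit.get("ssl_ca_file"))
    # Stable branches default the new option to False (opt-in), per the advisory.
    verify = rabbit.getboolean("ssl_enforce_hostname_verification", fallback=False)
    return {
        "hosts": hosts,
        "exposed": tls and not verify,
        "uncovered_hosts": [h for h in hosts if not san_matches(h, broker_dns_sans)],
        "kombu_ok_for_multihost": len(hosts) < 2 or tuple(kombu_version) >= (5, 2, 0),
    }
```

Run it against each service's configuration before flipping the option on: an "exposed" result with an empty "uncovered_hosts" list and "kombu_ok_for_multihost" true is the case where setting ssl_enforce_hostname_verification=True should not break the connection.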
--- Begin Message ---
Source: python-oslo.messaging
Source-Version: 16.1.0-3+deb13u1
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-oslo.messaging, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated python-oslo.messaging package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Tue, 03 Jun 2025 11:21:22 +0200
Source: python-oslo.messaging
Architecture: source
Version: 16.1.0-3+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1138848
Changes:
 python-oslo.messaging (16.1.0-3+deb13u1) trixie-security; urgency=medium
 .
   * Add fix-not-using-non-durable.patch.
   * CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker
     hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS
     hostname verification (Closes: #1138848).



--- End Message ---
