Your message dated Sat, 13 Jun 2026 14:34:19 +0000
with message-id <[email protected]>
and subject line Bug#1138848: fixed in python-oslo.messaging 14.0.3-0+deb12u1
has caused the Debian Bug report #1138848,
regarding OSSN-0096 CVE-2026-44393 : oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138848
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-oslo.messaging
Version: 16.1.0-3
Severity: important
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>

OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake


== Summary ==
Tim Shephard reported that oslo.messaging validates the RabbitMQ
broker's certificate chain when ssl_ca_file is configured, but does
not verify the broker's hostname against the certificate. An attacker
with control plane network access and a certificate trusted by the
deployment's CA can perform a man-in-the-middle attack on RPC and
notification traffic between OpenStack services.

== Affected Services / Software ==
- oslo.messaging: >=1.0.0 <16.2.0, >=17.0.0 <17.1.1, >=17.2.0 <17.3.1

All OpenStack services that use oslo.messaging for RPC or
notifications with RabbitMQ TLS are affected. The fix is included
in oslo.messaging 18.0.0 (2026.2/Hibiscus) with hostname verification
enabled by default. Code patches for stable/2026.1, 2025.2,
and 2025.1 default to disabling this validation (opt-in)
to avoid breaking deployments on upgrade.

== Discussion ==
When ssl_ca_file is configured, oslo.messaging validates the
certificate chain but does not pass the broker hostname to the
TLS stack. Any certificate trusted by the deployment's CA is
accepted regardless of which hostname it was issued for.

The fix adds ssl_enforce_hostname_verification to
[oslo_messaging_rabbit]. On master (2026.2/Hibiscus) this defaults
to True (secure by default). On stable branches it defaults to
False to avoid breaking deployments whose broker certificates lack
correct SAN entries. Multi-host configurations require
Kombu >= 5.2.0 when hostname verification is enabled.

== Recommended Actions ==
Operators running stable branches should:

- Ensure RabbitMQ broker certificates have SAN entries matching
  the hostnames used in transport_url.
- Set ssl_enforce_hostname_verification=True in
  [oslo_messaging_rabbit] in each service's configuration.
- For multi-host configurations, verify Kombu >= 5.2.0 first.
- Upgrade to the next major release when available, which
  enables hostname verification by default.

=== Patches ===
Hostname verification support was added on master and backported to
supported stable branches with verification disabled by default.

2026.2/hibiscus (master): 
https://review.opendev.org/c/openstack/oslo.messaging/+/988095
2026.1/gazpacho: https://review.opendev.org/c/openstack/oslo.messaging/+/988979
2025.2/flamingo: https://review.opendev.org/c/openstack/oslo.messaging/+/988980
2025.1/epoxy: https://review.opendev.org/c/openstack/oslo.messaging/+/988981

== Credits ==
Tim Shephard, roiai.ca

== Contacts / References ==

* Authors: Goutham Pacha Ravi, Red Hat
* This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0096
* Original Launchpad bug: https://launchpad.net/bugs/2150316
* Mailing List : [security-sig] tag on [email protected]
* OpenStack Security : https://security.openstack.org/
* CVE: CVE-2026-44393

--- End Message ---
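The advisory above describes two conditions an operator on a stable branch has to check by hand: that ssl_enforce_hostname_verification is actually set in [oslo_messaging_rabbit], and that every broker named in transport_url is covered by a SAN entry on the broker certificate. The following script is an added example written for this page; it is not code from oslo.messaging, the OSSN, or the Debian package. The sample configuration, the SAN lists and the hostnames are constructed, the transport_url parser and the RFC 6125-style name matching are written here rather than taken from oslo.messaging, and the TLS context builder only mirrors the behaviour the advisory describes (chain verified, name check skipped) without loading a real CA file.

```python
"""Audit an OpenStack service config for the OSSN-0096 gap: RabbitMQ TLS
with the certificate chain verified but the broker hostname never checked.
Runs offline; every input below is constructed for this example."""
import configparser
import ipaddress
import ssl

# Constructed sample: a stable-branch deployment that never set the new
# option, with one broker reached by IP literal (assumed, not a real site).
VULNERABLE_CONF = """
[DEFAULT]
transport_url = rabbit://nova:s3cret@rabbit1.ctl.example:5671,nova:s3cret@rabbit2.ctl.example:5671,nova:s3cret@10.0.0.7:5671/openstack

[oslo_messaging_rabbit]
ssl = true
ssl_ca_file = /etc/pki/deployment-ca.pem
"""

# The same deployment after applying the OSSN's recommended actions.
HARDENED_CONF = VULNERABLE_CONF + "ssl_enforce_hostname_verification = true\n"

# SAN entries in the shape ssl.getpeercert()['subjectAltName'] reports them
# (constructed): before and after the broker certificate was reissued.
SANS_BEFORE = (("DNS", "rabbit1.ctl.example"), ("DNS", "rabbit2.ctl.example"))
SANS_AFTER = SANS_BEFORE + (("IP Address", "10.0.0.7"),)


def transport_hosts(transport_url):
    """Hostnames in an oslo.messaging transport_url.  The authority is a
    comma-separated list (user:pass@host:port,...), which urllib cannot
    split, so it is taken apart by hand here (hypothetical helper)."""
    _, sep, rest = transport_url.partition("://")
    if not sep:
        raise ValueError("transport_url lacks a scheme")
    authority = rest.split("/", 1)[0].split("?", 1)[0]
    hosts = []
    for target in authority.split(","):
        hostport = target.rsplit("@", 1)[-1]
        if hostport.startswith("["):                 # [v6-literal]:port
            hosts.append(hostport[1:hostport.index("]")])
        else:
            hosts.append(hostport.rsplit(":", 1)[0])
    return hosts


def dnsname_matches(san, host):
    """RFC 6125-style dNSName match: case-insensitive, wildcard allowed only
    as the whole left-most label, and a wildcard never spans a dot."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    s_labels, h_labels = san.split("."), host.split(".")
    if s_labels[0] != "*" or any("*" in l for l in s_labels[1:]) or len(s_labels) < 3:
        return False
    return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]


def host_matches_sans(host, sans):
    """True if a transport_url host is covered by the certificate's SANs.
    IP literals match only iPAddress entries, names only dNSName entries."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and dnsname_matches(value, host):
            return True
    return False


def audit(conf_text, broker_sans):
    """Return findings for one service config given the SANs the broker
    certificate carries; an empty list means both OSSN checks pass."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    if not cp.getboolean("oslo_messaging_rabbit", "ssl", fallback=False):
        return ["TLS to RabbitMQ is not enabled (ssl is not true)"]
    # Stable branches default this to False, so an absent option is a finding.
    if not cp.getboolean("oslo_messaging_rabbit",
                         "ssl_enforce_hostname_verification", fallback=False):
        findings.append("ssl_enforce_hostname_verification is not True: the "
                        "chain is checked but any CA-issued cert is accepted")
    for host in transport_hosts(cp.get("DEFAULT", "transport_url")):
        if not host_matches_sans(host, broker_sans):
            findings.append("broker %s is not covered by any SAN entry" % host)
    return findings


def broker_tls_context(enforce_hostname):
    """Client context showing the two behaviours the advisory contrasts:
    verify_mode stays CERT_REQUIRED either way (chain validation), and only
    check_hostname decides whether the broker name is compared to the cert.
    No CA file is loaded so the example runs offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = enforce_hostname
    return ctx


if __name__ == "__main__":
    for label, conf, sans in (("before", VULNERABLE_CONF, SANS_BEFORE),
                              ("after", HARDENED_CONF, SANS_AFTER)):
        print(label, audit(conf, sans) or "OK")
```

Run against the constructed "before" input the audit reports two findings (the option is unset, and the broker addressed as 10.0.0.7 has no iPAddress SAN); the "after" input reports none. Note that matching names against SANs by hand only tells you what the TLS stack will accept once ssl_enforce_hostname_verification is True; it does not replace turning the option on.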
--- Begin Message ---
Source: python-oslo.messaging
Source-Version: 14.0.3-0+deb12u1
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-oslo.messaging, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated python-oslo.messaging package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 Mar 2024 11:42:43 +0100
Source: python-oslo.messaging
Architecture: source
Version: 14.0.3-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1138848
Changes:
 python-oslo.messaging (14.0.3-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream release.
   * Add patches:
     - Implement_get_rpc_client_function.patch
     - Support_overriding_class_for_get_rpc_helper_functions.patch
   * CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker
     hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS
     hostname verification (Closes: #1138848).
Checksums-Sha1:
 29d39bb126166c216fe43eaf88a983a3a4fd0752 2900 python-oslo.messaging_14.0.3-0+deb12u1.dsc
 b7824e99203da272489fd6d2a891802685821d34 185176 python-oslo.messaging_14.0.3.orig.tar.xz
 a4b2f05af7da001636b4c0301512047fc07e74f7 14776 python-oslo.messaging_14.0.3-0+deb12u1.debian.tar.xz
 6fdf78a4bca80095437f5629aec9fa2cde1e9704 13218 python-oslo.messaging_14.0.3-0+deb12u1_amd64.buildinfo
Checksums-Sha256:
 75a12529f33d2b265ae83d53fd6464eef23175be6ec578e61b4a6ef56ffa7138 2900 python-oslo.messaging_14.0.3-0+deb12u1.dsc
 8762f506b07732b58260d7e137d275c9e1a6af021234728d520fbe78a092a414 185176 python-oslo.messaging_14.0.3.orig.tar.xz
 feda56af27c0044cd808d53c93305e167039bdee6f0849105775c8a7a5e0aaa5 14776 python-oslo.messaging_14.0.3-0+deb12u1.debian.tar.xz
 86a44c79a6ab8459667a5dc94079c33490d4d0eec8cd6e2ab9f98b49b062f3b8 13218 python-oslo.messaging_14.0.3-0+deb12u1_amd64.buildinfo
Files:
 ca9e546aec2e91f313c93f10a8cad456 2900 python optional python-oslo.messaging_14.0.3-0+deb12u1.dsc
 c3cb8c007dbf4632142d1f235d1cc9a8 185176 python optional python-oslo.messaging_14.0.3.orig.tar.xz
 ca24d7335d039a3b313377e2e3431059 14776 python optional python-oslo.messaging_14.0.3-0+deb12u1.debian.tar.xz
 782badd9a573ef830ddc11c76f93d11b 13218 python optional python-oslo.messaging_14.0.3-0+deb12u1_amd64.buildinfo



--- End Message ---
