Your message dated Tue, 16 Jun 2026 20:47:37 +0000
with message-id <[email protected]>
and subject line Bug#1139452: fixed in vitrage 9.0.0-3.1+deb12u1
has caused the Debian Bug report #1139452,
regarding CVE-2026-28370 / OSSA-2026-003: Remote code execution through Vitrage query parser
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139452: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139452
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vitrage
Version: 14.0.0-4
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>

https://security.openstack.org/ossa/OSSA-2026-003.html


Date: March 03, 2026
CVE: CVE-2026-28370

Affects: Vitrage: <12.0.1, ==13.0.0, ==14.0.0, ==15.0.0

Description:

Khalil Lemtaffah (Nokia) reported a vulnerability in the Vitrage query parser.
A user allowed to access the Vitrage API may trigger code execution on the
Vitrage service host as the user the Vitrage service runs under. This may
result in unauthorized access to the host and further compromise of the
Vitrage service. All deployments exposing the Vitrage API are affected.

Patches:

    https://review.opendev.org/962671 (2023.1/antelope)
    https://review.opendev.org/962713 (2024.1/caracal)
    https://review.opendev.org/962712 (2024.2/dalmatian)
    https://review.opendev.org/962646 (2025.1/epoxy)
    https://review.opendev.org/962658 (2025.2/flamingo)
    https://review.opendev.org/962617 (2026.1/gazpacho)

Credits:

    Khalil Lemtaffah from Nokia (CVE-2026-28370)

References:

    https://storyboard.openstack.org/#!/story/2011539
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28370

Notes:

    The stable/2023.1 branch is unmaintained and will receive no new point
    releases, but a patch for it is provided as a courtesy.

--- End Message ---
--- Begin Message ---
Source: vitrage
Source-Version: 9.0.0-3.1+deb12u1
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
vitrage, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated vitrage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Jun 2026 22:00:22 +0200
Source: vitrage
Architecture: source
Version: 9.0.0-3.1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1139452
Changes:
 vitrage (9.0.0-3.1+deb12u1) bookworm; urgency=medium
 .
   * CVE-2026-28370 / OSSA-2026-003: Remote code execution through Vitrage query
     parser. Applied upstream patch: Replace eval with function matching.
     (Closes: #1139452)


--- End Message ---
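The changelog above says the upstream fix replaces eval with function matching. The following is an added illustration of that pattern, not Vitrage's or Debian's code: a hypothetical query-predicate builder in the vulnerable style beside one that matches operator tokens against an allowlist. The query dict shape, the entity fields and the operator set are assumptions modelled on a Vitrage-like API.

```python
"""Added illustration, not Vitrage's own code: turning a JSON-style query
dict into a predicate.  The query shape is an assumption modelled on Vitrage's,
e.g. {"and": [{"==": {"category": "ALARM"}}, {">": {"severity": 2}}]}."""
import operator

def build_predicate_eval(query):
    """Vulnerable style, as the advisory describes: request text is spliced
    into Python source, so the request author decides what gets executed."""
    (op, arg), = query.items()
    (field, value), = arg.items()
    return eval(f"lambda item: item.get({field!r}) {op} {value!r}")  # noqa: S307

# Hardened style: operator tokens are matched against a fixed allowlist.
_COMPARE = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
            "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def build_predicate_safe(query):
    """No source text is built; unknown operators or malformed nodes are refused."""
    (op, arg), = query.items()          # exactly one operator per node
    if op in ("and", "or"):
        subs = [build_predicate_safe(s) for s in arg]
        combine = all if op == "and" else any
        return lambda item: combine(p(item) for p in subs)
    if op not in _COMPARE:
        raise ValueError(f"unsupported query operator: {op!r}")
    (field, value), = arg.items()       # exactly one field per comparison
    if not isinstance(field, str):
        raise ValueError("field name must be a string")
    fn = _COMPARE[op]
    # A missing field never matches, which also avoids ordering None with '>'.
    return lambda item: field in item and fn(item[field], value)

# Constructed sample entities for demonstration only.
ENTITIES = [
    {"category": "ALARM", "severity": 3, "name": "cpu-high"},
    {"category": "ALARM", "severity": 1, "name": "disk-warn"},
    {"category": "RESOURCE", "severity": 3, "name": "host-1"},
]

def run_query(query):
    """Names of sample entities matched, or None when the hardened builder refuses the query."""
    try:
        pred = build_predicate_safe(query)
    except ValueError:
        return None
    return [e["name"] for e in ENTITIES if pred(e)]
```

The hardened builder never turns request content into code: a query using an operator outside `_COMPARE`, or a malformed node, is refused before any evaluation happens.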
