Your message dated Tue, 16 Jun 2026 21:03:36 +0000
with message-id <[email protected]>
and subject line Bug#1139452: fixed in vitrage 14.0.0-4+deb13u1
has caused the Debian Bug report #1139452,
regarding CVE-2026-28370 / OSSA-2026-003: Remote code execution through Vitrage query parser
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139452: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139452
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vitrage
Version: 14.0.0-4
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>

https://security.openstack.org/ossa/OSSA-2026-003.html


Date: March 03, 2026
CVE: CVE-2026-28370

Affects: Vitrage: <12.0.1, ==13.0.0, ==14.0.0, ==15.0.0

Description:

Khalil Lemtaffah (Nokia) reported a vulnerability in the Vitrage query parser.
A user allowed to access the Vitrage API may trigger code execution on the
Vitrage service host as the user the Vitrage service runs under. This may
result in unauthorized access to the host and further compromise of the
Vitrage service. All deployments exposing the Vitrage API are affected.

Patches:

    https://review.opendev.org/962671 (2023.1/antelope)
    https://review.opendev.org/962713 (2024.1/caracal)
    https://review.opendev.org/962712 (2024.2/dalmatian)
    https://review.opendev.org/962646 (2025.1/epoxy)
    https://review.opendev.org/962658 (2025.2/flamingo)
    https://review.opendev.org/962617 (2026.1/gazpacho)

Credits:

    Khalil Lemtaffah from Nokia (CVE-2026-28370)

References:

    https://storyboard.openstack.org/#!/story/2011539
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28370

Notes:

    The stable/2023.1 branch is unmaintained and will receive no new point
    releases, but a patch for it is provided as a courtesy.

--- End Message ---
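As an added illustration, not Vitrage's own code and not the upstream patch, the two patterns the changelog's patch title "Replace eval with function matching" contrasts: resolving a query operator by name with eval() versus looking it up in an explicit table of permitted functions. The operator names and the query shape are assumptions made for the example, not Vitrage's real query grammar.

```python
"""Added example: eval-based operator resolution beside an allow-list
(function matching) version that fails closed on unknown names."""
import operator

# Operators a query is permitted to use (assumed set). Anything else is
# rejected instead of being interpreted.
ALLOWED_OPS = {
    "eq": operator.eq,
    "ne": operator.ne,
    "lt": operator.lt,
    "gt": operator.gt,
    "contains": lambda value, needle: needle in value,
}


def resolve_op_unsafe(name):
    """Pre-fix pattern: the operator name taken from the API request is
    handed to eval(), so the caller decides what Python runs, with the
    privileges of the service account."""
    return eval(name)  # kept only to show the defect; never call on input


def resolve_op(name):
    """Post-fix pattern: match the name against a fixed table. Unknown or
    malformed names raise rather than being executed."""
    if not isinstance(name, str):
        raise ValueError("operator name must be a string")
    try:
        return ALLOWED_OPS[name]
    except KeyError:
        raise ValueError(f"unsupported query operator: {name!r}") from None


def evaluate(query, entity):
    """Apply a query {'op', 'field', 'value'} to an entity dict.
    A missing field never matches; the result is a plain bool."""
    fn = resolve_op(query["op"])
    field = query["field"]
    if field not in entity:
        return False
    return bool(fn(entity[field], query["value"]))
```

The safe path is also the auditable one: a log line on the ValueError branch gives a direct signal of callers sending operator names the parser was never meant to accept.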
--- Begin Message ---
Source: vitrage
Source-Version: 14.0.0-4+deb13u1
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
vitrage, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated vitrage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Tue, 09 Jun 2026 09:48:17 +0200
Source: vitrage
Architecture: source
Version: 14.0.0-4+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1139452
Changes:
 vitrage (14.0.0-4+deb13u1) trixie; urgency=medium
 .
   * CVE-2026-28370 / OSSA-2026-003: Remote code execution through Vitrage query
     parser. Applied upstream patch "Replace eval with function matching".
     (Closes: #1139452)



--- End Message ---