Source: neutron
Version: 2:26.0.0-9
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>

Copying upstream announce from here: https://security.openstack.org/ossa/OSSA-2026-021.html

Date: June 04, 2026
CVE: CVE-2026-pending
Affects: Neutron: >=25.0.0 <25.2.4, >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, ==28.0.0

Note from packaging maintainer: Only Trixie Sid/Testing.

Description:
Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron's default port RBAC rules. A project manager can create or update a port on a shared network owned by another project and set device_owner to a trusted network-service value such as network:dhcp. Depending on backend and deployment, this can bypass anti-spoofing and security group protections. This is a regression of CVE-2015-5240 (OSSA-2015-018) introduced by the manager role support change. Deployments running Neutron 25.0.0 or later are affected.

Patches:
https://review.opendev.org/991523 (2025.1/epoxy)
https://review.opendev.org/990356 (2025.2/flamingo)
https://review.opendev.org/990353 (2026.1/gazpacho)
https://review.opendev.org/990273 (2026.2/hibiscus)

Credits:
Tim Shephard from roiai.ca (CVE-2026-pending)

References:
https://launchpad.net/bugs/2152115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending

Notes:
A CVE request has been filed with MITRE (CAN-2026-2030702).
This is a regression of CVE-2015-5240 (OSSA-2015-018).
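As an added example (not code from the advisory, from Neutron, or from the patches linked above), a simplified model of the intended device_owner policy plus an audit helper for existing ports; field names follow the Neutron port and network API, while the role names and the sample data are assumptions.

```python
# Added example, not code from the advisory or from Neutron itself: two
# defender-side checks for the pattern the advisory describes, a port whose
# device_owner claims a network-service role (prefix "network:", e.g.
# network:dhcp) while its project is not the owner of the network it is on.
# Field names mirror the Neutron API; the policy model is a simplification.

TRUSTED_PREFIX = "network:"   # network:dhcp, network:router_interface, ...


def is_trusted_device_owner(device_owner):
    return (device_owner or "").startswith(TRUSTED_PREFIX)


def may_set_device_owner(device_owner, requester_project, requester_roles, network):
    """Request-time check: a trusted device_owner may only be set by an admin
    or by the project that owns the network. A manager of another project is
    denied, which is exactly the case the regression let through."""
    if not is_trusted_device_owner(device_owner):
        return True
    if "admin" in requester_roles:
        return True
    return requester_project == network["project_id"]


def find_suspicious_ports(ports, networks):
    """Audit existing ports and return ids worth reviewing. Router interface
    ports on a shared network legitimately belong to the router's project,
    so treat the result as a review list rather than proof of abuse."""
    net_by_id = {n["id"]: n for n in networks}
    flagged = []
    for p in ports:
        net = net_by_id.get(p["network_id"])
        if net is None:
            continue
        if is_trusted_device_owner(p["device_owner"]) and p["project_id"] != net["project_id"]:
            flagged.append(p["id"])
    return flagged


# Constructed sample data: one shared network owned by proj-owner.
NETWORKS = [{"id": "net-a", "project_id": "proj-owner", "shared": True}]
PORTS = [
    # Neutron's own DHCP port, owned by the network's project: fine.
    {"id": "port-1", "network_id": "net-a", "project_id": "proj-owner", "device_owner": "network:dhcp"},
    # Ordinary VM port from another project on the shared network: fine.
    {"id": "port-2", "network_id": "net-a", "project_id": "proj-tenant", "device_owner": "compute:nova"},
    # Another project's port claiming to be a DHCP port: flag for review.
    {"id": "port-3", "network_id": "net-a", "project_id": "proj-tenant", "device_owner": "network:dhcp"},
]
```

Running `find_suspicious_ports(PORTS, NETWORKS)` on the constructed data returns `['port-3']`, the foreign-project port claiming a DHCP role; the same port data can be pulled from the Neutron API of a deployment still awaiting the fix.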

