#1138225 trixie-pu: package neutron/26.0.0-9 (OSSA-2026-016: Neutron tagging policy bypass allows project readers to mutate tags)

#1138225#5
Date:
2026-05-29 17:18:02 UTC
From:
To:
Hi,

[ Reason ]
I'd like to fix a security issue where the policy for tags on
floating-ips shouldn't be granted. For more details, see the
announce from upstream:

https://security.openstack.org/ossa/OSSA-2026-016.html

[ Impact ]
tagging policy bypass allows project readers to mutate tags

[ Tests ]
Upstream unit tests are run during package build.

[ Risks ]
Change isn't big, only to the policy (upstream added some
policy.enforce() calls).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Just the upstream patch.

[ Other info ]
Note the attached debdiff targeted trixie-security, I'll
adjust for p-u before uploading.

Please allow me to uplaod Neutron 2:26.0.0-9+deb13u1.

Cheers,

Thomas Goirand (zigo)

#1138225#12
Date:
2026-05-31 11:01:51 UTC
From:
To:
Hi,

Please go ahead.

Thanks,

#1138225#19
Date:
2026-05-31 14:05:22 UTC
From:
To:
Thanks you!

Uploaded.

Thomas Goirand (zigo)