#1138848 OSSN-0096 CVE-2026-44393 : oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake
- Package:
- src:python-oslo.messaging
- Source:
- src:python-oslo.messaging
- Submitter:
- Thomas Goirand
- Date:
- 2026-06-13 14:37:03 UTC
- Severity:
- normal
- Tags:
OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake

== Summary ==
Tim Shephard reported that oslo.messaging validates the RabbitMQ broker's certificate chain when ssl_ca_file is configured, but does not verify the broker's hostname against the certificate. An attacker with control plane network access and a certificate trusted by the deployment's CA can perform a man-in-the-middle attack on RPC and notification traffic between OpenStack services.

== Affected Services / Software ==
- oslo.messaging: >=1.0.0 <16.2.0, >=17.0.0 <17.1.1, >=17.2.0 <17.3.1

All OpenStack services that use oslo.messaging for RPC or notifications with RabbitMQ TLS are affected. The fix is included in oslo.messaging 18.0.0 (2026.2/Hibiscus) with hostname verification enabled by default. Code patches for stable/2026.1, 2025.2, and 2025.1 default to disabling this validation (opt-in) to avoid breaking deployments on upgrade.

== Discussion ==
When ssl_ca_file is configured, oslo.messaging validates the certificate chain but does not pass the broker hostname to the TLS stack. Any certificate trusted by the deployment's CA is accepted regardless of which hostname it was issued for.

The fix adds ssl_enforce_hostname_verification to [oslo_messaging_rabbit]. On master (2026.2/Hibiscus) this defaults to True (secure by default). On stable branches it defaults to False to avoid breaking deployments whose broker certificates lack correct SAN entries. Multi-host configurations require Kombu >= 5.2.0 when hostname verification is enabled.

== Recommended Actions ==
Operators running stable branches should:
- Ensure RabbitMQ broker certificates have SAN entries matching the hostnames used in transport_url.
- Set ssl_enforce_hostname_verification=True in [oslo_messaging_rabbit] in each service's configuration.
- For multi-host configurations, verify Kombu >= 5.2.0 first.
- Upgrade to the next major release when available, which enables hostname verification by default.

=== Patches ===
Hostname verification support was added on master and backported to supported stable branches with verification disabled by default.

2026.2/hibiscus (master): https://review.opendev.org/c/openstack/oslo.messaging/+/988095
2026.1/gazpacho: https://review.opendev.org/c/openstack/oslo.messaging/+/988979
2025.2/flamingo: https://review.opendev.org/c/openstack/oslo.messaging/+/988980
2025.1/epoxy: https://review.opendev.org/c/openstack/oslo.messaging/+/988981

== Credits ==
Tim Shephard, roiai.ca

== Contacts / References ==
* Authors: Goutham Pacha Ravi, Red Hat
* This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0096
* Original Launchpad bug: https://launchpad.net/bugs/2150316
* Mailing List : [security-sig] tag on openstack-discuss@lists.openstack.org
* OpenStack Security : https://security.openstack.org/
* CVE: CVE-2026-44393
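The first two recommended actions above reduce to one pre-flight check: every broker host named in transport_url must be covered by a subjectAltName entry on the broker certificate before ssl_enforce_hostname_verification is switched to True, otherwise enforcing it breaks the connection instead of securing it. The script below is an added example written for this report; it is not oslo.messaging code and not part of the OSSN. It pulls the broker hosts out of an oslo.messaging-style multi-host transport_url, checks each host against the DNS and IP Address SAN entries of a certificate given in the dict form that ssl.SSLSocket.getpeercert() returns, and, with the standard-library ssl module, illustrates what the option means at the TLS layer (chain validation on both settings, hostname checking only when enforced). The transport_url, the certificate dict and all function names are constructed for the example; credentials containing '@' or ',' are assumed to be percent-encoded.

```python
"""Pre-flight check before enabling ssl_enforce_hostname_verification.

Added example, not oslo.messaging code.  Sample inputs are constructed.
"""
from __future__ import annotations

import ipaddress
import ssl

# Constructed multi-host transport_url: three brokers, one addressed by IP.
SAMPLE_TRANSPORT_URL = (
    "rabbit://oslo:secret@rabbit1.ctl.example.internal:5671,"
    "oslo:secret@rabbit2.ctl.example.internal:5671,"
    "oslo:secret@10.0.0.12:5671/openstack"
)

# Constructed broker certificate in the shape ssl.SSLSocket.getpeercert()
# returns.  Note the IP SAN is 10.0.0.11, not the 10.0.0.12 used above.
SAMPLE_CERT = {
    "subject": ((("commonName", "rabbit"),),),
    "subjectAltName": (
        ("DNS", "rabbit1.ctl.example.internal"),
        ("DNS", "*.ctl.example.internal"),
        ("IP Address", "10.0.0.11"),
    ),
}


def _host_of(hostport: str) -> str:
    """Strip the port from 'host:port' or '[v6addr]:port'."""
    if hostport.startswith("["):
        return hostport[1 : hostport.index("]")]
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def hosts_from_transport_url(url: str) -> list[str]:
    """Broker hostnames from rabbit://u:p@h1:port,u:p@h2:port/vhost."""
    _, _, rest = url.partition("://")
    netloc = rest.split("/", 1)[0]          # everything before the vhost
    hosts = []
    for entry in netloc.split(","):
        hostport = entry.rsplit("@", 1)[-1]  # drop user:password
        if hostport:
            hosts.append(_host_of(hostport))
    return hosts


def hostname_matches(pattern: str, host: str) -> bool:
    """DNS-ID match: case-insensitive; '*' only as the whole leftmost label
    and matching exactly one label (no partial or multi-label wildcards)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False                         # reject 'r*.example' and '*.com'
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def uncovered_hosts(cert: dict, hosts: list[str]) -> list[str]:
    """Hosts that no SAN entry covers.  No CN fallback on purpose: the OSSN
    asks for SAN entries, so a CN-only certificate is reported as uncovered."""
    sans = cert.get("subjectAltName", ())
    dns_ids = [value for kind, value in sans if kind == "DNS"]
    ip_ids = [ipaddress.ip_address(v) for kind, v in sans if kind == "IP Address"]
    missing = []
    for host in hosts:
        try:
            covered = ipaddress.ip_address(host) in ip_ids
        except ValueError:                   # not an IP literal: DNS-ID rules
            covered = any(hostname_matches(p, host) for p in dns_ids)
        if not covered:
            missing.append(host)
    return missing


def ssl_context_for(enforce_hostname: bool, ca_file: str | None = None) -> ssl.SSLContext:
    """What the option means at the TLS layer (stdlib illustration only):
    the chain is always validated against ca_file; the peer name is checked
    only when enforce_hostname is True."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = enforce_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    hosts = hosts_from_transport_url(SAMPLE_TRANSPORT_URL)
    missing = uncovered_hosts(SAMPLE_CERT, hosts)
    for host in hosts:
        print(f"{host:32} {'missing SAN' if host in missing else 'ok'}")
    if missing:
        print("fix the certificate first; enforcing now would break these hosts")
    else:
        print("safe to set ssl_enforce_hostname_verification = True")
```

To run this against a real broker, replace SAMPLE_CERT with the dict from getpeercert() on a connection made through a context that validated the chain (with CERT_NONE, getpeercert() returns an empty dict and nothing can be checked), and feed it the transport_url from each service's configuration. Any host it reports as uncovered is one that would fail once the option is enforced.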
Hello,

Bug #1138848 in python-oslo.messaging reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/oslo/python-oslo.messaging/-/commit/b10d3273162c6e597c204a5d6d6c046bf0d28667

------------------------------------------------------------------------
* CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS hostname verification (Closes: #1138848).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138848

Hello,

Bug #1138848 in python-oslo.messaging reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/oslo/python-oslo.messaging/-/commit/a85a755e976dd8acf2e90b3e17ebab4dcdf60bb6

------------------------------------------------------------------------
* CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS hostname verification (Closes: #1138848).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138848

Hello,

Bug #1138848 in python-oslo.messaging reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/oslo/python-oslo.messaging/-/commit/06fcf084f57840bff6c7e49825da412851ce901a

------------------------------------------------------------------------
* CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS hostname verification (Closes: #1138848).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138848

Hello,

Bug #1138848 in python-oslo.messaging reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/oslo/python-oslo.messaging/-/commit/34b1d48c29df9293f22e7ef371f230280660498c

------------------------------------------------------------------------
* CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS hostname verification (Closes: #1138848).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138848

Hello,

Bug #1138848 in python-oslo.messaging reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/oslo/python-oslo.messaging/-/commit/b3df9df04f37d8b1ce1275b2241f40c84c6136b7

------------------------------------------------------------------------
* CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS hostname verification (Closes: #1138848).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138848

Hello,

Bug #1138848 in python-oslo.messaging reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/oslo/python-oslo.messaging/-/commit/e26d7e63c7405ea6dc23f934ff867b828d2f232a

------------------------------------------------------------------------
* CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS hostname verification (Closes: #1138848).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138848

Hello,

Bug #1138848 in python-oslo.messaging reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/oslo/python-oslo.messaging/-/commit/92d79d3dbfc6e37c72e6eb7314680bf0c2ceabc6

------------------------------------------------------------------------
* CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS hostname verification (Closes: #1138848).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138848

Hello,

Bug #1138848 in python-oslo.messaging reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/oslo/python-oslo.messaging/-/commit/0b6bec621a48e21f96ea1455cb9de8ef8be1b9df

------------------------------------------------------------------------
* CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS hostname verification (Closes: #1138848).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138848
We believe that the bug you reported is fixed in the latest version of
python-oslo.messaging, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-oslo.messaging package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 04 Jun 2026 21:57:05 +0200
Source: python-oslo.messaging
Architecture: source
Version: 17.3.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1138848
Changes:
python-oslo.messaging (17.3.0-4) unstable; urgency=medium
.
* CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker
hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS
hostname verification (Closes: #1138848).
Checksums-Sha1:
a089e5ca26dcaff6efeb02c812bc2d61eab5553b 2872 python-oslo.messaging_17.3.0-4.dsc
e83298b292c446b82375c21f1723c6cd212eea15 11692 python-oslo.messaging_17.3.0-4.debian.tar.xz
dd3d286a186cb8bc5961877124276282bfa7a7c4 12875 python-oslo.messaging_17.3.0-4_amd64.buildinfo
Checksums-Sha256:
29ec65a7e8b79aa2becc0eb32689a6bdf27f71bcc3a5e6abcf7d60c245c5b21d 2872 python-oslo.messaging_17.3.0-4.dsc
35faece4e934ec90a3c284ae20215012cba54eb697a8870ff3d625f1e4a32ba2 11692 python-oslo.messaging_17.3.0-4.debian.tar.xz
b2c97c1b27462ebd9ee8f4cf7e3ec4b29a0403c09dcd8a7b199c098b76e8d27e 12875 python-oslo.messaging_17.3.0-4_amd64.buildinfo
Files:
0b5f611017e3fb4a1d1b6539cbb28548 2872 python optional python-oslo.messaging_17.3.0-4.dsc
f2416a66aa8ed2a4f975ae8ab8fef98b 11692 python optional python-oslo.messaging_17.3.0-4.debian.tar.xz
18b11ccb1adb859764e79974d0a5db4c 12875 python optional python-oslo.messaging_17.3.0-4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
We believe that the bug you reported is fixed in the latest version of
python-oslo.messaging, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-oslo.messaging package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 03 Jun 2025 11:21:22 +0200
Source: python-oslo.messaging
Architecture: source
Version: 16.1.0-3+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1138848
Changes:
python-oslo.messaging (16.1.0-3+deb13u1) trixie-security; urgency=medium
.
* Add fix-not-using-non-durable.patch.
* CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker
hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS
hostname verification (Closes: #1138848).
Checksums-Sha1:
55710866b3a21aa04ad8faddbda4deb3f14fb0cb 2906 python-oslo.messaging_16.1.0-3+deb13u1.dsc
1e041ff1b046374496906a18fad1b12007f85b94 148044 python-oslo.messaging_16.1.0.orig.tar.xz
9554eff02375fbbabc027d395f4c76b03ead2551 11612 python-oslo.messaging_16.1.0-3+deb13u1.debian.tar.xz
d15f559d66724a1a6eb25809fd6b89975a9992bc 13177 python-oslo.messaging_16.1.0-3+deb13u1_amd64.buildinfo
Checksums-Sha256:
a768722f01b8c10e9d1d3d2aa05a712af2faa31a8d9ae870b38e3cdd15dcf120 2906 python-oslo.messaging_16.1.0-3+deb13u1.dsc
032ebc4b1011cb4bc5f69edd0a7426f3e9e9e33b76d475f17d7a36c9bcae43ec 148044 python-oslo.messaging_16.1.0.orig.tar.xz
500fd536b28d0d0932648843011779ce637f3d00aada39ca94bfc4a5fa6b1211 11612 python-oslo.messaging_16.1.0-3+deb13u1.debian.tar.xz
27da406d32e8cfb6addf1d723dd0614d59270e44e2175d6824cd094397aea82b 13177 python-oslo.messaging_16.1.0-3+deb13u1_amd64.buildinfo
Files:
abdff89be59f441aa7f55ac1b6ef7cdb 2906 python optional python-oslo.messaging_16.1.0-3+deb13u1.dsc
091b3683775dc9933e90a5df1031ce09 148044 python optional python-oslo.messaging_16.1.0.orig.tar.xz
680784abbfa88e3f49e44630d864d1c3 11612 python optional python-oslo.messaging_16.1.0-3+deb13u1.debian.tar.xz
b8b86ae4b78ba61ebd97c41d4b314c10 13177 python optional python-oslo.messaging_16.1.0-3+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
We believe that the bug you reported is fixed in the latest version of
python-oslo.messaging, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-oslo.messaging package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 06 Mar 2024 11:42:43 +0100
Source: python-oslo.messaging
Architecture: source
Version: 14.0.3-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1138848
Changes:
python-oslo.messaging (14.0.3-0+deb12u1) bookworm-security; urgency=medium
.
* New upstream release.
* Add patches:
- Implement_get_rpc_client_function.patch
- Support_overriding_class_for_get_rpc_helper_functions.patch
* CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker
hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS
hostname verification (Closes: #1138848).
Checksums-Sha1:
29d39bb126166c216fe43eaf88a983a3a4fd0752 2900 python-oslo.messaging_14.0.3-0+deb12u1.dsc
b7824e99203da272489fd6d2a891802685821d34 185176 python-oslo.messaging_14.0.3.orig.tar.xz
a4b2f05af7da001636b4c0301512047fc07e74f7 14776 python-oslo.messaging_14.0.3-0+deb12u1.debian.tar.xz
6fdf78a4bca80095437f5629aec9fa2cde1e9704 13218 python-oslo.messaging_14.0.3-0+deb12u1_amd64.buildinfo
Checksums-Sha256:
75a12529f33d2b265ae83d53fd6464eef23175be6ec578e61b4a6ef56ffa7138 2900 python-oslo.messaging_14.0.3-0+deb12u1.dsc
8762f506b07732b58260d7e137d275c9e1a6af021234728d520fbe78a092a414 185176 python-oslo.messaging_14.0.3.orig.tar.xz
feda56af27c0044cd808d53c93305e167039bdee6f0849105775c8a7a5e0aaa5 14776 python-oslo.messaging_14.0.3-0+deb12u1.debian.tar.xz
86a44c79a6ab8459667a5dc94079c33490d4d0eec8cd6e2ab9f98b49b062f3b8 13218 python-oslo.messaging_14.0.3-0+deb12u1_amd64.buildinfo
Files:
ca9e546aec2e91f313c93f10a8cad456 2900 python optional python-oslo.messaging_14.0.3-0+deb12u1.dsc
c3cb8c007dbf4632142d1f235d1cc9a8 185176 python optional python-oslo.messaging_14.0.3.orig.tar.xz
ca24d7335d039a3b313377e2e3431059 14776 python optional python-oslo.messaging_14.0.3-0+deb12u1.debian.tar.xz
782badd9a573ef830ddc11c76f93d11b 13218 python optional python-oslo.messaging_14.0.3-0+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----