)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"03c566f509b0d9b2d72c9a7b3f41bdcf7229cd2c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"6b74ff73_eac48f61","updated":"2026-05-08 13:43:18.000000000","message":"I went ahead and fixed the backports, fyi. https://review.opendev.org/q/Ie85357166fafca0acd9d852fe05ce34818d2b366 \n\nI really don\u0027t know why the extra lines got injected, it just makes me think maybe the boundrary jump has enough test changes that it applies sort of clean, but violates syntax checking later.","commit_id":"017db1d350ca396d5e7281bd4216ae2ca3a7943f"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"3aef13cb185914dda23ab95cb1d4625c8b3c55ee","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"680ae2cc_09660ffe","updated":"2026-05-08 23:04:33.000000000","message":"LGTM, thank you for clarifying \n\nNote-to-self: should update the OSSA sample/draft here: \nhttps://security.openstack.org/vmt-process.html#:~:text\u003dOpenStack%20security%20advisories%20(OSSA)%C2%B6","commit_id":"eb4136b179c8abbb28a2d140e2832c4f8e4263fd"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"3aef13cb185914dda23ab95cb1d4625c8b3c55ee","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"399067a6_811eccc0","updated":"2026-05-08 23:04:33.000000000","message":"LGTM, thank you… we probably should update the vmt process page’s draft OSSA to clarify that master patches aren’t necessary https://security.openstack.org/vmt-process.html#:~:text\u003dOpenStack%20security%20advisories%20(OSSA)%C2%B6","commit_id":"eb4136b179c8abbb28a2d140e2832c4f8e4263fd"}],"ossa/OSSA-2026-012.yaml":[{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c46de73f7a7d1037234cea79ba7402ad190cc563","unresolved":true,"context_lines":[{"line_number":37,"context_line":""},{"line_number":38,"context_line":"reviews:"},{"line_number":39,"context_line":"  2026.1/gazpacho:"},{"line_number":40,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/987774"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"  2025.2/flamingo:"},{"line_number":43,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/987775"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"8c4e36e4_9f1e958f","line":40,"updated":"2026-05-08 20:31:20.000000000","message":"Missing \n\n2026.2/hibiscus?","commit_id":"eb4136b179c8abbb28a2d140e2832c4f8e4263fd"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"57cd2643778914aa5c2b859e176990cc9b86db68","unresolved":true,"context_lines":[{"line_number":37,"context_line":""},{"line_number":38,"context_line":"reviews:"},{"line_number":39,"context_line":"  2026.1/gazpacho:"},{"line_number":40,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/987774"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"  2025.2/flamingo:"},{"line_number":43,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/987775"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"dc2df20e_8cc02c91","line":40,"in_reply_to":"8c4e36e4_9f1e958f","updated":"2026-05-08 20:43:38.000000000","message":"So I missed in when reviewing yours the other day, but we don\u0027t security support master branch and so tend to exclude them from the OSSA to make it easier to understand.","commit_id":"eb4136b179c8abbb28a2d140e2832c4f8e4263fd"}],"ossa/OSSA-2026-TBD.yaml":[{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"589b66984d6377d7f7157e151c063129b68e0b4c","unresolved":true,"context_lines":[{"line_number":1,"context_line":"date: 2026-05-XX"},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"id: OSSA-2026-TBD"},{"line_number":4,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"515956c9_4f3a9e3e","line":1,"updated":"2026-05-07 21:54:32.000000000","message":"this not being a real date is why CI is failing. Feature, not a bug, as it\u0027ll ensure it gets set before it lands","commit_id":"017db1d350ca396d5e7281bd4216ae2ca3a7943f"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"3c94cc4a7d98af0f6656be18980579e9f2d8b4fc","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology)"},{"line_number":9,"context_line":"  from the Metal3.io Security Team reported a vulnerability in Ironic\u0027s"},{"line_number":10,"context_line":"  anaconda deploy interface. Users who can set"},{"line_number":11,"context_line":"  ``node.instance_info[\u0027ks_template\u0027]`` can achieve RCE on the ironic-conductor"},{"line_number":12,"context_line":"  process, as the template is rendered without sandboxing."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"  In the default configuration, Ironic is not vulnerable to this issue. However,"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"7aa05daf_410524ed","line":11,"range":{"start_line":11,"start_character":52,"end_line":11,"end_character":55},"updated":"2026-05-08 13:44:07.000000000","message":"I\u0027d sot of prefer this be written out since off the top of my head, its not coming to me what this is representing.","commit_id":"017db1d350ca396d5e7281bd4216ae2ca3a7943f"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"2c6f67e32635be21d4f119c70ae5554eeb7b41f4","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology)"},{"line_number":9,"context_line":"  from the Metal3.io Security Team reported a vulnerability in Ironic\u0027s"},{"line_number":10,"context_line":"  anaconda deploy interface. Users who can set"},{"line_number":11,"context_line":"  ``node.instance_info[\u0027ks_template\u0027]`` can achieve RCE on the ironic-conductor"},{"line_number":12,"context_line":"  process, as the template is rendered without sandboxing."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"  In the default configuration, Ironic is not vulnerable to this issue. However,"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"e0aebfae_11eec0e9","line":11,"range":{"start_line":11,"start_character":52,"end_line":11,"end_character":55},"in_reply_to":"7aa05daf_410524ed","updated":"2026-05-08 19:07:00.000000000","message":"Remote Code Execution. Basically the original security vuln acronym!","commit_id":"017db1d350ca396d5e7281bd4216ae2ca3a7943f"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"24b1ff85cb9c359064a9822aea3433f12b6422fb","unresolved":true,"context_lines":[{"line_number":18,"context_line":""},{"line_number":19,"context_line":"affected-products:"},{"line_number":20,"context_line":"  - product: ironic"},{"line_number":21,"context_line":"    version: \u0027UPDATE_ME_BEFORE_MERGE \u003e\u003d17.0.0 \u003c26.1.6, \u003e\u003d27.0.0 \u003c29.0.5, \u003e\u003d30.0.0 \u003c32.0.1, \u003e\u003d33.0.0 \u003c35.0.1\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"vulnerabilities:"},{"line_number":24,"context_line":"  - cve-id: \u0027CVE-2026-TBD\u0027"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"39edae5e_6e19a792","line":21,"updated":"2026-05-07 20:39:26.000000000","message":"We can\u0027t be certain (yet) what release will contain this fix. On day-of-merge, I\u0027ll pick an ID number and update the version string.","commit_id":"017db1d350ca396d5e7281bd4216ae2ca3a7943f"}]}