)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"aa8d5644fa1eb679c7d8820db21e0e42d284d140","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"OSSA-2026-013 Ironic: DoS via image CVE-2026-44919"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Related-bug: #2150332"},{"line_number":10,"context_line":"Change-Id: I7048e130a918c8e39f1e00e7955fab340c4936e2"},{"line_number":11,"context_line":"Signed-off-by: Jay Faulkner \u003cjay@jvf.cc\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"904bf5c4_3c4206fc","line":9,"updated":"2026-05-12 20:03:22.000000000","message":"Nit: I usually go with Closes-Bug so it will update the OSSA task status in LP.","commit_id":"47402daee40765e7dd924f70fd67d19889093acb"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"34362f1f8543d137d86a52f239bc33630c2c3e24","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"562c8f93_acfad10a","updated":"2026-05-12 19:49:03.000000000","message":"Will fix minor issues once we have patch URLs for all branches.","commit_id":"47402daee40765e7dd924f70fd67d19889093acb"}],"ossa/OSSA-2026-013.yaml":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"213ff679e447f6a9858e4c7154c0f40f7673c803","unresolved":false,"context_lines":[{"line_number":4,"context_line":""},{"line_number":5,"context_line":"title: Denial of Service in Ironic under specially crafted deployment requests"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"description: | "},{"line_number":8,"context_line":"  Erichen of the Institute of Computing Technology at the Chinese Academy of"},{"line_number":9,"context_line":"  Sciences reported a vulnerability in Ironic\u0027s image handling code where an"},{"line_number":10,"context_line":"  authenticated and appropriately authorized user could request a special"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"fb416493_0fed41b1","line":7,"updated":"2026-05-12 19:59:25.000000000","message":"Nit: trailing whitespace","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"213ff679e447f6a9858e4c7154c0f40f7673c803","unresolved":false,"context_lines":[{"line_number":17,"context_line":"  The result was that the user could request a deployment where the requested"},{"line_number":18,"context_line":"  disk image was a special file, such as \"file:///dev/zero\", which would"},{"line_number":19,"context_line":"  consume a conductor thread. This is a direct result of the auto-checksum"},{"line_number":20,"context_line":"  behavior atempting to checksum the file."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"  Repeated similar requests could then be leveraged to exhaust the available pool of"},{"line_number":23,"context_line":"  Ironic conductor threads resulting in a denial-of-service until the service is"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"dff63975_46322b23","line":20,"updated":"2026-05-12 19:59:25.000000000","message":"\"attempting\"","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"213ff679e447f6a9858e4c7154c0f40f7673c803","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"affected-products:"},{"line_number":30,"context_line":"  - product: ironic"},{"line_number":31,"context_line":"    version: \u0027\u003e\u003d23.0.4 \u003c24.0.0, \u003e\u003d24.1.4 \u003c25.0.0, \u003e\u003d26.1.2 \u003c27.0.0, \u003e\u003d28.0.0\u0027"},{"line_number":32,"context_line":"    "},{"line_number":33,"context_line":"vulnerabilities:"},{"line_number":34,"context_line":"  - cve-id: \u0027CVE-2026-44919\u0027"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"4879801c_e19c156d","line":31,"updated":"2026-05-12 19:59:25.000000000","message":"So versions after 28.0.0 will never be fixed?","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"75446cbfdf7476e999b8f064b176583130fffb54","unresolved":true,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"affected-products:"},{"line_number":30,"context_line":"  - product: ironic"},{"line_number":31,"context_line":"    version: \u0027\u003e\u003d23.0.4 \u003c24.0.0, \u003e\u003d24.1.4 \u003c25.0.0, \u003e\u003d26.1.2 \u003c27.0.0, \u003e\u003d28.0.0\u0027"},{"line_number":32,"context_line":"    "},{"line_number":33,"context_line":"vulnerabilities:"},{"line_number":34,"context_line":"  - cve-id: \u0027CVE-2026-44919\u0027"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"1e837be2_4d5bc997","line":31,"in_reply_to":"0b7481c6_ac293226","updated":"2026-05-12 23:27:02.000000000","message":"\u003d\u003e28.0.0 should be fixed once we release the fix merged off of master.","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"03bba16a75bbfedf029276f949bb10d9dd11d817","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"affected-products:"},{"line_number":30,"context_line":"  - product: ironic"},{"line_number":31,"context_line":"    version: \u0027\u003e\u003d23.0.4 \u003c24.0.0, \u003e\u003d24.1.4 \u003c25.0.0, \u003e\u003d26.1.2 \u003c27.0.0, \u003e\u003d28.0.0\u0027"},{"line_number":32,"context_line":"    "},{"line_number":33,"context_line":"vulnerabilities:"},{"line_number":34,"context_line":"  - cve-id: \u0027CVE-2026-44919\u0027"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"abffc6e1_5ba6eddc","line":31,"in_reply_to":"1e837be2_4d5bc997","updated":"2026-05-19 19:40:37.000000000","message":"Done","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"16447248444bfd0571fad69a55f57d2451b95ee5","unresolved":true,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"affected-products:"},{"line_number":30,"context_line":"  - product: ironic"},{"line_number":31,"context_line":"    version: \u0027\u003e\u003d23.0.4 \u003c24.0.0, \u003e\u003d24.1.4 \u003c25.0.0, \u003e\u003d26.1.2 \u003c27.0.0, \u003e\u003d28.0.0\u0027"},{"line_number":32,"context_line":"    "},{"line_number":33,"context_line":"vulnerabilities:"},{"line_number":34,"context_line":"  - cve-id: \u0027CVE-2026-44919\u0027"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"0b7481c6_ac293226","line":31,"in_reply_to":"4879801c_e19c156d","updated":"2026-05-12 20:01:44.000000000","message":"Yeah I should review this whole list, I\u0027m unsure of where our releases are and I forgot to leave a #TODO","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"213ff679e447f6a9858e4c7154c0f40f7673c803","unresolved":false,"context_lines":[{"line_number":29,"context_line":"affected-products:"},{"line_number":30,"context_line":"  - product: ironic"},{"line_number":31,"context_line":"    version: \u0027\u003e\u003d23.0.4 \u003c24.0.0, \u003e\u003d24.1.4 \u003c25.0.0, \u003e\u003d26.1.2 \u003c27.0.0, \u003e\u003d28.0.0\u0027"},{"line_number":32,"context_line":"    "},{"line_number":33,"context_line":"vulnerabilities:"},{"line_number":34,"context_line":"  - cve-id: \u0027CVE-2026-44919\u0027"},{"line_number":35,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"d71b490a_2c956c11","line":32,"updated":"2026-05-12 19:59:25.000000000","message":"Nit: whitespace on a line by itself","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"213ff679e447f6a9858e4c7154c0f40f7673c803","unresolved":false,"context_lines":[{"line_number":42,"context_line":"    - https://bugs.launchpad.net/ironic/+bug/2150332"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"reviews:"},{"line_number":45,"context_line":"  note-patch-on-review-in-master-at:"},{"line_number":46,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/988325"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"  2026.1/gazpacho:"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"78d96e68_72e5a318","line":45,"updated":"2026-05-12 19:59:25.000000000","message":"Why is this not \"2026.2/hibiscus\" like we do in other advisories?","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"4256ac6b3fda65ca0f94d7f5654d33b6bc8b7cdf","unresolved":true,"context_lines":[{"line_number":42,"context_line":"    - https://bugs.launchpad.net/ironic/+bug/2150332"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"reviews:"},{"line_number":45,"context_line":"  note-patch-on-review-in-master-at:"},{"line_number":46,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/988325"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"  2026.1/gazpacho:"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"7b5c593d_89531053","line":45,"in_reply_to":"055279de_4cada0ab","updated":"2026-05-12 20:45:59.000000000","message":"unresolving; good to align on for consistency. I like using \"2026.2/hibiscus\"","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"16447248444bfd0571fad69a55f57d2451b95ee5","unresolved":false,"context_lines":[{"line_number":42,"context_line":"    - https://bugs.launchpad.net/ironic/+bug/2150332"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"reviews:"},{"line_number":45,"context_line":"  note-patch-on-review-in-master-at:"},{"line_number":46,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/988325"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"  2026.1/gazpacho:"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"cb579974_1308c8d8","line":45,"in_reply_to":"78d96e68_72e5a318","updated":"2026-05-12 20:01:44.000000000","message":"Because I wasn\u0027t going to include it in the final advisory but wanted it here so I wouldn\u0027t have to dig for it when it landed to backport. You\u0027ve given me review feedback in the past that unreleased versions (e.g. Hibiscus) aren\u0027t security supported and should not be included in OSSA.","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"03bba16a75bbfedf029276f949bb10d9dd11d817","unresolved":false,"context_lines":[{"line_number":42,"context_line":"    - https://bugs.launchpad.net/ironic/+bug/2150332"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"reviews:"},{"line_number":45,"context_line":"  note-patch-on-review-in-master-at:"},{"line_number":46,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/988325"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"  2026.1/gazpacho:"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"583b9a69_f727e87a","line":45,"in_reply_to":"7b5c593d_89531053","updated":"2026-05-19 19:40:37.000000000","message":"Done","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"0f92a8642c39609ad4de69219959a7088460d310","unresolved":false,"context_lines":[{"line_number":42,"context_line":"    - https://bugs.launchpad.net/ironic/+bug/2150332"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"reviews:"},{"line_number":45,"context_line":"  note-patch-on-review-in-master-at:"},{"line_number":46,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/988325"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"  2026.1/gazpacho:"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"055279de_4cada0ab","line":45,"in_reply_to":"cb579974_1308c8d8","updated":"2026-05-12 20:08:56.000000000","message":"That doesn\u0027t sound like something I expect myself to have said, but I suppose it\u0027s possible. We don\u0027t issue advisories for vulnerabilities that *only* appear in the master branch, but our advisories typically include the master branch patch just like all the rest (I\u0027ve always done that in those I\u0027ve published, as far as I can recall).","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"213ff679e447f6a9858e4c7154c0f40f7673c803","unresolved":false,"context_lines":[{"line_number":55,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/XXXXXX"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"  2024.2/dalmatian:"},{"line_number":58,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/XXXXXX"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"  2024.1/caracal (unmaintained):"},{"line_number":61,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/XXXXXX"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"71de049e_30214bc7","line":58,"updated":"2026-05-12 19:59:25.000000000","message":"You won\u0027t be able to push this since the branch is gone now that Dalmation is EOL.","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"213ff679e447f6a9858e4c7154c0f40f7673c803","unresolved":false,"context_lines":[{"line_number":76,"context_line":"    as released by the OpenStack community."},{"line_number":77,"context_line":"  - Operators or vendors who may have backported patches independently"},{"line_number":78,"context_line":"    of upstream should take the action of backporting this fix along with"},{"line_number":79,"context_line":"    ensureing that they have the appropriate fix for OSSA-2025-001, from"},{"line_number":80,"context_line":"    https://review.opendev.org/q/I2fa995439ee500f9dd82ec8ccfa1a25ee8e1179c"},{"line_number":81,"context_line":"    if not already backported."}],"source_content_type":"text/x-yaml","patch_set":1,"id":"d81dedb4_b538f587","line":79,"updated":"2026-05-12 19:59:25.000000000","message":"\"ensuring\"","commit_id":"78d7b32f85fb5e409d407256ccf5e86a5c40d31b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"34362f1f8543d137d86a52f239bc33630c2c3e24","unresolved":true,"context_lines":[{"line_number":4,"context_line":""},{"line_number":5,"context_line":"title: Denial of Service in Ironic under specially crafted deployment requests"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"description: | "},{"line_number":8,"context_line":"  Erichen of the Institute of Computing Technology at the Chinese Academy of"},{"line_number":9,"context_line":"  Sciences reported a vulnerability in Ironic\u0027s image handling code where an"},{"line_number":10,"context_line":"  authenticated and appropriately authorized user could request a special"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"98b584e4_545c3711","line":7,"updated":"2026-05-12 19:49:03.000000000","message":"whitespace","commit_id":"47402daee40765e7dd924f70fd67d19889093acb"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"34362f1f8543d137d86a52f239bc33630c2c3e24","unresolved":true,"context_lines":[{"line_number":29,"context_line":"affected-products:"},{"line_number":30,"context_line":"  - product: ironic"},{"line_number":31,"context_line":"    version: \u0027\u003e\u003d23.0.4 \u003c24.0.0, \u003e\u003d24.1.4 \u003c25.0.0, \u003e\u003d26.1.2 \u003c27.0.0, \u003e\u003d28.0.0\u0027"},{"line_number":32,"context_line":"    "},{"line_number":33,"context_line":"vulnerabilities:"},{"line_number":34,"context_line":"  - cve-id: \u0027CVE-2026-44919\u0027"},{"line_number":35,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"10da1658_2b9d1dcd","line":32,"updated":"2026-05-12 19:49:03.000000000","message":"whitespace","commit_id":"47402daee40765e7dd924f70fd67d19889093acb"}]}