)]}'
{"ossa/OSSA-2026-023.yaml":[{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"9dbc8c035de7c4ef678636954d1f061d5c15d561","unresolved":true,"context_lines":[{"line_number":1,"context_line":"date: 2026-06-15"},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"id: OSSA-2026-023"},{"line_number":4,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":5,"id":"b5975923_8018ec8c","line":1,"updated":"2026-06-16 19:36:39.000000000","message":"fix date","commit_id":"48d1be589245e916f3c5ec5318db527c9bbd3143"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"6aa416af5be56c9d2a7a90ad3fe48a17297a560f","unresolved":false,"context_lines":[{"line_number":1,"context_line":"date: 2026-06-15"},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"id: OSSA-2026-023"},{"line_number":4,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":5,"id":"3bf6d56b_19607313","line":1,"in_reply_to":"b5975923_8018ec8c","updated":"2026-06-16 19:42:36.000000000","message":"Done","commit_id":"48d1be589245e916f3c5ec5318db527c9bbd3143"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"8f6570966862acdf0ebffc5d420f041693aa541d","unresolved":true,"context_lines":[{"line_number":7,"context_line":"description: |"},{"line_number":8,"context_line":"  Tuomo Tanskanen (Ericsson Software Technology) and Dmitry Tantsur (Red Hat)"},{"line_number":9,"context_line":"  of the Metal3.io Security Team discovered a vulnerability in Ironic API RBAC"},{"line_number":10,"context_line":"  handling, where a user with a valid token and credentials to send a "},{"line_number":11,"context_line":"  POST or PATCH request to ``/v1/volume/targets`` can have potentially"},{"line_number":12,"context_line":"  sensitive properties returned in the response unredacted, such as iSCSI"},{"line_number":13,"context_line":"  credentials."}],"source_content_type":"text/x-yaml","patch_set":5,"id":"b5f52727_bd431b26","line":10,"updated":"2026-06-16 14:46:52.000000000","message":"nit, whitespace :)","commit_id":"48d1be589245e916f3c5ec5318db527c9bbd3143"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"8f6570966862acdf0ebffc5d420f041693aa541d","unresolved":true,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"reviews:"},{"line_number":34,"context_line":"  2026.2/hibiscus (development):"},{"line_number":35,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/990430 "},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"  2026.1/gazpacho:"},{"line_number":38,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/992321"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"ca704577_ce36803f","line":35,"updated":"2026-06-16 14:46:52.000000000","message":"😉","commit_id":"48d1be589245e916f3c5ec5318db527c9bbd3143"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"6aa416af5be56c9d2a7a90ad3fe48a17297a560f","unresolved":true,"context_lines":[{"line_number":2,"context_line":""},{"line_number":3,"context_line":"id: OSSA-2026-023"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"title: Sensitive properties returned unredacted in POST and PATCH HTTP responseses"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"description: |"},{"line_number":8,"context_line":"  Tuomo Tanskanen (Ericsson Software Technology) and Dmitry Tantsur (Red Hat)"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"054ab3af_02184b0b","line":5,"range":{"start_line":5,"start_character":71,"end_line":5,"end_character":82},"updated":"2026-06-16 19:42:36.000000000","message":"typo","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"8c4b6db90f8f0cbf91c5baafb347b274cefe82e1","unresolved":false,"context_lines":[{"line_number":2,"context_line":""},{"line_number":3,"context_line":"id: OSSA-2026-023"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"title: Sensitive properties returned unredacted in POST and PATCH HTTP responseses"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"description: |"},{"line_number":8,"context_line":"  Tuomo Tanskanen (Ericsson Software Technology) and Dmitry Tantsur (Red Hat)"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"acc8c2eb_eac73925","line":5,"range":{"start_line":5,"start_character":71,"end_line":5,"end_character":82},"in_reply_to":"054ab3af_02184b0b","updated":"2026-06-16 19:47:00.000000000","message":"Done","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"8da5a955b42004a3ee5a586c3493f660aec60f51","unresolved":false,"context_lines":[{"line_number":7,"context_line":"description: |"},{"line_number":8,"context_line":"  Tuomo Tanskanen (Ericsson Software Technology) and Dmitry Tantsur (Red Hat)"},{"line_number":9,"context_line":"  of the Metal3.io Security Team discovered a vulnerability in Ironic API RBAC"},{"line_number":10,"context_line":"  handling, where a user with a valid token and credentials to send a "},{"line_number":11,"context_line":"  POST or PATCH request to ``/v1/volume/targets`` can have potentially"},{"line_number":12,"context_line":"  sensitive properties returned in the response unredacted, such as iSCSI"},{"line_number":13,"context_line":"  credentials."}],"source_content_type":"text/x-yaml","patch_set":6,"id":"4b0f691c_e2cbcaeb","line":10,"updated":"2026-06-16 19:43:29.000000000","message":"Nit: trailing whitespace","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"8c4b6db90f8f0cbf91c5baafb347b274cefe82e1","unresolved":false,"context_lines":[{"line_number":7,"context_line":"description: |"},{"line_number":8,"context_line":"  Tuomo Tanskanen (Ericsson Software Technology) and Dmitry Tantsur (Red Hat)"},{"line_number":9,"context_line":"  of the Metal3.io Security Team discovered a vulnerability in Ironic API RBAC"},{"line_number":10,"context_line":"  handling, where a user with a valid token and credentials to send a "},{"line_number":11,"context_line":"  POST or PATCH request to ``/v1/volume/targets`` can have potentially"},{"line_number":12,"context_line":"  sensitive properties returned in the response unredacted, such as iSCSI"},{"line_number":13,"context_line":"  credentials."}],"source_content_type":"text/x-yaml","patch_set":6,"id":"37b21ab0_9fbb4d65","line":10,"in_reply_to":"4b0f691c_e2cbcaeb","updated":"2026-06-16 19:47:00.000000000","message":"fixed","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"6aa416af5be56c9d2a7a90ad3fe48a17297a560f","unresolved":true,"context_lines":[{"line_number":31,"context_line":"    - https://bugs.launchpad.net/ironic/+bug/2155049"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"reviews:"},{"line_number":34,"context_line":"  2026.2/hibiscus (development):"},{"line_number":35,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/990430 "},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"  2026.1/gazpacho:"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"2e816c2d_c47ab7fe","line":34,"range":{"start_line":34,"start_character":19,"end_line":34,"end_character":30},"updated":"2026-06-16 19:42:36.000000000","message":"master?","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"8c4b6db90f8f0cbf91c5baafb347b274cefe82e1","unresolved":true,"context_lines":[{"line_number":31,"context_line":"    - https://bugs.launchpad.net/ironic/+bug/2155049"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"reviews:"},{"line_number":34,"context_line":"  2026.2/hibiscus (development):"},{"line_number":35,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/990430 "},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"  2026.1/gazpacho:"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"a2d3c046_bd16ca2d","line":34,"range":{"start_line":34,"start_character":19,"end_line":34,"end_character":30},"in_reply_to":"2e816c2d_c47ab7fe","updated":"2026-06-16 19:47:00.000000000","message":"I avoid use of the term \"master\" when possible in technical contexts in lieu of more inclusive language, like \"development\". It also mirrors our release language.","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"8da5a955b42004a3ee5a586c3493f660aec60f51","unresolved":false,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"reviews:"},{"line_number":34,"context_line":"  2026.2/hibiscus (development):"},{"line_number":35,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/990430 "},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"  2026.1/gazpacho:"},{"line_number":38,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/992321"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"32095c1a_2a8c9bd2","line":35,"updated":"2026-06-16 19:43:29.000000000","message":"Nit: trailing whitespace","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"8c4b6db90f8f0cbf91c5baafb347b274cefe82e1","unresolved":true,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"reviews:"},{"line_number":34,"context_line":"  2026.2/hibiscus (development):"},{"line_number":35,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/990430 "},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"  2026.1/gazpacho:"},{"line_number":38,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/992321"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"dbbb66b1_70433218","line":35,"in_reply_to":"32095c1a_2a8c9bd2","updated":"2026-06-16 19:47:00.000000000","message":"fixed","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"6aa416af5be56c9d2a7a90ad3fe48a17297a560f","unresolved":true,"context_lines":[{"line_number":35,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/990430 "},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"  2026.1/gazpacho:"},{"line_number":38,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/992321"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"  2025.2/flamingo:"},{"line_number":41,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/992325"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"9e68704b_3299d322","line":38,"range":{"start_line":38,"start_character":6,"end_line":38,"end_character":60},"updated":"2026-06-16 19:42:36.000000000","message":"nitpick: shortform preferred","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"6aa416af5be56c9d2a7a90ad3fe48a17297a560f","unresolved":true,"context_lines":[{"line_number":50,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/992335"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"  bugfix/33.0:"},{"line_number":53,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/992335"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"  bugfix/34.0:"},{"line_number":56,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/992322"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"e1d90c7d_78cf2357","line":53,"range":{"start_line":53,"start_character":0,"end_line":53,"end_character":60},"updated":"2026-06-16 19:42:36.000000000","message":"same link as above?","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"8c4b6db90f8f0cbf91c5baafb347b274cefe82e1","unresolved":false,"context_lines":[{"line_number":50,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/992335"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"  bugfix/33.0:"},{"line_number":53,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/992335"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"  bugfix/34.0:"},{"line_number":56,"context_line":"    - https://review.opendev.org/c/openstack/ironic/+/992322"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"3c83ad40_ae01d334","line":53,"range":{"start_line":53,"start_character":0,"end_line":53,"end_character":60},"in_reply_to":"e1d90c7d_78cf2357","updated":"2026-06-16 19:47:00.000000000","message":"Done","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"6aa416af5be56c9d2a7a90ad3fe48a17297a560f","unresolved":true,"context_lines":[{"line_number":57,"context_line":""},{"line_number":58,"context_line":"notes:"},{"line_number":59,"context_line":"  - The vulnerable code path has existed since Ironic 9.0.0 (OpenStack Pike),"},{"line_number":60,"context_line":"    however, this could only be considered an escalation of privledges after"},{"line_number":61,"context_line":"    Ironic 17.0.0 (OpenStack Wallaby), when Ironic introduced the ability for"},{"line_number":62,"context_line":"    project-scoped users to interact via the owner/lessee model."},{"line_number":63,"context_line":"  - Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained. Patches"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"30a834c7_175a7483","line":60,"range":{"start_line":60,"start_character":60,"end_line":60,"end_character":70},"updated":"2026-06-16 19:42:36.000000000","message":"typo","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"8c4b6db90f8f0cbf91c5baafb347b274cefe82e1","unresolved":false,"context_lines":[{"line_number":57,"context_line":""},{"line_number":58,"context_line":"notes:"},{"line_number":59,"context_line":"  - The vulnerable code path has existed since Ironic 9.0.0 (OpenStack Pike),"},{"line_number":60,"context_line":"    however, this could only be considered an escalation of privledges after"},{"line_number":61,"context_line":"    Ironic 17.0.0 (OpenStack Wallaby), when Ironic introduced the ability for"},{"line_number":62,"context_line":"    project-scoped users to interact via the owner/lessee model."},{"line_number":63,"context_line":"  - Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained. Patches"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"98a4caa0_7274ffd2","line":60,"range":{"start_line":60,"start_character":60,"end_line":60,"end_character":70},"in_reply_to":"30a834c7_175a7483","updated":"2026-06-16 19:47:00.000000000","message":"Done","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"8da5a955b42004a3ee5a586c3493f660aec60f51","unresolved":false,"context_lines":[{"line_number":60,"context_line":"    however, this could only be considered an escalation of privledges after"},{"line_number":61,"context_line":"    Ironic 17.0.0 (OpenStack Wallaby), when Ironic introduced the ability for"},{"line_number":62,"context_line":"    project-scoped users to interact via the owner/lessee model."},{"line_number":63,"context_line":"  - Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained. Patches"},{"line_number":64,"context_line":"    are provided as a courtesy. Releases 2023.2 (bobcat) and"},{"line_number":65,"context_line":"    2024.2 (dalmation) are end of life and have not had patches provided. See"},{"line_number":66,"context_line":"    https://releases.openstack.org for more information on supported releases."}],"source_content_type":"text/x-yaml","patch_set":6,"id":"89a63f45_65dec7c2","line":63,"updated":"2026-06-16 19:43:29.000000000","message":"We usually refer to these as \"branches\" rather than releases in order to not confuse readers between the tagged project versions and the OpenStack coordinated release identifiers.","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"8c4b6db90f8f0cbf91c5baafb347b274cefe82e1","unresolved":true,"context_lines":[{"line_number":60,"context_line":"    however, this could only be considered an escalation of privledges after"},{"line_number":61,"context_line":"    Ironic 17.0.0 (OpenStack Wallaby), when Ironic introduced the ability for"},{"line_number":62,"context_line":"    project-scoped users to interact via the owner/lessee model."},{"line_number":63,"context_line":"  - Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained. Patches"},{"line_number":64,"context_line":"    are provided as a courtesy. Releases 2023.2 (bobcat) and"},{"line_number":65,"context_line":"    2024.2 (dalmation) are end of life and have not had patches provided. See"},{"line_number":66,"context_line":"    https://releases.openstack.org for more information on supported releases."}],"source_content_type":"text/x-yaml","patch_set":6,"id":"c92011fd_cea7be6e","line":63,"in_reply_to":"89a63f45_65dec7c2","updated":"2026-06-16 19:47:00.000000000","message":"fixed","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"6aa416af5be56c9d2a7a90ad3fe48a17297a560f","unresolved":true,"context_lines":[{"line_number":62,"context_line":"    project-scoped users to interact via the owner/lessee model."},{"line_number":63,"context_line":"  - Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained. Patches"},{"line_number":64,"context_line":"    are provided as a courtesy. Releases 2023.2 (bobcat) and"},{"line_number":65,"context_line":"    2024.2 (dalmation) are end of life and have not had patches provided. See"},{"line_number":66,"context_line":"    https://releases.openstack.org for more information on supported releases."},{"line_number":67,"context_line":"  - Ironic bugfix branch patches will be available in git for interested"},{"line_number":68,"context_line":"    operators. We will not perform an additional release from these branches."}],"source_content_type":"text/x-yaml","patch_set":6,"id":"e96dbb1b_b9174d5b","line":65,"updated":"2026-06-16 19:42:36.000000000","message":"dalmatian","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"8c4b6db90f8f0cbf91c5baafb347b274cefe82e1","unresolved":false,"context_lines":[{"line_number":62,"context_line":"    project-scoped users to interact via the owner/lessee model."},{"line_number":63,"context_line":"  - Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained. Patches"},{"line_number":64,"context_line":"    are provided as a courtesy. Releases 2023.2 (bobcat) and"},{"line_number":65,"context_line":"    2024.2 (dalmation) are end of life and have not had patches provided. See"},{"line_number":66,"context_line":"    https://releases.openstack.org for more information on supported releases."},{"line_number":67,"context_line":"  - Ironic bugfix branch patches will be available in git for interested"},{"line_number":68,"context_line":"    operators. We will not perform an additional release from these branches."}],"source_content_type":"text/x-yaml","patch_set":6,"id":"fe90c3cd_0b338560","line":65,"in_reply_to":"e96dbb1b_b9174d5b","updated":"2026-06-16 19:47:00.000000000","message":"Done","commit_id":"4b162e1c12bd315f881d3c359938029eb619baff"}]}