Version 17.3.0-4 of python-oslo.messaging is marked for autoremoval from testing on Wed 22 Jul 2026. It depends (transitively) on pymongo, pyro5, affected by #1139431, #1139527. You should try to prevent the removal by fixing these RC bugs.
CVE-2026-44393:
An issue was discovered in OpenStack oslo.messaging 1.0.0 through 17.3.0. The oslo.messaging RabbitMQ driver does not perform TLS hostname verification when connecting to the message broker. When ssl_ca_file is configured, the driver enables certificate chain validation but does not pass the expected broker hostname into the underlying TLS stack. Any certificate signed by the deployment CA is accepted regardless of hostname, allowing an attacker who can intercept control-plane traffic to impersonate the RabbitMQ broker and perform a man-in-the-middle attack on RPC and notification traffic. All OpenStack services using oslo.messaging with RabbitMQ over TLS are affected.
Among the 4 debian patches
available in version 17.3.0-4 of the package,
we noticed the following issues:
2 patches
where the metadata indicates that the patch has not yet been forwarded
upstream. You should either forward the patch upstream or update the
metadata to document its real status.
Standards version of the package is outdated.
wishlist
The package should be updated to follow the last version of Debian Policy
(Standards-Version 4.7.4 instead of
4.5.1).
![[bug history graph]](https://qa.debian.org/data/bts/graphs/p/python-oslo.messaging.png){kind=link}