-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 May 2026 17:18:35 +0200
Source: mistral
Binary: mistral-api mistral-common mistral-engine mistral-event-engine mistral-executor python3-mistral
Architecture: all
Version: 20.0.0-2+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02) <buildd_all-x86-grnet-02@buildd.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 mistral-api - OpenStack Workflow service - API
 mistral-common - OpenStack Workflow service - common files
 mistral-engine - OpenStack Workflow service - Engine
 mistral-event-engine - OpenStack Workflow service - Event Engine
 mistral-executor - OpenStack Workflow service - Executor
 python3-mistral - OpenStack Workflow Service - Python libraries
Closes: 1138843 1138849
Changes:
 mistral (20.0.0-2+deb13u1) trixie-security; urgency=medium
 .
   * CVE-2026-41283: Mistral policy enforcement bypass allows unauthorized
     public resource creation and arbitrary code execution. Applied upstream
     patches:
     - Restrict publicize policies to admin only
     - Remove unnecessary expect_errors=True from policy tests
     - Add code_sources publicize policy and enforcement
     - Restrict code_sources and dynamic_actions policies to
     - Add dynamic_actions publicize policy and enforcement
     - Add workbooks publicize policy and enforcement
     - Add cron_triggers publicize policy and enforcement
     - Add environments publicize policy and enforcement
    (Closes: #1138843)
   * OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
     Applied upstream patch: "Strip sensitive info from workflow execution
     context" (Closes: #1138849).
Checksums-Sha1:
 e5b80bf0216b49ba0c3cb67f007b475cd7ec65b3 26280 mistral-api_20.0.0-2+deb13u1_all.deb
 c5ab7ba1973b14527d73aec92c9c482fc10cc09e 44288 mistral-common_20.0.0-2+deb13u1_all.deb
 638a3202551aba93ef13f5bd43fee38613947c1e 8184 mistral-engine_20.0.0-2+deb13u1_all.deb
 9e77ac0d7ba2ce066dc6df382b7e4f4090992c26 8228 mistral-event-engine_20.0.0-2+deb13u1_all.deb
 76a05747f39286138a48bd6c5d1239efd40cb591 8180 mistral-executor_20.0.0-2+deb13u1_all.deb
 c5d01434cdfd0eca82361bf3befcd57342dfc75e 17387 mistral_20.0.0-2+deb13u1_all-buildd.buildinfo
 748c786991e04e0bc587391f2f6064c118db7838 307408 python3-mistral_20.0.0-2+deb13u1_all.deb
Checksums-Sha256:
 cafba285ae478136efbe86b9cfdea6c5ec0bf00017afc7b6e2cebe26bbe5ffae 26280 mistral-api_20.0.0-2+deb13u1_all.deb
 f5be040957e73779191e7535487f61a3f51266ca4f3a40a3c6832f9758563bb9 44288 mistral-common_20.0.0-2+deb13u1_all.deb
 8a45f820b2cd0626a32de55f5cb81d2001921ae9a4da9a87b1f476be371140d2 8184 mistral-engine_20.0.0-2+deb13u1_all.deb
 12bf85f7e6aa8e6534c6a3f7be48d008ca287ce83f12f08e1dc46519673f78da 8228 mistral-event-engine_20.0.0-2+deb13u1_all.deb
 0412004f363296736c12e40214d7d87ba0eb5da986c5d7cee594e0aa75da9cf4 8180 mistral-executor_20.0.0-2+deb13u1_all.deb
 8cac6dfc07e2e23080ff1167cce9222d42e9ee262da6185f35badcb82e97aef9 17387 mistral_20.0.0-2+deb13u1_all-buildd.buildinfo
 93beb6503a65b3159690cf3d7600b1a0c16bbfa2b21a137dc0f5ec8fb3fcfb3d 307408 python3-mistral_20.0.0-2+deb13u1_all.deb
Files:
 a45aeba71f3716b79898bc989e000b74 26280 net optional mistral-api_20.0.0-2+deb13u1_all.deb
 eb3256c15a3e90b9549f8050bcd1d75a 44288 net optional mistral-common_20.0.0-2+deb13u1_all.deb
 7af9bb81840b01ffdc5abe5fb0f76ca8 8184 net optional mistral-engine_20.0.0-2+deb13u1_all.deb
 d4597abbf506a0376df6d2489fe4f87d 8228 net optional mistral-event-engine_20.0.0-2+deb13u1_all.deb
 71ac937431713a9ea33857804a0581e6 8180 net optional mistral-executor_20.0.0-2+deb13u1_all.deb
 1f6364dd20d759a3101438125ace5edc 17387 net optional mistral_20.0.0-2+deb13u1_all-buildd.buildinfo
 7c7fe1e2f2fb22720448076f8401897f 307408 python optional python3-mistral_20.0.0-2+deb13u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE81O8NL+3kjBAqEvLmgPNRvTf/zcFAmonUk0ACgkQmgPNRvTf
/zf/zRAAm96pLaqnC+s9THSqOg7qIYANUigVF95plyza55L0gTnKnRHfsaaELpCi
Um7zAhD7gElbt3pLWUlOFHLHtF5qOpYiojEwEkRQRTzGPHALJlsbAqT4VV3FIZBO
hWMnadLEBf93nLyU2pgMNdXvXjgtbJwj1kXI92GuNu7uxSQmJrGUrMBi4MAB0B0c
57BeFk14/ryRd9Rg6RX7PgzELl4FtXm0NuOiD+Xrl3zwhH47jk6C95KWDeXo6PwR
17oon72jkbnmNjYHWB5DzOZ3b9SmBjDqf/kdOm1Px4CI+iqfb6m8vv+CXkKWeix1
t7uVE9XCJhTHhKGhQY7a1qrhc8RacBi8DkOHjN6sGp/yxziBF3XW26o5Kr+UPvXt
TyxyWNzIOWVVSvKWA8zW+sDAxGhvxqg2IQ/k4uzrkrbg1dYD7nrYLed+j3XYdXkf
OFWDynUb7u56bXmMwAyB5UBAZt3Xz446nXdLCptYh16tcGkhPHTwQuwtBzQpsPVd
4UsAZnufw+mTOtbaC4ukKeGEfcSoFVQffJi+LAQ7h8y72JcXwh4z7oYdWZPDJHA4
gcAEcwZb+HnM6yzRg93aTtWuyElN5Rp+jzrfAhnVt53kZmRGf6KIe4l9FTi9cqcm
FaIhklFo7j4PFzff8WFcX43SKNlCJ3oiuDHBX0WV0AoT+JOkOwM=
=qXAX
-----END PGP SIGNATURE-----