Hello community,

here is the log from the commit of package python-oslo.messaging for 
openSUSE:Factory checked in at 2026-06-08 14:22:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-oslo.messaging (Old)
 and      /work/SRC/openSUSE:Factory/.python-oslo.messaging.new.2375 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-oslo.messaging"

Mon Jun  8 14:22:34 2026 rev:37 rq:1357874 version:18.1.0

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/python-oslo.messaging/python-oslo.messaging.changes  
    2026-03-09 16:11:32.337416127 +0100
+++ 
/work/SRC/openSUSE:Factory/.python-oslo.messaging.new.2375/python-oslo.messaging.changes
    2026-06-08 14:27:53.783469386 +0200
@@ -1,0 +2,13 @@
+Mon Jun  8 07:02:57 UTC 2026 - Dirk Müller <[email protected]>
+
+- update to 18.1.0 (bsc#1267828, CVE-2026-44393):
+  * Fix RabbitMQ TLS hostname verification (bsc#1267828,
+    CVE-2026-44393)
+  * Deprecate version module
+  * tox: Use new constraints option
+  * Remove deprecated heartbeat_in_pthread option from RabbitMQ
+    driver
+  * Update master for stable/2026.1
+  * Replace deprecated datetime.datetime.utcnow
+
+-------------------------------------------------------------------

Old:
----
  oslo_messaging-17.3.0.tar.gz

New:
----
  oslo_messaging-18.1.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-oslo.messaging.spec ++++++
--- /var/tmp/diff_new_pack.hC3qPe/_old  2026-06-08 14:27:54.455497272 +0200
+++ /var/tmp/diff_new_pack.hC3qPe/_new  2026-06-08 14:27:54.459497438 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           python-oslo.messaging
-Version:        17.3.0
+Version:        18.1.0
 Release:        0
 Summary:        OpenStack oslo.messaging library
 License:        Apache-2.0
@@ -28,14 +28,15 @@
 BuildRequires:  %{python_module WebOb >= 1.7.1}
 BuildRequires:  %{python_module amqp >= 2.5.2}
 BuildRequires:  %{python_module cachetools >= 2.0.0}
-BuildRequires:  %{python_module confluent-kafka}
+BuildRequires:  %{python_module confluent-kafka >= 1.3.0}
 BuildRequires:  %{python_module debtcollector >= 1.2.0}
-BuildRequires:  %{python_module eventlet}
-BuildRequires:  %{python_module fixtures}
+BuildRequires:  %{python_module eventlet >= 0.23.0}
+BuildRequires:  %{python_module fixtures >= 3.0.0}
 BuildRequires:  %{python_module futurist >= 1.2.0}
-BuildRequires:  %{python_module greenlet}
-BuildRequires:  %{python_module kombu >= 4.6.6}
+BuildRequires:  %{python_module greenlet >= 0.4.15}
+BuildRequires:  %{python_module kombu >= 4.6.8}
 BuildRequires:  %{python_module oslo.config >= 5.2.0}
+BuildRequires:  %{python_module oslo.context >= 5.3.0}
 BuildRequires:  %{python_module oslo.i18n}
 BuildRequires:  %{python_module oslo.log >= 3.36.0}
 BuildRequires:  %{python_module oslo.metrics >= 0.2.1}
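Review bot: The kombu floor is only raised to `>= 4.6.8`, in `BuildRequires` here and in `Requires` in the last spec hunk, while the TLS hostname fix in this update tracks the active failover broker only with Kombu 5.2.0 or newer (per the release note shipped in the tarball). With an older Kombu, a multi-host transport URL falls back to checking against the first configured broker hostname and logs a warning. If the distribution already ships Kombu 5.2.0 or later, consider `Requires:       python-kombu >= 5.2.0` (and the matching `BuildRequires`) so the package cannot be installed into the degraded configuration.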
@@ -43,12 +44,13 @@
 BuildRequires:  %{python_module oslo.serialization >= 2.18.0}
 BuildRequires:  %{python_module oslo.service >= 1.24.0}
 BuildRequires:  %{python_module oslo.utils >= 3.37.0}
-BuildRequires:  %{python_module oslotest}
+BuildRequires:  %{python_module oslotest >= 3.2.0}
+BuildRequires:  %{python_module pbr >= 2.0.0}
 BuildRequires:  %{python_module pip}
-BuildRequires:  %{python_module stestr}
+BuildRequires:  %{python_module stestr >= 2.0.0}
 BuildRequires:  %{python_module stevedore >= 1.20.0}
-BuildRequires:  %{python_module testscenarios}
-BuildRequires:  %{python_module testtools}
+BuildRequires:  %{python_module testscenarios >= 0.4}
+BuildRequires:  %{python_module testtools >= 2.2.0}
 BuildRequires:  %{python_module wheel}
 BuildRequires:  openstack-macros
 Requires:       python-PyYAML >= 3.13
@@ -57,9 +59,10 @@
 Requires:       python-cachetools >= 2.0.0
 Requires:       python-debtcollector >= 1.2.0
 Requires:       python-futurist >= 1.2.0
-Requires:       python-greenlet
-Requires:       python-kombu >= 4.6.6
+Requires:       python-greenlet >= 0.4.15
+Requires:       python-kombu >= 4.6.8
 Requires:       python-oslo.config >= 5.2.0
+Requires:       python-oslo.context >= 5.3.0
 Requires:       python-oslo.i18n
 Requires:       python-oslo.log >= 3.36.0
 Requires:       python-oslo.metrics >= 0.2.1

++++++ oslo_messaging-17.3.0.tar.gz -> oslo_messaging-18.1.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oslo_messaging-17.3.0/ChangeLog 
new/oslo_messaging-18.1.0/ChangeLog
--- old/oslo_messaging-17.3.0/ChangeLog 2026-02-18 14:45:54.000000000 +0100
+++ new/oslo_messaging-18.1.0/ChangeLog 2026-05-20 10:58:00.000000000 +0200
@@ -1,6 +1,20 @@
 CHANGES
 =======
 
+18.1.0
+------
+
+* Fix RabbitMQ TLS hostname verification
+* Deprecate version module
+
+18.0.0
+------
+
+* tox: Use new constraints option
+* Remove deprecated heartbeat\_in\_pthread option from RabbitMQ driver
+* Update master for stable/2026.1
+* Replace deprecated datetime.datetime.utcnow
+
 17.3.0
 ------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oslo_messaging-17.3.0/PKG-INFO 
new/oslo_messaging-18.1.0/PKG-INFO
--- old/oslo_messaging-17.3.0/PKG-INFO  2026-02-18 14:45:54.968240300 +0100
+++ new/oslo_messaging-18.1.0/PKG-INFO  2026-05-20 10:58:00.186659600 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: oslo.messaging
-Version: 17.3.0
+Version: 18.1.0
 Summary: Oslo Messaging API
 Author-email: OpenStack <[email protected]>
 Project-URL: Homepage, https://docs.openstack.org/oslo.messaging
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oslo_messaging-17.3.0/oslo.messaging.egg-info/PKG-INFO 
new/oslo_messaging-18.1.0/oslo.messaging.egg-info/PKG-INFO
--- old/oslo_messaging-17.3.0/oslo.messaging.egg-info/PKG-INFO  2026-02-18 
14:45:54.000000000 +0100
+++ new/oslo_messaging-18.1.0/oslo.messaging.egg-info/PKG-INFO  2026-05-20 
10:58:00.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: oslo.messaging
-Version: 17.3.0
+Version: 18.1.0
 Summary: Oslo Messaging API
 Author-email: OpenStack <[email protected]>
 Project-URL: Homepage, https://docs.openstack.org/oslo.messaging
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oslo_messaging-17.3.0/oslo.messaging.egg-info/SOURCES.txt 
new/oslo_messaging-18.1.0/oslo.messaging.egg-info/SOURCES.txt
--- old/oslo_messaging-17.3.0/oslo.messaging.egg-info/SOURCES.txt       
2026-02-18 14:45:54.000000000 +0100
+++ new/oslo_messaging-18.1.0/oslo.messaging.egg-info/SOURCES.txt       
2026-05-20 10:58:00.000000000 +0200
@@ -154,6 +154,7 @@
 releasenotes/notes/deprecate-enforce_fips_mode-5b0269709d0102dc.yaml
 releasenotes/notes/deprecate-eventlet-executor-13835b9818fd77f2.yaml
 
releasenotes/notes/deprecate-the-option-heartbeat_in_pthread-from-rabbit-driver-5757adb83701caa5.yaml
+releasenotes/notes/deprecate-version-module-d7200868a8066b0e.yaml
 releasenotes/notes/deprecated-amqp1-driver-4bf57449bc2b7aad.yaml
 releasenotes/notes/disable-mandatory-flag-a6210a534f3853f0.yaml
 
releasenotes/notes/do-not-run-heartbeat-in-pthread-by-default-42e1299f59b841f8.yaml
@@ -173,6 +174,7 @@
 releasenotes/notes/oslo-metrics-support-fe16343a637cc14b.yaml
 releasenotes/notes/pika-driver-has-been-deprecated-e2407fa53c91fe5c.yaml
 releasenotes/notes/rabbit-no-wait-for-ack-9e5de3e1320d7660.yaml
+releasenotes/notes/rabbit-ssl-hostname-verification-option.yaml
 releasenotes/notes/rabbit_queue_manager-363209285cbbe257.yaml
 releasenotes/notes/rabbit_quorum_typo-9c06a9fd8d767f53.yaml
 releasenotes/notes/rabbit_transient_quorum-fc3c3f88ead90034.yaml
@@ -182,6 +184,7 @@
 releasenotes/notes/remove-ZeroMQ-driver-e9e0bbbb7bd4f5e6.yaml
 releasenotes/notes/remove-amqp1-c924ea548dadffaa.yaml
 releasenotes/notes/remove-deprecated-notif-opts-142f8eea540c17ec.yaml
+releasenotes/notes/remove-heartbeat-in-pthread-option-0ffa11bfc07c58e2.yaml
 releasenotes/notes/remove-kafka-conn-pool-opts-0b7962e2f22b24ed.yaml
 releasenotes/notes/remove-old-quorum-opts-with-typo-5e013064fb6df062.yaml
 releasenotes/notes/remove-pika-1bae204ced2521a3.yaml
@@ -199,6 +202,7 @@
 releasenotes/source/2024.2.rst
 releasenotes/source/2025.1.rst
 releasenotes/source/2025.2.rst
+releasenotes/source/2026.1.rst
 releasenotes/source/conf.py
 releasenotes/source/index.rst
 releasenotes/source/newton.rst
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oslo_messaging-17.3.0/oslo.messaging.egg-info/pbr.json 
new/oslo_messaging-18.1.0/oslo.messaging.egg-info/pbr.json
--- old/oslo_messaging-17.3.0/oslo.messaging.egg-info/pbr.json  2026-02-18 
14:45:54.000000000 +0100
+++ new/oslo_messaging-18.1.0/oslo.messaging.egg-info/pbr.json  2026-05-20 
10:58:00.000000000 +0200
@@ -1 +1 @@
-{"git_version": "3035e816", "is_release": true}
\ No newline at end of file
+{"git_version": "8ea2d5b4", "is_release": true}
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oslo_messaging-17.3.0/oslo_messaging/_drivers/impl_rabbit.py 
new/oslo_messaging-18.1.0/oslo_messaging/_drivers/impl_rabbit.py
--- old/oslo_messaging-17.3.0/oslo_messaging/_drivers/impl_rabbit.py    
2026-02-18 14:45:04.000000000 +0100
+++ new/oslo_messaging-18.1.0/oslo_messaging/_drivers/impl_rabbit.py    
2026-05-20 10:57:32.000000000 +0200
@@ -16,6 +16,7 @@
 import contextlib
 import errno
 import functools
+import importlib.metadata
 import itertools
 import math
 import os
@@ -37,6 +38,7 @@
 from oslo_log import log as logging
 from oslo_utils import eventletutils
 from oslo_utils import netutils
+from oslo_utils import versionutils
 
 import oslo_messaging
 from oslo_messaging._drivers import amqp as rpc_amqp
@@ -84,6 +86,18 @@
                default='',
                help='SSL certification authority file '
                     '(valid only if SSL enabled).'),
+    cfg.BoolOpt('ssl_enforce_hostname_verification',
+                default=True,
+                deprecated_for_removal=True,
+                deprecated_reason='Hostname verification should remain '
+                                  'enabled once operators have completed '
+                                  'the migration.',
+                help='When true, verify the broker hostname against the '
+                     'certificate when ``ssl_ca_file`` is set. When false, '
+                     '``ssl`` with ``ssl_ca_file`` still validates the '
+                     'certificate chain but does not verify the broker '
+                     'hostname. ``ssl=true`` without ``ssl_ca_file`` never '
+                     'enables hostname verification.'),
     cfg.BoolOpt('ssl_enforce_fips_mode',
                 default=False,
                 deprecated_for_removal=True,
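Review bot: The help string for `ssl_enforce_hostname_verification` explains what `false` does mechanically but not what it exposes, which is what an operator choosing the value needs to know. I would append a sentence such as `'Disabling this lets any host presenting a certificate issued by the configured CA be accepted as the broker.'`, in line with the security release note shipped in the same update. The option list this entry belongs to starts and ends outside the hunk.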
@@ -96,25 +110,6 @@
                 'Python versions on select environments. If the Python '
                 'executable used does not support OpenSSL FIPS mode, '
                 'an exception will be raised.'),
-    cfg.BoolOpt('heartbeat_in_pthread',
-                default=False,
-                deprecated_for_removal=True,
-                deprecated_reason='The option is related to Eventlet which '
-                                  'will be removed. In addition this has '
-                                  'never worked as expected with services '
-                                  'using eventlet for core service framework.',
-                help="(DEPRECATED) It is recommend not to use this option "
-                     "anymore. Run the health check heartbeat thread "
-                     "through a native python thread by default. If this "
-                     "option is equal to False then the health check "
-                     "heartbeat will inherit the execution model "
-                     "from the parent process. For "
-                     "example if the parent process has monkey patched the "
-                     "stdlib by using eventlet/greenlet then the heartbeat "
-                     "will be run through a green thread. "
-                     "This option should be set to True only for the "
-                     "wsgi services.",
-                ),
     cfg.FloatOpt('kombu_reconnect_delay',
                  default=1.0,
                  min=0.0,
@@ -741,7 +736,6 @@
             driver_conf.kombu_missing_consumer_retry_timeout
         self.kombu_failover_strategy = driver_conf.kombu_failover_strategy
         self.kombu_compression = driver_conf.kombu_compression
-        self.heartbeat_in_pthread = driver_conf.heartbeat_in_pthread
         self.ssl_enforce_fips_mode = driver_conf.ssl_enforce_fips_mode
         self.enable_cancel_on_failover = driver_conf.enable_cancel_on_failover
         self.use_queue_manager = driver_conf.use_queue_manager
@@ -757,35 +751,6 @@
                                'need rabbit_transient_quorum_queue to be set '
                                'to true.')
 
-        if self.heartbeat_in_pthread:
-            # NOTE(hberaud): Experimental: threading module is in use to run
-            # the rabbitmq health check heartbeat. in some situation like
-            # with nova-api, nova need green threads to run the cells
-            # mechanismes in an async mode, so they used eventlet and
-            # greenlet to monkey patch the python stdlib and get green threads.
-            # The issue here is that nova-api run under the apache MPM prefork
-            # module and mod_wsgi. The apache prefork module doesn't support
-            # epoll and recent kernel features, and evenlet is built over epoll
-            # and libevent, so when we run the rabbitmq heartbeat we inherit
-            # from the execution model of the parent process (nova-api), and
-            # in this case we will run the heartbeat through a green thread.
-            # We want to allow users to choose between pthread and
-            # green threads if needed in some specific situations.
-            # This experimental feature allow user to use pthread in an env
-            # that doesn't support eventlet without forcing the parent process
-            # to stop to use eventlet if they need monkey patching for some
-            # specific reasons.
-            # If users want to use pthread we need to make sure that we
-            # will use the *native* threading module for
-            # initialize the heartbeat thread.
-            # Here we override globaly the previously imported
-            # threading module with the native python threading module
-            # if it was already monkey patched by eventlet/greenlet.
-            global threading
-            threading = _utils.stdlib_threading
-            amqpdriver.threading = _utils.stdlib_threading
-            amqpdriver.queue = _utils.stdlib_queue
-
         self.direct_mandatory_flag = driver_conf.direct_mandatory_flag
 
         if self.ssl:
@@ -793,6 +758,11 @@
             self.ssl_key_file = driver_conf.ssl_key_file
             self.ssl_cert_file = driver_conf.ssl_cert_file
             self.ssl_ca_file = driver_conf.ssl_ca_file
+            self.ssl_enforce_hostname_verification = (
+                driver_conf.ssl_enforce_hostname_verification)
+            self.ssl_server_hostname = None
+            if (self.ssl_ca_file and self.ssl_enforce_hostname_verification):
+                self.ssl_server_hostname = self._get_ssl_server_hostname(url)
 
         self._url = ''
         if url.hosts:
@@ -962,6 +932,33 @@
         except KeyError:
             raise RuntimeError("Invalid SSL version : %s" % version)
 
+    @staticmethod
+    def _get_ssl_server_hostname(url):
+        if len(url.hosts) == 1:
+            return url.hosts[0].hostname
+        if len(url.hosts) > 1:
+            kombu_ver = importlib.metadata.version('kombu')
+            try:
+                kombu_substitutes_failover_hostname = (
+                    versionutils.convert_version_to_tuple(kombu_ver) >=
+                    (5, 2, 0)
+                )
+            except ValueError:
+                kombu_substitutes_failover_hostname = False
+            if kombu_substitutes_failover_hostname:
+                # Kombu >= 5.2.0 substitutes None with the selected broker
+                # hostname after failover chooses the active URL.
+                return None
+            LOG.warning(
+                "Multi-host RabbitMQ TLS hostname verification with Kombu "
+                "before 5.2.0 cannot automatically track the active failover "
+                "broker for the TLS server name. Using the first configured "
+                "broker hostname as a best effort. Upgrade to Kombu >= "
+                "5.2.0, or use a broker certificate (SAN or wildcard) that "
+                "covers all configured broker hostnames.")
+            return url.hosts[0].hostname
+        return None
+
     def _get_quorum_configurations(self, driver_conf):
         """Get the quorum queue configurations"""
         delivery_limit = driver_conf.rabbit_quorum_delivery_limit
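Review bot: The trailing `return None` in `_get_ssl_server_hostname` (reached when `url.hosts` is empty) is indistinguishable from the Kombu >= 5.2.0 branch that returns `None` on purpose, so a transport URL without hosts gets `server_hostname=None` with enforcement on and no log line; whether the peer name is then checked depends on how Kombu and the AMQP transport treat `None`, which is not visible here. A comment such as `# No hosts in the URL: no name to pin here; TODO confirm hostname checking still happens` or a warning would make that path explicit. Separately, `importlib.metadata.version('kombu')` sits outside the `try`, so a missing distribution record raises out of the constructor instead of taking the first-hostname fallback; moving the call inside the `try` and using `except (ValueError, importlib.metadata.PackageNotFoundError):` covers it. The method also has no docstring describing its three return cases.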
@@ -1004,6 +1001,8 @@
                 # We might want to allow variations in the
                 # future with this?
                 ssl_params['cert_reqs'] = ssl.CERT_REQUIRED
+                if self.ssl_enforce_hostname_verification:
+                    ssl_params['server_hostname'] = self.ssl_server_hostname
             return ssl_params or True
         return False
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oslo_messaging-17.3.0/oslo_messaging/tests/drivers/test_impl_rabbit.py 
new/oslo_messaging-18.1.0/oslo_messaging/tests/drivers/test_impl_rabbit.py
--- old/oslo_messaging-17.3.0/oslo_messaging/tests/drivers/test_impl_rabbit.py  
2026-02-18 14:45:04.000000000 +0100
+++ new/oslo_messaging-18.1.0/oslo_messaging/tests/drivers/test_impl_rabbit.py  
2026-05-20 10:57:32.000000000 +0200
@@ -93,11 +93,6 @@
             info='A recoverable connection/channel error occurred, '
             'trying to reconnect: %s')
 
-    def test_run_heartbeat_in_pthread(self):
-        self.config(heartbeat_in_pthread=True,
-                    group="oslo_messaging_rabbit")
-        self._do_test_heartbeat_sent()
-
 
 class TestRabbitQos(test_utils.BaseTestCase):
 
@@ -176,7 +171,20 @@
                                                 keyfile='foo',
                                                 certfile='bar',
                                                 ca_certs='foobar',
-                                                cert_reqs=ssl.CERT_REQUIRED))),
+                                                cert_reqs=ssl.CERT_REQUIRED,
+                                                server_hostname=None))),
+        ('ssl_with_options_no_hostname_check',
+         dict(options=dict(ssl=True,
+                           ssl_version='TLSv1',
+                           ssl_key_file='foo',
+                           ssl_cert_file='bar',
+                           ssl_ca_file='foobar',
+                           ssl_enforce_hostname_verification=False),
+              expected=dict(ssl_version=3,
+                            keyfile='foo',
+                            certfile='bar',
+                            ca_certs='foobar',
+                            cert_reqs=ssl.CERT_REQUIRED))),
     ]
 
     @mock.patch('oslo_messaging._drivers.impl_rabbit.Connection'
@@ -206,6 +214,162 @@
         )
 
 
+class TestRabbitDriverSSLHostname(test_utils.BaseTestCase):
+
+    def test_ssl_enforce_hostname_verification_default_true(self):
+        transport = oslo_messaging.get_transport(self.conf,
+                                                 'kombu+memory:////')
+        self.addCleanup(transport.cleanup)
+        self.assertTrue(
+            self.conf.oslo_messaging_rabbit.ssl_enforce_hostname_verification)
+
+    @mock.patch('oslo_messaging._drivers.impl_rabbit.Connection'
+                '.ensure_connection')
+    @mock.patch('kombu.connection.Connection')
+    @mock.patch('oslo_messaging._drivers.impl_rabbit.LOG')
+    @mock.patch(
+        'oslo_messaging._drivers.impl_rabbit.importlib.metadata.version',
+        return_value='5.2.0')
+    def test_multi_host_kombu_5_2_uses_hostname_substitution(
+            self, mock_version, mock_log, connection_klass, fake_ensure):
+        self.config(ssl=True, ssl_ca_file='foobar',
+                    group='oslo_messaging_rabbit')
+        transport = oslo_messaging.get_transport(
+            self.conf, 'rabbit://host1:5672,host2:5672//')
+        self.addCleanup(transport.cleanup)
+
+        transport._driver._get_connection()
+
+        ssl_params = connection_klass.call_args.kwargs['ssl']
+        self.assertIsNone(ssl_params['server_hostname'])
+        mock_log.warning.assert_not_called()
+
+    @mock.patch('oslo_messaging._drivers.impl_rabbit.Connection'
+                '.ensure_connection')
+    @mock.patch('kombu.connection.Connection')
+    @mock.patch('oslo_messaging._drivers.impl_rabbit.LOG')
+    @mock.patch(
+        'oslo_messaging._drivers.impl_rabbit.importlib.metadata.version',
+        return_value='5.1.0')
+    def test_multi_host_old_kombu_warns_and_uses_first_hostname(
+            self, mock_version, mock_log, connection_klass, fake_ensure):
+        self.config(ssl=True, ssl_ca_file='foobar',
+                    group='oslo_messaging_rabbit')
+        transport = oslo_messaging.get_transport(
+            self.conf, 'rabbit://host1:5672,host2:5672//')
+        self.addCleanup(transport.cleanup)
+
+        transport._driver._get_connection()
+
+        ssl_params = connection_klass.call_args.kwargs['ssl']
+        self.assertEqual('host1', ssl_params['server_hostname'])
+        mock_log.warning.assert_called_once()
+        self.assertIn('Multi-host RabbitMQ TLS',
+                      mock_log.warning.call_args[0][0])
+
+    @mock.patch('oslo_messaging._drivers.impl_rabbit.Connection'
+                '.ensure_connection')
+    @mock.patch('kombu.connection.Connection')
+    @mock.patch('oslo_messaging._drivers.impl_rabbit.LOG')
+    @mock.patch(
+        'oslo_messaging._drivers.impl_rabbit.importlib.metadata.version',
+        return_value='unknown')
+    def test_multi_host_unparsable_kombu_version_warns_first_hostname(
+            self, mock_version, mock_log, connection_klass, fake_ensure):
+        self.config(ssl=True, ssl_ca_file='foobar',
+                    group='oslo_messaging_rabbit')
+        transport = oslo_messaging.get_transport(
+            self.conf, 'rabbit://host1:5672,host2:5672//')
+        self.addCleanup(transport.cleanup)
+
+        transport._driver._get_connection()
+
+        ssl_params = connection_klass.call_args.kwargs['ssl']
+        self.assertEqual('host1', ssl_params['server_hostname'])
+        mock_log.warning.assert_called_once()
+
+    @mock.patch('oslo_messaging._drivers.impl_rabbit.Connection'
+                '.ensure_connection')
+    @mock.patch('kombu.connection.Connection')
+    def test_enforcement_disabled_omits_server_hostname(self, connection_klass,
+                                                        fake_ensure):
+        self.config(ssl=True, ssl_ca_file='foobar',
+                    ssl_enforce_hostname_verification=False,
+                    group='oslo_messaging_rabbit')
+        transport = oslo_messaging.get_transport(
+            self.conf, 'rabbit://host1:5672//')
+        self.addCleanup(transport.cleanup)
+
+        transport._driver._get_connection()
+
+        ssl_params = connection_klass.call_args.kwargs['ssl']
+        self.assertNotIn('server_hostname', ssl_params)
+
+    @mock.patch('oslo_messaging._drivers.impl_rabbit.Connection'
+                '.ensure_connection')
+    @mock.patch('kombu.connection.Connection')
+    def test_single_host_uses_hostname(self, connection_klass, fake_ensure):
+        self.config(ssl=True, ssl_ca_file='foobar',
+                    group='oslo_messaging_rabbit')
+        transport = oslo_messaging.get_transport(
+            self.conf, 'rabbit://host1:5672//')
+        self.addCleanup(transport.cleanup)
+
+        transport._driver._get_connection()
+
+        ssl_params = connection_klass.call_args.kwargs['ssl']
+        self.assertEqual('host1', ssl_params['server_hostname'])
+
+    @mock.patch('oslo_messaging._drivers.impl_rabbit.Connection'
+                '.ensure_connection')
+    @mock.patch('kombu.connection.Connection')
+    @mock.patch(
+        'oslo_messaging._drivers.impl_rabbit.importlib.metadata.version',
+        return_value='5.1.0')
+    def test_multi_host_old_kombu_allowed_without_enforcement(
+            self, mock_version, connection_klass, fake_ensure):
+        self.config(ssl=True, ssl_ca_file='foobar',
+                    ssl_enforce_hostname_verification=False,
+                    group='oslo_messaging_rabbit')
+        transport = oslo_messaging.get_transport(
+            self.conf, 'rabbit://host1:5672,host2:5672//')
+        self.addCleanup(transport.cleanup)
+        transport._driver._get_connection()
+
+        ssl_params = connection_klass.call_args.kwargs['ssl']
+        self.assertNotIn('server_hostname', ssl_params)
+
+    @mock.patch('oslo_messaging._drivers.impl_rabbit.Connection'
+                '.ensure_connection')
+    @mock.patch('kombu.connection.Connection')
+    def test_multi_host_unknown_kombu_allowed_without_enforcement(
+            self, connection_klass, fake_ensure):
+        self.config(ssl=True, ssl_ca_file='foobar',
+                    ssl_enforce_hostname_verification=False,
+                    group='oslo_messaging_rabbit')
+        transport = oslo_messaging.get_transport(
+            self.conf, 'rabbit://host1:5672,host2:5672//')
+        self.addCleanup(transport.cleanup)
+        transport._driver._get_connection()
+
+        ssl_params = connection_klass.call_args.kwargs['ssl']
+        self.assertNotIn('server_hostname', ssl_params)
+
+    @mock.patch('oslo_messaging._drivers.impl_rabbit.Connection'
+                '.ensure_connection')
+    @mock.patch('kombu.connection.Connection')
+    def test_ssl_without_ca_does_not_check_hostname(self, connection_klass,
+                                                    fake_ensure):
+        self.config(ssl=True, group='oslo_messaging_rabbit')
+        transport = oslo_messaging.get_transport(
+            self.conf, 'rabbit://host1:5672,host2:5672//')
+        self.addCleanup(transport.cleanup)
+
+        transport._driver._get_connection()
+
+        self.assertIs(True, connection_klass.call_args.kwargs['ssl'])
+
+
 class TestRabbitPublisher(test_utils.BaseTestCase):
     @mock.patch('kombu.messaging.Producer.publish')
     def test_send(self, fake_publish):
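Review bot: `test_multi_host_unknown_kombu_allowed_without_enforcement` never makes the Kombu version unknown: unlike the "old kombu" variant above it, it does not patch `importlib.metadata.version`, and with `ssl_enforce_hostname_verification=False` the driver does not call `_get_ssl_server_hostname` at all, so it repeats the previous test. Either patch the lookup with `return_value='unknown'` and assert the mock was not called, or drop the test. Two cases are missing from `TestRabbitDriverSSLHostname`: a transport URL with no hosts while `ssl_ca_file` is set, and a version lookup that raises rather than returning an unparsable string.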
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oslo_messaging-17.3.0/oslo_messaging/tests/notify/test_logger.py 
new/oslo_messaging-18.1.0/oslo_messaging/tests/notify/test_logger.py
--- old/oslo_messaging-17.3.0/oslo_messaging/tests/notify/test_logger.py        
2026-02-18 14:45:04.000000000 +0100
+++ new/oslo_messaging-18.1.0/oslo_messaging/tests/notify/test_logger.py        
2026-05-20 10:57:32.000000000 +0200
@@ -61,8 +61,8 @@
                         return_value=fake_transport):
             self.logger = oslo_messaging.LoggingNotificationHandler('test://')
 
-        mock_utcnow.return_value = datetime.datetime.utcnow().replace(
-            tzinfo=None)
+        mock_utcnow.return_value = datetime.datetime.now(
+            datetime.timezone.utc).replace(tzinfo=None)
 
         levelno = getattr(logging, self.priority.upper(), 42)
 
@@ -122,8 +122,8 @@
                 },
             })
 
-        mock_utcnow.return_value = datetime.datetime.utcnow().replace(
-            tzinfo=None)
+        mock_utcnow.return_value = datetime.datetime.now(
+            datetime.timezone.utc).replace(tzinfo=None)
 
         levelno = getattr(logging, self.priority.upper())
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oslo_messaging-17.3.0/oslo_messaging/tests/notify/test_notifier.py 
new/oslo_messaging-18.1.0/oslo_messaging/tests/notify/test_notifier.py
--- old/oslo_messaging-17.3.0/oslo_messaging/tests/notify/test_notifier.py      
2026-02-18 14:45:04.000000000 +0100
+++ new/oslo_messaging-18.1.0/oslo_messaging/tests/notify/test_notifier.py      
2026-05-20 10:57:32.000000000 +0200
@@ -187,7 +187,8 @@
         message_id = uuid.uuid4()
         uuid.uuid4 = mock.Mock(return_value=message_id)
 
-        mock_utcnow.return_value = datetime.datetime.utcnow()
+        mock_utcnow.return_value = datetime.datetime.now(
+            datetime.timezone.utc).replace(tzinfo=None)
 
         message = {
             'message_id': str(message_id),
@@ -326,7 +327,8 @@
         message_id = uuid.uuid4()
         uuid.uuid4 = mock.Mock(return_value=message_id)
 
-        mock_utcnow.return_value = datetime.datetime.utcnow()
+        mock_utcnow.return_value = datetime.datetime.now(
+            datetime.timezone.utc).replace(tzinfo=None)
 
         serializer.serialize_context = mock.Mock()
         serializer.serialize_context.return_value = dict(user_name='alice')
@@ -395,7 +397,8 @@
         uuid.uuid4 = mock.Mock()
         uuid.uuid4.return_value = message_id
 
-        mock_utcnow.return_value = datetime.datetime.utcnow()
+        mock_utcnow.return_value = datetime.datetime.now(
+            datetime.timezone.utc).replace(tzinfo=None)
 
         logger = mock.Mock()
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oslo_messaging-17.3.0/oslo_messaging/version.py 
new/oslo_messaging-18.1.0/oslo_messaging/version.py
--- old/oslo_messaging-17.3.0/oslo_messaging/version.py 2026-02-18 
14:45:04.000000000 +0100
+++ new/oslo_messaging-18.1.0/oslo_messaging/version.py 2026-05-20 
10:57:32.000000000 +0200
@@ -12,7 +12,14 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import warnings
 
 import pbr.version
 
+warnings.warn(
+    f'The {__name__} module is deprecated. Prefer use of importlib.metadata '
+    f'to inspect version information for packages.',
+    DeprecationWarning,
+)
+
 version_info = pbr.version.VersionInfo('oslo.messaging')
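Review bot: The module-level `warnings.warn(...)` is issued without `stacklevel`, so the warning is attributed to `oslo_messaging/version.py` itself rather than to the code that imported it. Filters that key on the triggering module will then not surface it to the importer. Adding `stacklevel=2,` after `DeprecationWarning,` points it at the importing module. The second string literal carries an `f` prefix but has no placeholder and can be a plain string.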
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oslo_messaging-17.3.0/releasenotes/notes/deprecate-version-module-d7200868a8066b0e.yaml
 
new/oslo_messaging-18.1.0/releasenotes/notes/deprecate-version-module-d7200868a8066b0e.yaml
--- 
old/oslo_messaging-17.3.0/releasenotes/notes/deprecate-version-module-d7200868a8066b0e.yaml
 1970-01-01 01:00:00.000000000 +0100
+++ 
new/oslo_messaging-18.1.0/releasenotes/notes/deprecate-version-module-d7200868a8066b0e.yaml
 2026-05-20 10:57:32.000000000 +0200
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    The ``oslo_messaging.version`` module and associated objects has been
+    deprecated for removal. Prefer use of ``importlib.metadata`` to inspect
+    version information for installed packages.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oslo_messaging-17.3.0/releasenotes/notes/rabbit-ssl-hostname-verification-option.yaml
 
new/oslo_messaging-18.1.0/releasenotes/notes/rabbit-ssl-hostname-verification-option.yaml
--- 
old/oslo_messaging-17.3.0/releasenotes/notes/rabbit-ssl-hostname-verification-option.yaml
   1970-01-01 01:00:00.000000000 +0100
+++ 
new/oslo_messaging-18.1.0/releasenotes/notes/rabbit-ssl-hostname-verification-option.yaml
   2026-05-20 10:57:32.000000000 +0200
@@ -0,0 +1,23 @@
+---
+security:
+  - |
+    Under TLS with ``ssl_ca_file``, oslo.messaging validated the broker
+    certificate chain but did not verify the RabbitMQ broker hostname. A
+    man-in-the-middle attacker with a certificate trusted by that CA could
+    impersonate the broker.
+
+    The RabbitMQ driver now verifies the broker hostname when ``ssl_ca_file``
+    is set and ``[oslo_messaging_rabbit] ssl_enforce_hostname_verification``
+    is enabled. Using ``ssl=true`` without ``ssl_ca_file`` still does not
+    verify the broker hostname.
+
+    The ``ssl_enforce_hostname_verification`` option is deprecated and
+    scheduled for removal after deployments finish migrating; hostname
+    verification should remain enabled.
+
+    For transport URLs with multiple brokers and hostname verification
+    enabled, Kombu 5.2.0 or newer substitutes the active broker hostname for
+    TLS. Older Kombu versions log a warning and use the first configured
+    broker hostname as a best effort; operators should upgrade Kombu or use a
+    certificate (SAN or wildcard) that covers all configured broker
+    hostnames.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oslo_messaging-17.3.0/releasenotes/notes/remove-heartbeat-in-pthread-option-0ffa11bfc07c58e2.yaml
 
new/oslo_messaging-18.1.0/releasenotes/notes/remove-heartbeat-in-pthread-option-0ffa11bfc07c58e2.yaml
--- 
old/oslo_messaging-17.3.0/releasenotes/notes/remove-heartbeat-in-pthread-option-0ffa11bfc07c58e2.yaml
       1970-01-01 01:00:00.000000000 +0100
+++ 
new/oslo_messaging-18.1.0/releasenotes/notes/remove-heartbeat-in-pthread-option-0ffa11bfc07c58e2.yaml
       2026-05-20 10:57:32.000000000 +0200
@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    The deprecated ``heartbeat_in_pthread`` option in the
+    ``[oslo_messaging_rabbit]`` section has been removed. Operators should
+    remove this option from their configuration files.
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oslo_messaging-17.3.0/releasenotes/source/2026.1.rst 
new/oslo_messaging-18.1.0/releasenotes/source/2026.1.rst
--- old/oslo_messaging-17.3.0/releasenotes/source/2026.1.rst    1970-01-01 
01:00:00.000000000 +0100
+++ new/oslo_messaging-18.1.0/releasenotes/source/2026.1.rst    2026-05-20 
10:57:32.000000000 +0200
@@ -0,0 +1,6 @@
+===========================
+2026.1 Series Release Notes
+===========================
+
+.. release-notes::
+   :branch: stable/2026.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oslo_messaging-17.3.0/releasenotes/source/index.rst 
new/oslo_messaging-18.1.0/releasenotes/source/index.rst
--- old/oslo_messaging-17.3.0/releasenotes/source/index.rst     2026-02-18 
14:45:04.000000000 +0100
+++ new/oslo_messaging-18.1.0/releasenotes/source/index.rst     2026-05-20 
10:57:32.000000000 +0200
@@ -6,6 +6,7 @@
    :maxdepth: 1
 
    unreleased
+   2026.1
    2025.2
    2025.1
    2024.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oslo_messaging-17.3.0/tox.ini 
new/oslo_messaging-18.1.0/tox.ini
--- old/oslo_messaging-17.3.0/tox.ini   2026-02-18 14:45:04.000000000 +0100
+++ new/oslo_messaging-18.1.0/tox.ini   2026-05-20 10:57:32.000000000 +0200
@@ -1,5 +1,5 @@
 [tox]
-minversion = 3.18.0
+minversion = 4.28.0
 envlist = py3, pep8
 
 [testenv]
@@ -7,8 +7,9 @@
   OS_*
   ZUUL_CACHE_DIR
   REQUIREMENTS_PIP_LOCATION
+constraints =
+  
{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
 deps =
-  
-c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
   -r{toxinidir}/test-requirements.txt
   -r{toxinidir}/requirements.txt
 commands =
@@ -36,9 +37,9 @@
 commands = {posargs}
 
 [testenv:docs]
-allowlist_externals = rm
+allowlist_externals =
+  rm
 deps =
-  
-c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
   -r{toxinidir}/doc/requirements.txt
 commands =
   rm -fr doc/build
@@ -88,12 +89,10 @@
 [testenv:releasenotes]
 allowlist_externals =
   rm
+deps = {[testenv:docs]deps}
 commands =
   rm -rf releasenotes/build
   sphinx-build -a -E -W -d releasenotes/build/doctrees --keep-going -b html 
releasenotes/source releasenotes/build/html
-deps =
-  
-c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
-  -r{toxinidir}/doc/requirements.txt
 
 [testenv:bindep]
 deps =
