diff -Nru python-openstackclient-5.2.0/debian/changelog python-openstackclient-5.2.0/debian/changelog
--- python-openstackclient-5.2.0/debian/changelog	2022-07-06 05:36:00.000000000 +0000
+++ python-openstackclient-5.2.0/debian/changelog	2024-02-20 13:12:46.000000000 +0000
@@ -1,3 +1,15 @@
+python-openstackclient (5.2.0-0ubuntu1.20.04.2) focal-security; urgency=medium
+
+  * SECURITY UPDATE: deleting a non existing access rule deletes another
+    existing access rule
+    - debian/patches/CVE-2023-6110.patch: fix access rule commands to only
+      use ID in openstackclient/identity/common.py,
+      openstackclient/identity/v3/access_rule.py,
+      openstackclient/tests/unit/identity/v3/test_access_rule.py.
+    - CVE-2023-6110
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 20 Feb 2024 08:12:46 -0500
+
 python-openstackclient (5.2.0-0ubuntu1.20.04.1) focal; urgency=medium
 
   * compute: Add missing options for 'server group list' (LP: #1980801)
diff -Nru python-openstackclient-5.2.0/debian/patches/CVE-2023-6110.patch python-openstackclient-5.2.0/debian/patches/CVE-2023-6110.patch
--- python-openstackclient-5.2.0/debian/patches/CVE-2023-6110.patch	1970-01-01 00:00:00.000000000 +0000
+++ python-openstackclient-5.2.0/debian/patches/CVE-2023-6110.patch	2024-02-20 13:12:33.000000000 +0000
@@ -0,0 +1,142 @@
+Backport of:
+
+From bc60e3bb908a7f10c87993d791184bfe46784d6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= <dmendiza@redhat.com>
+Date: Wed, 31 May 2023 16:00:02 -0500
+Subject: [PATCH] Fix "access rule" commands to only use ID
+
+This patch modifies the access rule commands to use only the resource
+ID.  The previous logic incorrectly assumed that access rules have a
+"name" property, which resulted in unexpected behaviors.
+
+For example, "access rule delete {non-existent-id}" now results in a
+"not found" error instead of sometimes deleting an unrelated rule.
+
+Story: 2010775
+Task: 48163
+Change-Id: Ib5c3b7f86acf1dfe7cc76dfa99fa4c118388bd71
+---
+ openstackclient/identity/common.py            | 12 ++++++++++
+ openstackclient/identity/v3/access_rule.py    |  8 +++----
+ .../unit/identity/v3/test_access_rule.py      | 24 ++++++++-----------
+ .../fix-story-2010775-953dbdf03b2b6746.yaml   |  8 +++++++
+ 4 files changed, 34 insertions(+), 18 deletions(-)
+ create mode 100644 releasenotes/notes/fix-story-2010775-953dbdf03b2b6746.yaml
+
+#--- /dev/null
+#+++ b/releasenotes/notes/fix-story-2010775-953dbdf03b2b6746.yaml
+#@@ -0,0 +1,8 @@
+#+---
+#+fixes:
+#+  - |
+#+    Fixed a bug in "access rule" subcommands where the client logic incorrectly
+#+    assumed that access rules have a "name" property which resulted in
+#+    unpredictable behaviors.  e.g. "access rule delete {non-existent-id}" now
+#+    results in a not-found error instead of sometimes deleting an unrelated
+#+    rule.
+--- a/openstackclient/identity/common.py
++++ b/openstackclient/identity/common.py
+@@ -87,6 +87,18 @@ def get_resource(manager, name_type_or_i
+         raise exceptions.CommandError(msg % name_type_or_id)
+ 
+ 
++def get_resource_by_id(manager, resource_id):
++    """Get resource by ID
++
++    Raises CommandError if the resource is not found
++    """
++    try:
++        return manager.get(resource_id)
++    except identity_exc.NotFound:
++        msg = _("Resource with id {} not found")
++        raise exceptions.CommandError(msg.format(resource_id))
++
++
+ def _get_token_resource(client, resource, parsed_name, parsed_domain=None):
+     """Peek into the user's auth token to get resource IDs
+ 
+--- a/openstackclient/identity/v3/access_rule.py
++++ b/openstackclient/identity/v3/access_rule.py
+@@ -38,7 +38,7 @@ class DeleteAccessRule(command.Command):
+             'access_rule',
+             metavar='<access-rule>',
+             nargs="+",
+-            help=_('Access rule(s) to delete (name or ID)'),
++            help=_('Access rule ID(s) to delete'),
+         )
+         return parser
+ 
+@@ -48,7 +48,7 @@ class DeleteAccessRule(command.Command):
+         errors = 0
+         for ac in parsed_args.access_rule:
+             try:
+-                access_rule = utils.find_resource(
++                access_rule = common.get_resource_by_id(
+                     identity_client.access_rules, ac)
+                 identity_client.access_rules.delete(access_rule.id)
+             except Exception as e:
+@@ -104,14 +104,14 @@ class ShowAccessRule(command.ShowOne):
+         parser.add_argument(
+             'access_rule',
+             metavar='<access-rule>',
+-            help=_('Access rule to display (name or ID)'),
++            help=_('Access rule ID to display'),
+         )
+         return parser
+ 
+     def take_action(self, parsed_args):
+         identity_client = self.app.client_manager.identity
+-        access_rule = utils.find_resource(identity_client.access_rules,
+-                                          parsed_args.access_rule)
++        access_rule = common.get_resource_by_id(identity_client.access_rules,
++                                                parsed_args.access_rule)
+ 
+         access_rule._info.pop('links', None)
+ 
+--- a/openstackclient/tests/unit/identity/v3/test_access_rule.py
++++ b/openstackclient/tests/unit/identity/v3/test_access_rule.py
+@@ -15,9 +15,8 @@
+ 
+ import copy
+ 
+-import mock
++from keystoneclient import exceptions as identity_exc
+ from osc_lib import exceptions
+-from osc_lib import utils
+ 
+ from openstackclient.identity.v3 import access_rule
+ from openstackclient.tests.unit import fakes
+@@ -69,10 +68,13 @@ class TestAccessRuleDelete(TestAccessRul
+         )
+         self.assertIsNone(result)
+ 
+-    @mock.patch.object(utils, 'find_resource')
+-    def test_delete_multi_access_rules_with_exception(self, find_mock):
+-        find_mock.side_effect = [self.access_rules_mock.get.return_value,
+-                                 exceptions.CommandError]
++    def test_delete_multi_access_rules_with_exception(self):
++        # mock returns for common.get_resource_by_id
++        mock_get = self.access_rules_mock.get
++        mock_get.side_effect = [
++            mock_get.return_value,
++            identity_exc.NotFound,
++        ]
+         arglist = [
+             identity_fakes.access_rule_id,
+             'nonexistent_access_rule',
+@@ -89,12 +91,10 @@ class TestAccessRuleDelete(TestAccessRul
+             self.assertEqual('1 of 2 access rules failed to'
+                              ' delete.', str(e))
+ 
+-        find_mock.assert_any_call(self.access_rules_mock,
+-                                  identity_fakes.access_rule_id)
+-        find_mock.assert_any_call(self.access_rules_mock,
+-                                  'nonexistent_access_rule')
++        mock_get.assert_any_call(identity_fakes.access_rule_id)
++        mock_get.assert_any_call('nonexistent_access_rule')
+ 
+-        self.assertEqual(2, find_mock.call_count)
++        self.assertEqual(2, mock_get.call_count)
+         self.access_rules_mock.delete.assert_called_once_with(
+             identity_fakes.access_rule_id)
+ 
diff -Nru python-openstackclient-5.2.0/debian/patches/series python-openstackclient-5.2.0/debian/patches/series
--- python-openstackclient-5.2.0/debian/patches/series	2022-07-06 05:36:00.000000000 +0000
+++ python-openstackclient-5.2.0/debian/patches/series	2024-02-20 13:11:38.000000000 +0000
@@ -1 +1,2 @@
 compute-Add-missing-options-for-server-group-list.patch
+CVE-2023-6110.patch