Debian Package Tracker

cyborg

general
  • source: cyborg (main)
  • version: 16.0.0-2
  • maintainer: Debian OpenStack (DMD)
  • uploaders: Thomas Goirand [DMD]
  • arch: all
  • std-ver: 4.4.1
  • VCS: Git (Browse, QA)
versions
  • stable: 14.0.0-3
  • testing: 16.0.0-2
  • unstable: 16.0.0-2
versioned links
  • 14.0.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 16.0.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • cyborg-agent
  • cyborg-api
  • cyborg-common
  • cyborg-conductor
  • cyborg-doc
  • python3-cyborg
action needed
Marked for autoremoval on 08 June due to diskcache, python-git, starlette: #1134850, #1135349, #1135350, #1135392 (severity: high)
Version 16.0.0-2 of cyborg is marked for autoremoval from testing on Mon 08 Jun 2026. It depends (transitively) on diskcache, python-git, starlette, affected by #1134850, #1135349, #1135350, #1135392. You should try to prevent the removal by fixing these RC bugs.
Created: 2026-05-02 Last update: 2026-05-10 06:33
2 security issues in trixie (severity: high)

There are 2 open security issues in trixie.

2 important issues:
  • CVE-2026-40213: OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.
  • CVE-2026-40214: In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.
Created: 2026-05-08 Last update: 2026-05-08 17:30
2 security issues in sid (severity: high)

There are 2 open security issues in sid.

2 important issues:
  • CVE-2026-40213 (described under trixie above)
  • CVE-2026-40214 (described under trixie above)
Created: 2026-05-08 Last update: 2026-05-08 17:30
2 security issues in forky (severity: high)

There are 2 open security issues in forky.

2 important issues:
  • CVE-2026-40213 (described under trixie above)
  • CVE-2026-40214 (described under trixie above)
Created: 2026-05-08 Last update: 2026-05-08 17:30
lintian reports 17 warnings (severity: normal)
Lintian reports 17 warnings about this package. You should make the package lintian-clean by getting rid of them.
Created: 2026-03-27 Last update: 2026-03-27 23:00
Standards version of the package is outdated. (severity: wishlist)
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.4 instead of 4.4.1).
Created: 2024-09-08 Last update: 2026-04-13 16:47
news
  • [2026-04-15] cyborg 16.0.0-2 MIGRATED to testing (Debian testing watch)
  • [2026-04-13] Accepted cyborg 16.0.0-2 (source) into unstable (Thomas Goirand)
  • [2026-04-03] cyborg 16.0.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-01] Accepted cyborg 16.0.0-1 (source) into unstable (Thomas Goirand)
  • [2026-04-01] cyborg 16.0.0~rc2-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-27] Accepted cyborg 16.0.0~rc2-1 (source) into unstable (Thomas Goirand)
  • [2026-03-18] Accepted cyborg 16.0.0~rc1-2 (source) into experimental (Thomas Goirand)
  • [2026-03-17] Accepted cyborg 16.0.0~rc1-1 (source) into experimental (Thomas Goirand)
  • [2025-10-04] cyborg 15.0.0-1 MIGRATED to testing (Debian testing watch)
  • [2025-10-01] Accepted cyborg 15.0.0-1 (source) into unstable (Thomas Goirand)
  • [2025-10-01] cyborg 15.0.0~rc1-3 MIGRATED to testing (Debian testing watch)
  • [2025-09-28] Accepted cyborg 15.0.0~rc1-3 (source) into unstable (Thomas Goirand)
  • [2025-09-18] Accepted cyborg 15.0.0~rc1-2 (source) into experimental (Thomas Goirand)
  • [2025-09-12] Accepted cyborg 15.0.0~rc1-1 (source) into experimental (Thomas Goirand)
  • [2025-07-18] cyborg 14.0.0-3 MIGRATED to testing (Debian testing watch)
  • [2025-07-12] Accepted cyborg 14.0.0-3 (source) into unstable (Thomas Goirand)
  • [2025-04-05] cyborg 14.0.0-2 MIGRATED to testing (Debian testing watch)
  • [2025-04-02] Accepted cyborg 14.0.0-2 (source) into unstable (Thomas Goirand)
  • [2025-04-02] Accepted cyborg 14.0.0-1 (source) into unstable (Thomas Goirand)
  • [2025-03-31] cyborg 14.0.0~rc1-2 MIGRATED to testing (Debian testing watch)
  • [2025-03-28] Accepted cyborg 14.0.0~rc1-2 (source) into unstable (Thomas Goirand)
  • [2025-03-14] Accepted cyborg 14.0.0~rc1-1 (source) into experimental (Thomas Goirand)
  • [2024-12-22] cyborg 13.0.0-2 MIGRATED to testing (Debian testing watch)
  • [2024-12-19] Accepted cyborg 13.0.0-2 (source) into unstable (Thomas Goirand)
  • [2024-10-05] cyborg 13.0.0-1 MIGRATED to testing (Debian testing watch)
  • [2024-10-02] Accepted cyborg 13.0.0-1 (source) into unstable (Thomas Goirand)
  • [2024-09-25] cyborg 13.0.0~rc1-1 MIGRATED to testing (Debian testing watch)
  • [2024-09-23] Accepted cyborg 13.0.0~rc1-1 (source) into unstable (Thomas Goirand)
  • [2024-09-08] Accepted cyborg 12.0.0-1 (source all) into unstable (Debian FTP Masters) (signed by: Thomas Goirand)
bugs
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
ubuntu
  • version: 16.0.0-2
  • 1 bug
