-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 11 May 2026 10:36:13 +0200
Source: cyborg
Architecture: source
Version: 16.0.0+git+2026.04.26.b8edfa06f1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Changes:
cyborg (16.0.0+git+2026.04.26.b8edfa06f1-1) unstable; urgency=medium
.
* New upstream release based on top of stable branch. Includes CVE fixes:
CVE-2026-40213: Cyborg uses rule:allow (check_str='@') as the default
policy for multiple API endpoints. This unconditionally authorizes any
request carrying a valid Keystone token regardless of roles, project
membership, or scope. An authenticated user with zero role assignments can
complete various actions such as reprogramming FPGA bitstreams on arbitrary
compute nodes via agent RPC.
CVE-2026-40214: The Accelerator Request (ARQ) API does not enforce project
ownership at any layer. The project_id column in the database is never
populated (NULL for every ARQ), database queries have no project filtering,
and policy checks are self-referential (the authorize_wsgi decorator
compares the caller's project_id with itself rather than the target
resource). Any authenticated non-admin user can complete various actions
such as deleting ARQs bound to other projects' instances, aka cross-tenant
denial of service.
Checksums-Sha1:
add658fa19011362879bd85ad11b50a249279af2 3409 cyborg_16.0.0+git+2026.04.26.b8edfa06f1-1.dsc
896cb749a612185a4e76dce8809d1cfd1181c209 290384 cyborg_16.0.0+git+2026.04.26.b8edfa06f1.orig.tar.xz
311457e405577c0a633eba34fafc38691e75fbeb 7188 cyborg_16.0.0+git+2026.04.26.b8edfa06f1-1.debian.tar.xz
db440ef5c7099eb8b3607ebcb354a449cf6816ee 21489 cyborg_16.0.0+git+2026.04.26.b8edfa06f1-1_amd64.buildinfo
Checksums-Sha256:
cd009bd2cc2fcbbb9eb6c5b39b2e084737a2bb008b7904bb99279002d14eff02 3409 cyborg_16.0.0+git+2026.04.26.b8edfa06f1-1.dsc
76492a3ef588058bb9f24c0600fb9a06db495c305e99b41d54df4f500f6f14a9 290384 cyborg_16.0.0+git+2026.04.26.b8edfa06f1.orig.tar.xz
f340e5bbe7322d2a8a294dd6df4b2a3be911a198830694e902b3d9a7106bbd47 7188 cyborg_16.0.0+git+2026.04.26.b8edfa06f1-1.debian.tar.xz
2d86173bdfb22672354f5021bafc8cf9defb21daf823fc84a9347c4324e005af 21489 cyborg_16.0.0+git+2026.04.26.b8edfa06f1-1_amd64.buildinfo
Files:
4540341bc78b56447dd79f8a72d37c48 3409 net optional cyborg_16.0.0+git+2026.04.26.b8edfa06f1-1.dsc
337bd3506a19c89fa71bc9366374a3f6 290384 net optional cyborg_16.0.0+git+2026.04.26.b8edfa06f1.orig.tar.xz
9af3cf1fc0d38283efddd635a6753625 7188 net optional cyborg_16.0.0+git+2026.04.26.b8edfa06f1-1.debian.tar.xz
22bdf57a7831ac6ab8166bf2af4b41e7 21489 net optional cyborg_16.0.0+git+2026.04.26.b8edfa06f1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
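The two CVE entries in the changelog above describe the same root cause from two angles: an oslo.policy default of `rule:allow` (check string `@`, which is an unconditional TrueCheck) and an ownership rule whose target is built from the caller's own context instead of the resource. The following is an added example, not code from Cyborg, oslo.policy or the Debian package: a deliberately simplified evaluator for oslo.policy-style check strings (`@`, `!`, `role:X`, `project_id:%(project_id)s`, joined with `and`/`or`) used to show why each pattern authorizes a cross-project caller, and what the same rule returns once the target is the resource. The tokens, ARQ records, rule names and function names are constructed for the illustration.

```python
# Added example: a toy model of oslo.policy check-string evaluation, used to
# show the two failure modes named in the changelog. It is NOT the oslo.policy
# library and NOT Cyborg's authorize_wsgi decorator; the semantics modelled are
# only '@' (always allow), '!' (always deny), 'role:<name>', and generic
# '<kind>:%(attr)s' checks that compare a caller credential with a target attribute.

# Constructed sample data (hypothetical, not from any real deployment).
TOKEN_NO_ROLES = {"user_id": "u-1", "project_id": "proj-a", "roles": []}
TOKEN_MEMBER_B = {"user_id": "u-2", "project_id": "proj-b", "roles": ["member"]}
ARQ_PROJECT_A = {"uuid": "arq-1", "project_id": "proj-a"}
ARQ_UNOWNED = {"uuid": "arq-2", "project_id": None}  # project_id never populated

ALLOW_ALL = "@"                                       # the vulnerable default
OWNER_RULE = "role:admin or project_id:%(project_id)s"  # a resource-scoped rule


def _single(term, target, creds):
    """Evaluate one atomic check against a target (resource) and creds (caller)."""
    if term == "@":
        return True
    if term == "!":
        return False
    kind, _, match = term.partition(":")
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: substitute %(attr)s from the target, compare with creds[kind].
    try:
        expected = match % target
    except (KeyError, TypeError):
        return False  # target lacks the attribute: fail closed
    value = creds.get(kind)
    return value is not None and str(value) == expected


def check(check_str, target, creds):
    """Evaluate 'A and B or C' (no parentheses) the way oslo.policy would."""
    for alternative in check_str.split(" or "):
        if all(_single(t.strip(), target, creds) for t in alternative.split(" and ")):
            return True
    return False


def authorize_self_referential(rule, creds):
    """Vulnerable pattern: the target is built from the caller's own context,
    so project_id:%(project_id)s compares the caller's project with itself."""
    target = {"project_id": creds["project_id"], "user_id": creds["user_id"]}
    return check(rule, target, creds)


def authorize_against_resource(rule, creds, resource):
    """Fixed pattern: the target is the resource actually being acted on."""
    target = {"project_id": resource.get("project_id")}
    return check(rule, target, creds)


def demo():
    """Return the outcomes a reviewer would want to see side by side."""
    return {
        # '@' default: a token with zero role assignments passes any endpoint.
        "allow_all_no_roles": check(ALLOW_ALL, {}, TOKEN_NO_ROLES),
        # Self-referential target: a proj-b member 'owns' an ARQ that belongs to proj-a.
        "self_ref_cross_tenant": authorize_self_referential(OWNER_RULE, TOKEN_MEMBER_B),
        # Resource-scoped target: cross-tenant denied, real owner allowed.
        "resource_cross_tenant": authorize_against_resource(OWNER_RULE, TOKEN_MEMBER_B, ARQ_PROJECT_A),
        "resource_owner": authorize_against_resource(OWNER_RULE, TOKEN_NO_ROLES, ARQ_PROJECT_A),
        # NULL project_id in the row: the scoped rule fails closed for every non-admin,
        # which is why the fix also has to populate project_id, not just change the rule.
        "resource_unowned": authorize_against_resource(OWNER_RULE, TOKEN_MEMBER_B, ARQ_UNOWNED),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

On a deployed installation the equivalent audit is to dump the effective defaults with `oslopolicy-sample-generator --namespace cyborg` and look for rules whose check string is `"@"`, then confirm for each ownership rule that the enforcement call passes the stored resource (with a populated `project_id`) as the target rather than the request context.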