Debian Patches

Status for cyborg/14.0.0-3+deb13u1

Patch Description Author Forwarded Bugs Origin Last update
install-missing-files.patch install missing files
===================================================================
Thomas Goirand <zigo@debian.org> not-needed 2024-09-03
CVE-2026-40213_CVE-2026-40214_1_Use_common_checks.check_policy_json_from_oslo.upgradecheck.patch The hand-rolled _check_policy_json in cyborg-status fails with
NoSuchOptError because oslo_policy config options are never
registered. Replace it with common_checks.check_policy_json
from oslo.upgradecheck[1] which handles option registration
internally.
.
[1] https://review.opendev.org/c/openstack/oslo.upgradecheck/+/763484
.

diff --git a/cyborg/cmd/status.py b/cyborg/cmd/status.py
index 63925b7..069493d 100644
Chandan Kumar (raukadah) <chkumar@redhat.com> yes debian upstream upstream, https://review.opendev.org/c/openstack/cyborg/+/980294 2026-05-11
CVE-2026-40213_CVE-2026-40214_2_Fix_cyborg-status_upgrade_check_tests.patch CVE-2026-40213 / CVE-2026-40214: Fix cyborg-status upgrade check tests Move the flags() config-override helper from the API-specific
BaseApiTest up to cyborg.tests.base.TestCase so all unit tests
can use it. This is needed by TestUpgradeCheckPolicyJSON which
inherits from base.TestCase, not BaseApiTest.
.
Also clear the policy_file config override set by PolicyFixture
at the start of TestUpgradeCheckPolicyJSON.setUp so that
common_checks.check_policy_json starts from a clean slate
instead of seeing the fixture's policy file.
.

===================================================================
Sean Mooney <work@seanmooney.info> no debian upstream, https://review.opendev.org/c/openstack/cyborg/+/987698 2026-05-11
CVE-2026-40213_CVE-2026-40214_3_Fix_rule-allow_policy_bypass_on_device_deployable_attribute_APIs.patch CVE-2026-40213 / CVE-2026-40214: Fix rule:allow policy bypass on device/deployable/attribute APIs Ten API endpoints in cyborg/common/policy.py used check_str='rule:allow'
(@), which unconditionally authorises any authenticated Keystone user
regardless of role, project membership, or scope. This allowed any
tenant to enumerate the full accelerator hardware topology and trigger
privileged operations including FPGA reprogramming and hardware metadata
mutation.
.
Replace the unconditional rule:allow with role-checked rules available
on all maintained stable branches:
.
cyborg:arq:create rule:allow -> rule:project_member_or_admin
cyborg:device:get_one rule:allow -> rule:admin_api
cyborg:device:get_all rule:allow -> rule:admin_api
cyborg:deployable:get_one rule:allow -> rule:admin_api
cyborg:deployable:get_all rule:allow -> rule:admin_api
cyborg:deployable:program rule:allow -> rule:admin_api
cyborg:attribute:get_one rule:allow -> rule:admin_api
cyborg:attribute:get_all rule:allow -> rule:admin_api
cyborg:attribute:create rule:allow -> rule:admin_api
cyborg:attribute:delete rule:allow -> rule:admin_api
.
arq:create receives project_member_or_admin rather than admin_api
because Nova forwards the end-user token when creating ARQs; admin_api
would break all non-admin instance launches.
.
Also remove the dead fpga_policies group (cyborg:fpga:{get_one,
get_all,update}) whose rules were registered but never evaluated at
runtime as no /v2/fpgas endpoint exists.
.
Add unit tests in cyborg/tests/unit/policies/ covering authorised and
unauthorised contexts for each affected endpoint group, following the
pattern established by test_device_profiles.py.
.
CVE-2026-40213
.

diff --git a/.zuul.yaml b/.zuul.yaml
index 493f548..c494844 100644
Sean Mooney <work@seanmooney.info> yes debian upstream upstream, https://review.opendev.org/c/openstack/cyborg/+/987699 2026-05-11
CVE-2026-40213_CVE-2026-40214_4_Set_project_id_on_ARQ_creation_and_binding.patch CVE-2026-40213 / CVE-2026-40214: Set project_id on ARQ creation and binding Cyborg never sets project_id when creating or binding ARQs,
leaving the column NULL for every ARQ ever created. This is
the first step in fixing the cross-tenant ARQ access
vulnerability.
.
Set project_id unconditionally from context.project_id at
creation time. Default project_id to context.project_id
during binding (PATCH). For microversion 2.1+, reject
non-admin callers who provide a project_id that differs
from their token's project (fixes project_id spoofing).

diff --git a/cyborg/api/controllers/v2/arqs.py b/cyborg/api/controllers/v2/arqs.py
index aea1dd0..801948c 100644
Sean Mooney <work@seanmooney.info> yes debian upstream upstream, https://review.opendev.org/c/openstack/cyborg/+/987700 2026-05-11
CVE-2026-40213_CVE-2026-40214_5_Refactor_session_handling_and_align_test_contexts.patch CVE-2026-40213 / CVE-2026-40214: Refactor session handling and align test contexts This change refactors database session management and aligns unit
tests with the production DB context handling.
.
- Replace _session_for_read() and _session_for_write() helpers with
@main_context_manager.reader / @main_context_manager.writer decorators
to simplify and standardize DB access.
- Update DB API methods to use context.session directly and rely on
centralized transaction management through enginefacade.
- Switch tests to use cyborg.context.RequestContext instead of
oslo_context.RequestContext for consistent context propagation.
.
Stable-Only:
python 3.9 and 3.12 differ in how they handel autospec when there
are context managers that use functools.wraps
this change was modifed to resolve that.

===================================================================
Sooyoung Kim <sykim.etri@gmail.com> yes debian upstream upstream, https://review.opendev.org/c/openstack/cyborg/+/984700 2026-05-11
CVE-2026-40213_CVE-2026-40214_6_Add_project_id_backfill_for_existing_ARQs.patch CVE-2026-40213 / CVE-2026-40214: Add project_id backfill for existing ARQs All existing ARQs have project_id=NULL because it was never
set (see previous commit). Add two mechanisms to heal this:
.
1. cyborg-dbsync online_data_migrations: operator-run bulk
backfill that queries Nova for each bound ARQ's instance
project_id.
2. Conductor startup heal: automatic heal on service start
for any remaining NULL project_id ARQs.
.
Unbound ARQs without instance_uuid cannot be healed and
remain admin-only after enforcement is enabled.

===================================================================
Sean Mooney <work@seanmooney.info> yes debian upstream https://review.opendev.org/c/openstack/cyborg/+/987701 2025-05-11
CVE-2026-40213_CVE-2026-40214_7_Enforce_project-scoped_access_for_ARQs.patch CVE-2026-40213 / CVE-2026-40214: Enforce project-scoped access for ARQs Add project_id filtering to all ARQ database queries so
non-admin users can only see and modify ARQs in their own
project. The object layer passes project_id to the DB layer
for non-admin contexts; admins bypass the filter.
.
ARQs with NULL project_id (not yet healed) are only visible
to admins. Fix get_one to use need_target=False so it works
for non-admin users (broken since 82fd155, 2019).
.

===================================================================
Sean Mooney <work@seanmooney.info> yes debian upstream upstream, https://review.opendev.org/c/openstack/cyborg/+/987702 2026-05-11
CVE-2026-40213_CVE-2026-40214_8_Require_service_token_for_bound_ARQ_operations.patch CVE-2026-40213 / CVE-2026-40214: Require service token for bound ARQ operations Users should not be able to directly delete or unbind ARQs
that are bound to instances. Only Nova, identified by a
valid service token, should perform these operations as
part of instance lifecycle.
.
Add is_service_request() check (following Cinder's
OSSA-2023-003 pattern) hardcoded in the API layer so it
cannot be bypassed via policy overrides. Unbound ARQs can
still be deleted by their owner without a service token.
.
Requires Nova [service_user] send_service_user_token=true
and Cyborg [keystone_authtoken]
service_token_roles_required=true.
.
CVE-2026-40214

diff --git a/cyborg/api/controllers/v2/arqs.py b/cyborg/api/controllers/v2/arqs.py
index 955714d..acd0713 100644
Sean Mooney <work@seanmooney.info> yes debian upstream upstream, https://review.opendev.org/c/openstack/cyborg/+/987703 2026-05-11

All known versions for source package 'cyborg'

Links