Debian Patches
Status for cyborg/14.0.0-3+deb13u1
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| install-missing-files.patch | install missing files =================================================================== |
Thomas Goirand <zigo@debian.org> | not-needed | 2024-09-03 | ||
| CVE-2026-40213_CVE-2026-40214_1_Use_common_checks.check_policy_json_from_oslo.upgradecheck.patch | The hand-rolled _check_policy_json in cyborg-status fails with NoSuchOptError because oslo_policy config options are never registered. Replace it with common_checks.check_policy_json from oslo.upgradecheck[1] which handles option registration internally. . [1] https://review.opendev.org/c/openstack/oslo.upgradecheck/+/763484 . diff --git a/cyborg/cmd/status.py b/cyborg/cmd/status.py index 63925b7..069493d 100644 |
Chandan Kumar (raukadah) <chkumar@redhat.com> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/cyborg/+/980294 | 2026-05-11 |
| CVE-2026-40213_CVE-2026-40214_2_Fix_cyborg-status_upgrade_check_tests.patch | CVE-2026-40213 / CVE-2026-40214: Fix cyborg-status upgrade check tests Move the flags() config-override helper from the API-specific BaseApiTest up to cyborg.tests.base.TestCase so all unit tests can use it. This is needed by TestUpgradeCheckPolicyJSON which inherits from base.TestCase, not BaseApiTest. . Also clear the policy_file config override set by PolicyFixture at the start of TestUpgradeCheckPolicyJSON.setUp so that common_checks.check_policy_json starts from a clean slate instead of seeing the fixture's policy file. . =================================================================== |
Sean Mooney <work@seanmooney.info> | no | debian | upstream, https://review.opendev.org/c/openstack/cyborg/+/987698 | 2026-05-11 |
| CVE-2026-40213_CVE-2026-40214_3_Fix_rule-allow_policy_bypass_on_device_deployable_attribute_APIs.patch | CVE-2026-40213 / CVE-2026-40214: Fix rule:allow policy bypass on device/deployable/attribute APIs Ten API endpoints in cyborg/common/policy.py used check_str='rule:allow' (@), which unconditionally authorises any authenticated Keystone user regardless of role, project membership, or scope. This allowed any tenant to enumerate the full accelerator hardware topology and trigger privileged operations including FPGA reprogramming and hardware metadata mutation. . Replace the unconditional rule:allow with role-checked rules available on all maintained stable branches: . cyborg:arq:create rule:allow -> rule:project_member_or_admin cyborg:device:get_one rule:allow -> rule:admin_api cyborg:device:get_all rule:allow -> rule:admin_api cyborg:deployable:get_one rule:allow -> rule:admin_api cyborg:deployable:get_all rule:allow -> rule:admin_api cyborg:deployable:program rule:allow -> rule:admin_api cyborg:attribute:get_one rule:allow -> rule:admin_api cyborg:attribute:get_all rule:allow -> rule:admin_api cyborg:attribute:create rule:allow -> rule:admin_api cyborg:attribute:delete rule:allow -> rule:admin_api . arq:create receives project_member_or_admin rather than admin_api because Nova forwards the end-user token when creating ARQs; admin_api would break all non-admin instance launches. . Also remove the dead fpga_policies group (cyborg:fpga:{get_one, get_all,update}) whose rules were registered but never evaluated at runtime as no /v2/fpgas endpoint exists. . Add unit tests in cyborg/tests/unit/policies/ covering authorised and unauthorised contexts for each affected endpoint group, following the pattern established by test_device_profiles.py. . CVE-2026-40213 . diff --git a/.zuul.yaml b/.zuul.yaml index 493f548..c494844 100644 |
Sean Mooney <work@seanmooney.info> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/cyborg/+/987699 | 2026-05-11 |
| CVE-2026-40213_CVE-2026-40214_4_Set_project_id_on_ARQ_creation_and_binding.patch | CVE-2026-40213 / CVE-2026-40214: Set project_id on ARQ creation and binding Cyborg never sets project_id when creating or binding ARQs, leaving the column NULL for every ARQ ever created. This is the first step in fixing the cross-tenant ARQ access vulnerability. . Set project_id unconditionally from context.project_id at creation time. Default project_id to context.project_id during binding (PATCH). For microversion 2.1+, reject non-admin callers who provide a project_id that differs from their token's project (fixes project_id spoofing). diff --git a/cyborg/api/controllers/v2/arqs.py b/cyborg/api/controllers/v2/arqs.py index aea1dd0..801948c 100644 |
Sean Mooney <work@seanmooney.info> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/cyborg/+/987700 | 2026-05-11 |
| CVE-2026-40213_CVE-2026-40214_5_Refactor_session_handling_and_align_test_contexts.patch | CVE-2026-40213 / CVE-2026-40214: Refactor session handling and align test contexts This change refactors database session management and aligns unit tests with the production DB context handling. . - Replace _session_for_read() and _session_for_write() helpers with @main_context_manager.reader / @main_context_manager.writer decorators to simplify and standardize DB access. - Update DB API methods to use context.session directly and rely on centralized transaction management through enginefacade. - Switch tests to use cyborg.context.RequestContext instead of oslo_context.RequestContext for consistent context propagation. . Stable-Only: python 3.9 and 3.12 differ in how they handel autospec when there are context managers that use functools.wraps this change was modifed to resolve that. =================================================================== |
Sooyoung Kim <sykim.etri@gmail.com> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/cyborg/+/984700 | 2026-05-11 |
| CVE-2026-40213_CVE-2026-40214_6_Add_project_id_backfill_for_existing_ARQs.patch | CVE-2026-40213 / CVE-2026-40214: Add project_id backfill for existing ARQs All existing ARQs have project_id=NULL because it was never set (see previous commit). Add two mechanisms to heal this: . 1. cyborg-dbsync online_data_migrations: operator-run bulk backfill that queries Nova for each bound ARQ's instance project_id. 2. Conductor startup heal: automatic heal on service start for any remaining NULL project_id ARQs. . Unbound ARQs without instance_uuid cannot be healed and remain admin-only after enforcement is enabled. =================================================================== |
Sean Mooney <work@seanmooney.info> | yes | debian upstream | https://review.opendev.org/c/openstack/cyborg/+/987701 | 2025-05-11 |
| CVE-2026-40213_CVE-2026-40214_7_Enforce_project-scoped_access_for_ARQs.patch | CVE-2026-40213 / CVE-2026-40214: Enforce project-scoped access for ARQs Add project_id filtering to all ARQ database queries so non-admin users can only see and modify ARQs in their own project. The object layer passes project_id to the DB layer for non-admin contexts; admins bypass the filter. . ARQs with NULL project_id (not yet healed) are only visible to admins. Fix get_one to use need_target=False so it works for non-admin users (broken since 82fd155, 2019). . =================================================================== |
Sean Mooney <work@seanmooney.info> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/cyborg/+/987702 | 2026-05-11 |
| CVE-2026-40213_CVE-2026-40214_8_Require_service_token_for_bound_ARQ_operations.patch | CVE-2026-40213 / CVE-2026-40214: Require service token for bound ARQ operations Users should not be able to directly delete or unbind ARQs that are bound to instances. Only Nova, identified by a valid service token, should perform these operations as part of instance lifecycle. . Add is_service_request() check (following Cinder's OSSA-2023-003 pattern) hardcoded in the API layer so it cannot be bypassed via policy overrides. Unbound ARQs can still be deleted by their owner without a service token. . Requires Nova [service_user] send_service_user_token=true and Cyborg [keystone_authtoken] service_token_roles_required=true. . CVE-2026-40214 diff --git a/cyborg/api/controllers/v2/arqs.py b/cyborg/api/controllers/v2/arqs.py index 955714d..acd0713 100644 |
Sean Mooney <work@seanmooney.info> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/cyborg/+/987703 | 2026-05-11 |
All known versions for source package 'cyborg'
- 16.0.0+git+2026.04.26.b8edfa06f1-1 (forky, sid)
- 14.0.0-3+deb13u1 (trixie-security, trixie-proposed-updates)
- 14.0.0-3 (trixie)
