[PKG-Openstack-devel] Bug#827886: Bug#827886: ironic: CVE-2016-4985: Ironic node information including credentials exposed to unauthenticated users

Thomas Goirand zigo at debian.org
Wed Jun 22 09:17:44 UTC 2016


On 06/22/2016 07:57 AM, Salvatore Bonaccorso wrote:
> Source: ironic
> Version: 1:5.1.0-1
> Severity: grave
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for ironic.
> 
> Setting severity to grave, since it looks like it would allow exposing
> credentials to unauthenticated users.
> 
> CVE-2016-4985[0]:
> Ironic node information including credentials exposed to unauthenticated users
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-4985
> [1] http://www.openwall.com/lists/oss-security/2016/06/21/6
> 
> Regards,
> Salvatore

FYI, I pushed upstream new releases which include the fixes:
- 5.1.2 to Sid (with urgency high)
- 4.2.5 to jessie-backports.

Please update the tracker.

Ironic isn't in Stable (because at the time of the freeze, Nova didn't
have support for it, so it was useless).

Cheers,

Thomas Goirand (zigo)