[PKG-Openstack-devel] Bug#827886: Bug#827886: ironic: CVE-2016-4985: Ironic node information including credentials exposed to unauthenticated users

Salvatore Bonaccorso carnil at debian.org
Wed Jun 22 10:52:59 UTC 2016


Hi Thomas,

On Wed, Jun 22, 2016 at 11:17:44AM +0200, Thomas Goirand wrote:
> On 06/22/2016 07:57 AM, Salvatore Bonaccorso wrote:
> > Source: ironic
> > Version: 1:5.1.0-1
> > Severity: grave
> > Tags: security upstream
> > 
> > Hi,
> > 
> > the following vulnerability was published for ironic.
> > 
> > Setting severity to grave, since it looks like it would allow exposing
> > credentials to unauthenticated users.
> > 
> > CVE-2016-4985[0]:
> > Ironic node information including credentials exposed to unauthenticated users
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-4985
> > [1] http://www.openwall.com/lists/oss-security/2016/06/21/6
> > 
> > Regards,
> > Salvatore
> 
> FYI, I pushed upstream new releases which include the fixes:
> - 5.1.2 to Sid (with urgency high)
> - 4.2.5 to jessie-backports.
> 
> Please update the tracker.

It got accepted into the archive now, so I just have to update the tracker
information.

Thanks for your work!

Regards,
Salvatore


