From 54ec5860f4bd2c469071519e96e28aebb9a95615 Mon Sep 17 00:00:00 2001 From: Jay Faulkner <jay@jvf.cc> Date: Tue, 20 Aug 2024 15:09:33 -0700 Subject: [PATCH] Warn about CVE-2024-44082 Unmaintained Ironic-Python-Agent branches will not be patched against CVE-2024-44082. This patch updates the release notes and readme instructing deployers how to mitigate their risk using the provided Ironic conductor patches. Related-Bug: 2071740 Change-Id: Ie4aeef4af01ead5c18b359a22ab488de0c35248a --- README.rst | 5 +++++ ...44082-image-security-warning-37ac1ac7647a806a.yaml | 11 +++++++++++ 2 files changed, 16 insertions(+) create mode 100644 releasenotes/notes/cve-2024-44082-image-security-warning-37ac1ac7647a806a.yaml diff --git a/README.rst b/README.rst index 4494ed5a9..42e65dcd8 100644 --- a/README.rst +++ b/README.rst @@ -11,6 +11,11 @@ Team and repository tags Overview ======== +*WARNING:* The Ironic-Python-Agent version in this branch is vulnerable to +CVE-2024-44082. Do not run this in production unless using a patched +conductor with ``[conductor]/conductor_always_validate_images`` set to +``True``. + An agent for controlling and deploying Ironic controlled baremetal nodes. The ironic-python-agent works with the agent driver in Ironic to provision diff --git a/releasenotes/notes/cve-2024-44082-image-security-warning-37ac1ac7647a806a.yaml b/releasenotes/notes/cve-2024-44082-image-security-warning-37ac1ac7647a806a.yaml new file mode 100644 index 000000000..92509277a --- /dev/null +++ b/releasenotes/notes/cve-2024-44082-image-security-warning-37ac1ac7647a806a.yaml 
@@ -0,0 +1,11 @@ +--- +security: + - | + Ironic-Python-Agent versions prior to the 2023.1 release are vulnerable to + CVE-2024-44082, tracked in + `bug 2071740 <https://bugs.launchpad.net/bugs/2071740>_`. Deployers of + Ironic versions Zed or older must apply CVE-2024-44082 fixes to their + Ironic environment and leave (default for all releases Zed and older) + ``[conductor]/conductor_always_validates_images`` set to ``True``. This + ensures the conductor will security check the image because + Ironic-Python-Agent will not.
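Review bot: The option name in the README hunk, ``[conductor]/conductor_always_validate_images``, does not match the name used in the release note hunk, ``[conductor]/conductor_always_validates_images`` (note "validate" vs "validates"); only one can be the real ironic conductor option, and a deployer who copies the wrong spelling into ironic.conf will get an unrecognised option rather than the protection the warning promises. Reconcile the two against the option as defined in the ironic conductor patches this change refers to, and keep a single spelling in both files.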
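Review bot: The Launchpad reference in the release note is malformed reStructuredText: `` `bug 2071740 <https://bugs.launchpad.net/bugs/2071740>_` `` puts the underscore inside the closing backtick, so reno/Sphinx will not render it as a hyperlink (and may warn on the stray underscore). It should be `` `bug 2071740 <https://bugs.launchpad.net/bugs/2071740>`_ ``. While touching the note, the parenthetical in "leave (default for all releases Zed and older) ``...`` set to ``True``" reads awkwardly; "leave ``[conductor]/conductor_always_validates_images`` at its default of ``True`` (the default on Zed and older)" says the same thing more clearly, and "security check the image" is better as "validate the image".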