-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 May 2026 10:00:13 +0200
Source: cyborg
Architecture: source
Version: 14.0.0-3+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack
Changed-By: Thomas Goirand
Closes: 1136006
Changes:
 cyborg (14.0.0-3+deb13u1) trixie-security; urgency=medium
 .
   * CVE-2026-40213: Cyborg uses rule:allow (check_str='@') as the default
     policy for multiple API endpoints. This unconditionally authorizes any
     request carrying a valid Keystone token regardless of roles, project
     membership, or scope. An authenticated user with zero role assignments
     can complete various actions such as reprogramming FPGA bitstreams on
     arbitrary compute nodes via agent RPC.
     CVE-2026-40214: The Accelerator Request (ARQ) API does not enforce
     project ownership at any layer. The project_id column in the database
     is never populated (NULL for every ARQ), database queries have no
     project filtering, and policy checks are self-referential (the
     authorize_wsgi decorator compares the caller's project_id with itself
     rather than the target resource). Any authenticated non-admin user can
     complete various actions such as deleting ARQs bound to other projects'
     instances, aka cross-tenant denial of service.
     Applied upstream patches:
     - Use_common_checks.check_policy_json_from_oslo.upgradecheck.patch
     - Fix_cyborg-status_upgrade_check_tests.patch
     - Fix_rule-allow_policy_bypass_on_device_deployable_attribute_APIs.patch
     - Set_project_id_on_ARQ_creation_and_binding.patch
     - Refactor_session_handling_and_align_test_contexts.patch
     - Add_project_id_backfill_for_existing_ARQs.patch
     - Enforce_project-scoped_access_for_ARQs.patch
     - Require_service_token_for_bound_ARQ_operations.patch
     (Closes: #1136006).
Checksums-Sha1:
 cc46aec9f706532f85f4667db9eb094f5a23bef7 3331 cyborg_14.0.0-3+deb13u1.dsc
 9febb5db18a246db6326ae2a0cc98c92d94d6c4d 267020 cyborg_14.0.0.orig.tar.xz
 cd3a018e52c6a69ceb2a19b47dc4ae13b3af0006 35924 cyborg_14.0.0-3+deb13u1.debian.tar.xz
 8ec5a35b629ca6f4bc7390bb06dce181f6d6520a 22076 cyborg_14.0.0-3+deb13u1_amd64.buildinfo
Checksums-Sha256:
 dd7ef7350bd2f68b92c329928d229941fc997c0b275fa7a734a856e8fb530fd2 3331 cyborg_14.0.0-3+deb13u1.dsc
 c8a831229ad6d29e5932aaed12e0983409ac0ac7bf4c6870521e1e92631e9fc7 267020 cyborg_14.0.0.orig.tar.xz
 5a2da2d815a565bde805e6a00a96d35b8ccfece300ebe3f7f36a0ce7f8f6e4f0 35924 cyborg_14.0.0-3+deb13u1.debian.tar.xz
 16efd598696278d102f7b13b95d068439f12d9216b742d7bd75fce35a97fd2de 22076 cyborg_14.0.0-3+deb13u1_amd64.buildinfo
Files:
 eebe1b25705c6f7c885022d61ca05ad0 3331 net optional cyborg_14.0.0-3+deb13u1.dsc
 da38cceb505abc1abd7795fa91e4e628 267020 net optional cyborg_14.0.0.orig.tar.xz
 ad4f0a82e2b0d5b4382e7fabaf93abe4 35924 net optional cyborg_14.0.0-3+deb13u1.debian.tar.xz
 44fa28caabad2cec59bb97dd53ff4c56 22076 net optional cyborg_14.0.0-3+deb13u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmobQSQACgkQ1BatFaxr
Q/4apQ//Q6agbrpoPOm1/Jwh6jNCc2Wbis/VlrGaAR60gKTKg1mIv2a1A8qFpcQ/
5Jx1nzLrX0a1YqMP0EnpVbQA6ZVguPldPrE12/8pBjVcGX4GgQS0pF3Haxpxrdt7
QE1hM/a5a+a6WG+DgJ3zms9Pv1MBbNd2mGeycgsy4nseL1vrZTgrR3qutrwESvA9
2S7Y+JsfUfyG9hKT+nXuwCTaW3xoF4JsK9+7BWrpXM3SlMhnK0mUgzhd0zkmHsnW
XburX6/YQZgxNe+hJAcPyHpzURNIQ4/v8mlD7DHSwAEzT6bNI9iaO2CbCyADbUai
jixcN9KLg4POhAQlOOTTbODLymgEqd0zfU06nUKz0vM40Yj6PGtLOFDH/aU5GlRc
bIQNj/WzPqB7BtMQ/T6xoBgKFx6MJrsKpdnSdSlV5PbNTey/F/wtnEzSjPbicFw0
kksbUUh49+wh4DOSYy83h0zDIH7Zdwp6BnbgvwaVhYhtGII2Ht3VvNDT4dwXYrD6
9ODNw9A3+sXSnTX+qDERF/HA/mJQNy2SR/NL/fZd5MO8X0c8iwlF60VRIwl1l17+
WRZOiefXVop+KknmA3OSVKMI/8te9V2Lb2wHDfo352Cusx7ZSilme9lIj4ycHpvK
SG5MzJ8xmwYKXVQktMZ45L4IqYmOfZtM65Zmzn48QiYOi4eqzew=
=xPrR
-----END PGP SIGNATURE-----
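The two CVEs in the changelog above share one mechanism: the policy engine is asked a question that cannot fail. With check_str '@' (rule:allow) every valid token passes, and with a self-referential target the caller's project_id is compared with itself, so even a project-scoped rule passes for any tenant. The following is an added example, not Cyborg's code or the patched upstream code: a tiny constructed evaluator for a subset of the oslo.policy rule syntax ('@', '!', 'role:', 'project_id:%(project_id)s'), a deliberately self-referential authorize_vulnerable() beside authorize_fixed() which checks against the stored ARQ row, and the edge case the backfill patch exists for (a row whose project_id is still NULL must fail closed rather than match). The names Context, ArqRecord, check_rule, authorize_vulnerable, authorize_fixed and demo are hypothetical; the ARQ and project identifiers are constructed sample data.

```python
"""Added example (not Cyborg's or oslo.policy's code): why '@' and a
self-referential target make a policy check meaningless, and what a
project-scoped check against the real target looks like."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    """Caller credentials as derived from a validated Keystone token."""
    user_id: str
    project_id: str
    roles: tuple = ()


@dataclass
class ArqRecord:
    """Hypothetical stored Accelerator Request row."""
    uuid: str
    project_id: Optional[str]  # None models the never-populated column


def check_rule(check_str: str, creds: dict, target: dict) -> bool:
    """Evaluate a minimal, constructed subset of oslo.policy's rule language.

    '@'                     always allow (rule:allow)
    '!'                     always deny
    'role:<name>'           caller holds <name>
    'project_id:%(<k>)s'    caller's project_id equals target[<k>]
    Alternatives may be joined with ' or '.
    """
    for alt in check_str.split(" or "):
        alt = alt.strip()
        if alt == "@":
            return True
        if alt == "!":
            continue
        kind, _, value = alt.partition(":")
        if kind == "role" and value in creds.get("roles", ()):
            return True
        if kind == "project_id" and value.startswith("%(") and value.endswith(")s"):
            tgt = target.get(value[2:-2])
            # Fail closed: a NULL project_id on the row must never compare equal.
            if tgt is not None and creds.get("project_id") == tgt:
                return True
    return False


def authorize_vulnerable(check_str: str, ctx: Context, arq: ArqRecord) -> bool:
    """Self-referential check: the target is built from the caller, so
    'project_id:%(project_id)s' always matches whatever ARQ is touched."""
    creds = {"project_id": ctx.project_id, "roles": ctx.roles}
    target = {"project_id": ctx.project_id}  # bug: caller compared with itself
    return check_rule(check_str, creds, target)


def authorize_fixed(check_str: str, ctx: Context, arq: ArqRecord) -> bool:
    """Target is the stored row's project_id, so ownership is actually tested."""
    creds = {"project_id": ctx.project_id, "roles": ctx.roles}
    target = {"project_id": arq.project_id}
    return check_rule(check_str, creds, target)


def demo() -> dict:
    """Constructed scenario: a role-less user in project-B targets project-A's ARQ."""
    victim_arq = ArqRecord(uuid="arq-0001", project_id="project-A")
    legacy_arq = ArqRecord(uuid="arq-0002", project_id=None)  # not yet backfilled
    attacker = Context(user_id="user-b", project_id="project-B", roles=())
    owner = Context(user_id="user-a", project_id="project-A", roles=("member",))

    default_rule = "@"                                      # rule:allow
    scoped_rule = "role:admin or project_id:%(project_id)s"

    return {
        # CVE-2026-40213 shape: the default rule authorizes any valid token
        "default_rule_attacker": authorize_fixed(default_rule, attacker, victim_arq),
        # CVE-2026-40214 shape: scoped rule, but target is the caller itself
        "vuln_scoped_attacker": authorize_vulnerable(scoped_rule, attacker, victim_arq),
        # checking against the stored row denies the attacker, allows the owner
        "fixed_scoped_attacker": authorize_fixed(scoped_rule, attacker, victim_arq),
        "fixed_scoped_owner": authorize_fixed(scoped_rule, owner, victim_arq),
        # a NULL-project row denies even its real owner until it is backfilled
        "fixed_scoped_owner_legacy_row": authorize_fixed(scoped_rule, owner, legacy_arq),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY'}")
```

The last entry in demo() is why the upstream fix ships Set_project_id_on_ARQ_creation_and_binding and Add_project_id_backfill_for_existing_ARQs alongside Enforce_project-scoped_access_for_ARQs: once the check compares against the row, rows with a NULL project_id are unreachable for everyone but admin, so the column has to be populated before the enforcement patch is turned on.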