Source: murano
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for murano.

CVE-2024-29156[0]:
| In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used,
| the Murano service's MuranoPL extension to the YAQL language fails
| to sanitize the supplied environment, leading to potential leakage
| of sensitive service account information.

https://bugs.launchpad.net/murano/+bug/2048114
https://wiki.openstack.org/wiki/OSSN/OSSN-0093

No fix in Murano, but a change in src:python-yaql renders this unexploitable:
https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3 (3.0.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29156
    https://www.cve.org/CVERecord?id=CVE-2024-29156

Please adjust the affected versions in the BTS as needed.