Your message dated Sun, 31 May 2026 20:32:06 +0000
with message-id <[email protected]>
and subject line Bug#1136006: fixed in cyborg 14.0.0-3+deb13u1
has caused the Debian Bug report #1136006,
regarding cyborg: CVE-2026-40213 CVE-2026-40214
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136006: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136006
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cyborg
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for cyborg.
CVE-2026-40213[0]:
| OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as
| the default policy for multiple API endpoints. This unconditionally
| authorizes any request carrying a valid Keystone token regardless of
| roles, project membership, or scope. An authenticated user with zero
| role assignments can complete various actions such as reprogramming
| FPGA bitstreams on arbitrary compute nodes via agent RPC.
CVE-2026-40214[1]:
| In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API
| does not enforce project ownership at any layer. The project_id
| column in the database is never populated (NULL for every ARQ),
| database queries have no project filtering, and policy checks are
| self-referential (the authorize_wsgi decorator compares the caller's
| project_id with itself rather than the target resource). Any
| authenticated non-admin user can complete various actions such as
| deleting ARQs bound to other projects' instances, aka cross-tenant
| denial of service.
https://www.openwall.com/lists/oss-security/2026/05/07/6
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-40213
https://www.cve.org/CVERecord?id=CVE-2026-40213
[1] https://security-tracker.debian.org/tracker/CVE-2026-40214
https://www.cve.org/CVERecord?id=CVE-2026-40214
Please adjust the affected versions in the BTS as needed.
--- End Message ---
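The two defects the CVE texts above describe (a rule:allow default that ignores roles, and an ownership check that compares the caller's project_id with itself) are easiest to see side by side in code. The following is an added illustration, not Cyborg's or Debian's own code: RequestContext, ARQ, ARQ_DB, evaluate and check_arq_access are constructed names, and the evaluator understands only a toy subset of oslo.policy check-string syntax.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RequestContext:
    """Caller identity as a Keystone token would present it (constructed)."""
    user_id: str
    project_id: str
    roles: frozenset = frozenset()


@dataclass
class ARQ:
    uuid: str
    project_id: Optional[str]  # None models the never-populated DB column


# Constructed sample data: two tenants plus one ARQ whose project_id is NULL.
ARQ_DB = {
    "arq-1": ARQ("arq-1", "project-A"),
    "arq-2": ARQ("arq-2", "project-B"),
    "arq-3": ARQ("arq-3", None),
}

VULN_RULE = "@"  # rule:allow: the default the advisory describes
FIXED_RULE = "role:admin or project_id:%(project_id)s"


def evaluate(check_str: str, ctx: RequestContext, target: dict) -> bool:
    """Toy evaluator for a subset of oslo.policy check strings (' or ' only)."""
    for clause in (c.strip() for c in check_str.split(" or ")):
        if clause == "@":  # any valid token passes; roles and scope ignored
            return True
        if clause.startswith("role:") and clause[5:] in ctx.roles:
            return True
        if clause == "project_id:%(project_id)s":
            owner = target.get("project_id")
            # A NULL owner fails closed instead of matching anything.
            if owner is not None and owner == ctx.project_id:
                return True
    return False


def check_arq_access(ctx, arq_uuid, rule=FIXED_RULE, self_referential=False):
    """Return True if ctx may act on the ARQ under the given check string."""
    arq = ARQ_DB[arq_uuid]
    # The described defect: the target handed to the policy check carries the
    # caller's own project_id, so project_id:%(project_id)s always matches.
    owner = ctx.project_id if self_referential else arq.project_id
    return evaluate(rule, ctx, {"project_id": owner})
```

With the fixed rule and the real resource as target, a zero-role user from another project is denied, while the NULL-owner ARQ is denied to everyone but admins, which is why a project_id backfill accompanies the enforcement patch.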
--- Begin Message ---
Source: cyborg
Source-Version: 14.0.0-3+deb13u1
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cyborg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated cyborg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 11 May 2026 10:00:13 +0200
Source: cyborg
Architecture: source
Version: 14.0.0-3+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1136006
Changes:
cyborg (14.0.0-3+deb13u1) trixie-security; urgency=medium
 .
   * CVE-2026-40213: Cyborg uses rule:allow (check_str='@') as the default
     policy for multiple API endpoints. This unconditionally authorizes any
     request carrying a valid Keystone token regardless of roles, project
     membership, or scope. An authenticated user with zero role assignments can
     complete various actions such as reprogramming FPGA bitstreams on arbitrary
     compute nodes via agent RPC.
     CVE-2026-40214: The Accelerator Request (ARQ) API does not enforce project
     ownership at any layer. The project_id column in the database is never
     populated (NULL for every ARQ), database queries have no project filtering,
     and policy checks are self-referential (the authorize_wsgi decorator
     compares the caller's project_id with itself rather than the target
     resource). Any authenticated non-admin user can complete various actions
     such as deleting ARQs bound to other projects' instances, aka cross-tenant
     denial of service.
     Applied upstream patches:
     - Use_common_checks.check_policy_json_from_oslo.upgradecheck.patch
     - Fix_cyborg-status_upgrade_check_tests.patch
     - Fix_rule-allow_policy_bypass_on_device_deployable_attribute_APIs.patch
     - Set_project_id_on_ARQ_creation_and_binding.patch
     - Refactor_session_handling_and_align_test_contexts.patch
     - Add_project_id_backfill_for_existing_ARQs.patch
     - Enforce_project-scoped_access_for_ARQs.patch
     - Require_service_token_for_bound_ARQ_operations.patch
     (Closes: #1136006).
--- End Message ---