mirror of
https://opendev.org/openstack/ironic.git
synced 2026-01-16 23:01:47 +00:00
While working another issue, we discovered that support added to the ironic-conductor process, which combined the image_download_source option of "local" with the "force_raw" option, resulted in a case where Ironic had no concept to checksum the files *before* the conductor process triggered an image format conversion and then recorded new checksum values. In essence, this opened the user-requested image file to being susceptible to a theoretical man-in-the-middle attack OR the remote server replacing the content with an unknown file, such as a new major version. This is at odds with Ironic's security model, where we do want to ensure the end user of ironic is asserting a known checksum for the image artifact they are deploying, so they are aware of the present state. Due to the risk, we chose to raise this as a CVE, as infrastructure operators should likely apply this patch. As a note, if you're *not* forcing all images to be raw format through the conductor, then this issue is likely not a major issue for you, but you should still apply the patch. This is being tracked as CVE-2024-47211.

Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4f4363ee49f77e688701995323a
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
| Name |
|---|
| .. |
| modules |
| __init__.py |
| base.py |
| drac.py |
| fake_hardware.py |
| generic.py |
| hardware_type.py |
| ibmc.py |
| ilo.py |
| intel_ipmi.py |
| ipmi.py |
| irmc.py |
| raid_config_schema.json |
| redfish.py |
| snmp.py |
| utils.py |
| xclarity.py |