On 06/22/2016 07:57 AM, Salvatore Bonaccorso wrote:
> Source: ironic
> Version: 1:5.1.0-1
> Severity: grave
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for ironic.
>
> Setting security to grave, since looks it would allow to expose
> credentials to unauthenticated users.
>
> CVE-2016-4985[0]:
> Ironic node information including credentials exposed to unauthenticated users
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-4985
> [1] http://www.openwall.com/lists/oss-security/2016/06/21/6
>
> Regards,
> Salvatore

FYI, I pushed upstream new releases which include the fixes:
- 5.1.2 to Sid (with urgency high)
- 4.2.5 to jessie-backports.

Please update the tracker. Ironic isn't in Stable (because at the time
of the freeze, Nova didn't have support for it, so it was useless).

Cheers,

Thomas Goirand (zigo)