Bug 1348817

Summary: CVE-2016-4985 openstack-ironic: Ironic Node information including credentials exposed to unauthenticated users [openstack-rdo]
Product: [Community] RDO Reporter: Adam Mariš <amaris>
Component: openstack-ironicAssignee: Alan Pevec <apevec>
Status: CLOSED CURRENTRELEASE QA Contact: Toure Dunnon <tdunnon>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, chris.brown, chrisw, cvsbot-xmlrpc, jschluet, lhh, lpeer, markmc, rbryant, sclewis, tdecacqu
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: trunk   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-ironic-4.2.5-1.el7 openstack-ironic-5.1.2-1.el7 Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-18 07:38:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1346193    

Description Adam Mariš 2016-06-22 07:21:04 UTC 
This as an RDO Project security tracking bug against openstack-ironic. It was created
to ensure that one or more security vulnerabilities are fixed.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

[bug automatically created by: add-tracking-bugs]
Comment 1 Dmitry Tantsur 2016-06-22 10:57:33 UTC 
Hi Alan!

Could you please rebase Ironic on all supported branches to fix this CVE? The versions are: Liberty - 4.2.5, Mitaka - 5.1.2, Newton - 6.0.0 (probably not needed).
Comment 2 Alan Pevec 2016-06-22 14:42:09 UTC 
Newton is continuously built in RDO Trunk master repo, I'll build liberty and newton in CBS.