blob: 264aad04b03ddeb4cb6d8cb49e39fa7c1d0287e1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
---
security:
- |
Addresses a potential vector in which an system authenticated malicious
actor could leveraged data left on disk in some limited cases to make the
API of the ``ironic-python-agent`` attackable, or possibly break cleaning
processes to prevent the machine from being able to be returned to the
available pool. Please see `story 2008749 <https://storyboard.openstack.org/#!/story/2008749>`_
for more information.
fixes:
- |
Adds validation of Virtual Media devices in order to prevent existing
partitions on the system from being considered as potential sources of IPA
configuration data.
- |
Adds check into the configuration load from virtual media, to ensure it
only occurs when the machine booted from virtual media.
issues:
- |
Logic around virtual media device validation is now much more strict,
and may not work in all cases. Should you discover a case, please provide
the output from ``lsblk -P -O`` with a virtual media device attached to the
Ironic development community via
`Storyboard <https://storyboard.openstack.org/#!/project/947>`_.
- |
Internal logic to copy configuration data from virtual media now requires
the ``boot_method=vmedia`` flag to be set on the kernel command line of
the bootloader for the virtual media. Operators crafting custom boot
ISOs, should ensure that the appropriate command line is being added in
any custom build processes.
|
