---
security:
- A critical security vulnerability (CVE-2016-4985) was fixed in this
release. Previously, a client with network access to the ironic-api service
was able to bypass Keystone authentication and retrieve all information
about any Node registered with Ironic, if they knew (or were able to guess)
the MAC address of a network card belonging to that Node, by sending a
crafted POST request to the /v1/drivers/$DRIVER_NAME/vendor_passthru
resource. Ironic's policy.json configuration is now respected when
responding to this request such that, if passwords should be masked for
other requests, they are also masked for this request.