Format: 1.8
Date: Mon, 11 May 2026 10:00:13 +0200
Source: cyborg
Binary: cyborg-agent cyborg-api cyborg-common cyborg-conductor cyborg-doc python3-cyborg
Architecture: all
Version: 14.0.0-3+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Thomas Goirand
Description:
 cyborg-agent - OpenStack Acceleration as a Service - processor
 cyborg-api - OpenStack Acceleration as a Service - API server
 cyborg-common - OpenStack Acceleration as a Service - common files
 cyborg-conductor - OpenStack Acceleration as a Service - conductor
 cyborg-doc - OpenStack Acceleration as a Service - Documentation
 python3-cyborg - OpenStack Acceleration as a Service - Python library
Closes: 1136006
Changes:
 cyborg (14.0.0-3+deb13u1) trixie-security; urgency=medium
 .
   * CVE-2026-40213: Cyborg uses rule:allow (check_str='@') as the default
     policy for multiple API endpoints. This unconditionally authorizes any
     request carrying a valid Keystone token regardless of roles, project
     membership, or scope. An authenticated user with zero role assignments
     can complete various actions such as reprogramming FPGA bitstreams on
     arbitrary compute nodes via agent RPC.
     CVE-2026-40214: The Accelerator Request (ARQ) API does not enforce
     project ownership at any layer. The project_id column in the database
     is never populated (NULL for every ARQ), database queries have no
     project filtering, and policy checks are self-referential (the
     authorize_wsgi decorator compares the caller's project_id with itself
     rather than the target resource). Any authenticated non-admin user can
     complete various actions such as deleting ARQs bound to other
     projects' instances, aka cross-tenant denial of service.
     Applied upstream patches:
     - Use_common_checks.check_policy_json_from_oslo.upgradecheck.patch
     - Fix_cyborg-status_upgrade_check_tests.patch
     - Fix_rule-allow_policy_bypass_on_device_deployable_attribute_APIs.patch
     - Set_project_id_on_ARQ_creation_and_binding.patch
     - Refactor_session_handling_and_align_test_contexts.patch
     - Add_project_id_backfill_for_existing_ARQs.patch
     - Enforce_project-scoped_access_for_ARQs.patch
     - Require_service_token_for_bound_ARQ_operations.patch
     (Closes: #1136006).
Checksums-Sha1:
Checksums-Sha256:
Files:
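The two policy defects in the Changes entry above, as an added example that is not cyborg's own code: a policy check whose target is the caller's own credentials (the self-referential authorize_wsgi pattern) beside a check whose target is the ARQ's own project_id, plus a rule:allow ('@') default passing a zero-role token. The rule strings, ARQ rows, policy names and the handling of rows whose project_id is still NULL are constructed assumptions for the illustration.

```python
"""Added illustration, not cyborg's code: the rule strings, policy map and
ARQ rows below are constructed for this example."""

ALLOW_ALL = "@"  # oslo.policy spelling of rule:allow
OWNER = "project_id:%(project_id)s"  # project-scoped rule in oslo.policy syntax

# Constructed ARQ rows; project_id None mirrors a never-populated column.
ARQS = {
    "arq-a": {"project_id": "tenant-a"},
    "arq-b": {"project_id": "tenant-b"},
    "arq-legacy": {"project_id": None},
}


def evaluate(rule, target, creds):
    """Minimal stand-in for oslo.policy rule evaluation (assumed shape)."""
    if rule == ALLOW_ALL:
        return True  # any valid token passes, regardless of roles or scope
    if rule == "rule:admin_api":
        return "admin" in creds["roles"]
    if rule == OWNER:
        return creds["project_id"] == target.get("project_id")
    raise ValueError("unknown rule: %s" % rule)


def self_referential_authorize(rule, creds, arq_uuid):
    """Vulnerable pattern: the caller's credentials double as the target,
    so OWNER compares the caller's project_id with itself and always passes."""
    target = creds  # arq_uuid is never consulted
    return evaluate(rule, target, creds)


def project_scoped_authorize(rule, creds, arq_uuid):
    """Corrected pattern: the target is the ARQ being acted on.  Rows whose
    project_id was never set (not yet backfilled) are admin-only (assumption)."""
    arq = ARQS.get(arq_uuid)
    if arq is None or arq["project_id"] is None:
        return "admin" in creds["roles"]
    return evaluate(rule, {"project_id": arq["project_id"]}, creds)


def allow_all_defaults(policy_defaults):
    """Audit helper: names of endpoints whose default rule is rule:allow."""
    return sorted(n for n, r in policy_defaults.items() if r == ALLOW_ALL)
```

A non-admin token from tenant-b passes the self-referential check against arq-a but fails the project-scoped one; the audit helper is the quick way to list endpoints still defaulting to '@' in a policy file loaded as a dict.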