Merge pull request #81 from stackhpc/upstream/xena-2024-09-16

priteau · web-flow · commit 321946522b1d · 2024-09-16T09:33:31.000+02:00
Synchronise xena with upstream
diff --git a/README.rst b/README.rst
@@ -11,6 +11,11 @@ Team and repository tags
 Overview
 ========
 
+*WARNING:* The Ironic-Python-Agent version in this branch is vulnerable to
+CVE-2024-44082. Do not run this in production unless using a patched
+conductor with ``[conductor]/conductor_always_validate_images`` set to
+``True``.
+
 An agent for controlling and deploying Ironic controlled baremetal nodes.
 
 The ironic-python-agent works with the agent driver in Ironic to provision
diff --git a/releasenotes/notes/cve-2024-44082-image-security-warning-37ac1ac7647a806a.yaml b/releasenotes/notes/cve-2024-44082-image-security-warning-37ac1ac7647a806a.yaml
@@ -0,0 +1,11 @@
+---
+security:
+  - |
+    Ironic-Python-Agent versions prior to the 2023.1 release are vulnerable to
+    CVE-2024-44082, tracked in
+    `bug 2071740 <https://bugs.launchpad.net/bugs/2071740>_`. Deployers of
+    Ironic versions Zed or older must apply CVE-2024-44082 fixes to their
+    Ironic environment and leave (default for all releases Zed and older)
+    ``[conductor]/conductor_always_validates_images`` set to ``True``. This
+    ensures the conductor will security check the image because
+    Ironic-Python-Agent will not.
