12 lines
677 B
YAML
---
security:
  - A critical security vulnerability (CVE-2016-4985) was fixed in this
    release. Previously, a client with network access to the ironic-api service
    was able to bypass Keystone authentication and retrieve all information
    about any Node registered with Ironic, if they knew (or were able to guess)
    the MAC address of a network card belonging to that Node, by sending a
    crafted POST request to the /v1/drivers/$DRIVER_NAME/vendor_passthru
    resource. Ironic's policy.json configuration is now respected when
    responding to this request such that, if passwords should be masked for
    other requests, they are also masked for this request.
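The following is an added illustration of the behaviour the note describes, not Ironic's own code. It models the MAC-keyed lookup that the vendor_passthru resource performed, shows the "before" handler that returned a node's full driver_info to any caller, and beside it a handler that consults a policy.json-style rule before deciding whether to mask password fields. The node, the port MAC, the policy rule names (admin_api, show_password), the function names and the password-key regex are all constructed assumptions for the example; Ironic's real policy rules and masking code are not reproduced here.

```python
"""Added example (not Ironic's code): policy-gated masking of node secrets
returned by a MAC-address lookup, modelled on the CVE-2016-4985 release note."""
import copy
import re

# Keys in driver_info whose values are treated as secrets (assumption for the example).
SECRET_KEY_RE = re.compile(r"password|passphrase|secret", re.IGNORECASE)
MASK = "******"

# Constructed sample node, loosely shaped like an ironic-api node representation.
SAMPLE_NODE = {
    "uuid": "1b2e6d4a-0000-4000-8000-000000000001",
    "driver": "agent_ipmitool",
    "driver_info": {
        "ipmi_address": "10.0.0.5",
        "ipmi_username": "admin",
        "ipmi_password": "hunter2",
    },
    # MAC addresses of the node's ports; the lookup is keyed on these.
    "ports": ["52:54:00:ab:cd:ef"],
}

# Constructed policy.json-style fragment. Rule names are hypothetical but follow
# the "rule:x" / "role:y" syntax used by OpenStack policy files.
POLICY = {
    "admin_api": "role:admin or role:administrator",
    "show_password": "rule:admin_api",
}


def _evaluate(expr, policy, roles):
    """Evaluate a minimal subset of policy syntax: '', '!', 'or', 'and', role:, rule:."""
    expr = expr.strip()
    if expr == "":
        return True          # empty rule: always allowed
    if expr == "!":
        return False         # '!' rule: never allowed
    if " or " in expr:
        return any(_evaluate(p, policy, roles) for p in expr.split(" or "))
    if " and " in expr:
        return all(_evaluate(p, policy, roles) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        return _evaluate(policy.get(value, "!"), policy, roles)
    raise ValueError(f"unsupported policy check: {expr!r}")


def policy_allows(policy, rule_name, roles):
    """True if the caller's roles satisfy rule_name; unknown rules deny."""
    return _evaluate(policy.get(rule_name, "!"), policy, roles)


def mask_secrets(node):
    """Return a copy of node with secret-looking driver_info values replaced by MASK."""
    masked = copy.deepcopy(node)
    for key in masked.get("driver_info", {}):
        if SECRET_KEY_RE.search(key):
            masked["driver_info"][key] = MASK
    return masked


def lookup_node_vulnerable(mac, nodes):
    """'Before' behaviour from the note: any caller that supplies a known port MAC
    receives the whole node, including unmasked driver_info passwords."""
    mac = mac.lower()
    for node in nodes:
        if mac in node["ports"]:
            return copy.deepcopy(node)
    return None


def lookup_node_fixed(mac, nodes, roles, policy=POLICY):
    """'After' behaviour: same lookup, but password fields are masked unless the
    caller's roles satisfy the show_password rule in the policy file."""
    node = lookup_node_vulnerable(mac, nodes)
    if node is None:
        return None
    if policy_allows(policy, "show_password", roles):
        return node
    return mask_secrets(node)


if __name__ == "__main__":
    # An unauthenticated caller (no roles) that guessed the MAC:
    print(lookup_node_vulnerable("52:54:00:AB:CD:EF", [SAMPLE_NODE])["driver_info"])
    print(lookup_node_fixed("52:54:00:AB:CD:EF", [SAMPLE_NODE], roles=[])["driver_info"])
```

The point of the split into lookup_node_vulnerable and lookup_node_fixed is that the lookup itself is unchanged: the fix in the note does not stop the MAC-keyed request from being answered, it makes that code path honour the same password-masking policy that other requests already did. A deployment that sets show_password to "!" (deny everyone) gets masked output even for admin callers, which the policy_allows helper also models.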