Merge pull request #1268 from stackhpc/ossa-2024-003-antelope

Fix CVE-2024-44082 / OSSA-2024-003
stackhpc · Sep 9, 2024 · 69012ee · 69012ee
2 parents 96eb985 + 3a97322
commit 69012ee
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml
@@ -14,6 +14,9 @@ kolla_image_tags:
     ubuntu-jammy: 2023.1-ubuntu-jammy-20240701T123544
   haproxy_ssh:
     ubuntu-jammy: 2023.1-ubuntu-jammy-20240509T102329
+  ironic:
+    rocky-9: 2023.1-rocky-9-20240906T144646
+    ubuntu-jammy: 2023.1-ubuntu-jammy-20240906T144646
   kolla_toolbox:
     rocky-9: 2023.1-rocky-9-20240809T102431
   letsencrypt:

diff --git a/releasenotes/notes/fix-cve-2024-44082-122ef225f674d864.yaml b/releasenotes/notes/fix-cve-2024-44082-122ef225f674d864.yaml
@@ -0,0 +1,12 @@
+---
+security:
+  - |
+    Fixes `CVE-2024-44082
+    <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44082>`_ with updated
+    container images for Ironic services. Note that Ironic Python Agent images
+    also need to be updated to fully fix this vulnerability. If this is not
+    possible, a new configuration option
+    ``[conductor]conductor_always_validates_images`` is available. See the
+    `OSSA-2024-003 description
+    <https://security.openstack.org/ossa/OSSA-2024-003.html>`_ for more
+    details.