Warn about CVE-2024-44082

jayofdoom · jayofdoom · commit 823f1f68cc1e · 2024-09-06T21:37:07.000Z
Unmaintained Ironic-Python-Agent branches will not be patched against
CVE-2024-44082. This patch updates the release notes and readme
instructing deployers how to mitigate their risk using the provided
Ironic conductor patches.

Related-Bug: 2071740
Change-Id: Ie4aeef4af01ead5c18b359a22ab488de0c35248a
diff --git a/README.rst b/README.rst
@@ -11,6 +11,11 @@ Team and repository tags
 Overview
 ========
 
+*WARNING:* The Ironic-Python-Agent version in this branch is vulnerable to
+CVE-2024-44082. Do not run this in production unless using a patched
+conductor with ``[conductor]/conductor_always_validate_images`` set to
+``True``.
+
 An agent for controlling and deploying Ironic controlled baremetal nodes.
 
 The ironic-python-agent works with the agent driver in Ironic to provision
diff --git a/releasenotes/notes/cve-2024-44082-image-security-warning-37ac1ac7647a806a.yaml b/releasenotes/notes/cve-2024-44082-image-security-warning-37ac1ac7647a806a.yaml
@@ -0,0 +1,11 @@
+---
+security:
+  - |
+    Ironic-Python-Agent versions prior to the 2023.1 release are vulnerable to
+    CVE-2024-44082, tracked in
+    `bug 2071740 <https://bugs.launchpad.net/bugs/2071740>_`. Deployers of
+    Ironic versions Zed or older must apply CVE-2024-44082 fixes to their
+    Ironic environment and leave (default for all releases Zed and older)
+    ``[conductor]/conductor_always_validates_images`` set to ``True``. This
+    ensures the conductor will security check the image because
+    Ironic-Python-Agent will not.
