cyborg (13.0.0-3~bpo12+1) UNRELEASED; urgency=medium

  [ Thomas Goirand ]
  * CVE-2026-40213: Cyborg uses rule:allow (check_str='@') as the default
    policy for multiple API endpoints. This unconditionally authorizes any
    request carrying a valid Keystone token regardless of roles, project
    membership, or scope. An authenticated user with zero role assignments can
    complete various actions such as reprogramming FPGA bitstreams on arbitrary
    compute nodes via agent RPC.
    CVE-2026-40214: The Accelerator Request (ARQ) API does not enforce project
    ownership at any layer. The project_id column in the database is never
    populated (NULL for every ARQ), database queries have no project filtering,
    and policy checks are self-referential (the authorize_wsgi decorator
    compares the caller's project_id with itself rather than the target
    resource). Any authenticated non-admin user can complete various actions
    such as deleting ARQs bound to other projects' instances, aka cross-tenant
    denial of service.
    Applied upstream patches:
    - Use_common_checks.check_policy_json_from_oslo.upgradecheck.patch
    - Fix_cyborg-status_upgrade_check_tests.patch
    - Fix_rule-allow_policy_bypass_on_device_deployable_attribute_APIs.patch
    - Set_project_id_on_ARQ_creation_and_binding.patch
    - Refactor_session_handling_and_align_test_contexts.patch
    - Add_project_id_backfill_for_existing_ARQs.patch
    - Enforce_project-scoped_access_for_ARQs.patch
    - Require_service_token_for_bound_ARQ_operations.patch
    (Closes: #1136006).

  [ Jenkins ]
  * Rebuilt by bop.

 -- Jenkins <jenkins@bookworm-dalmatian.debian.net>  Mon, 08 Jun 2026 19:45:13 +0000
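
The two authorization flaws described in the 13.0.0-3~bpo12+1 entry above, as an added example that is not part of the changelog and is not Cyborg or oslo.policy code. The evaluator, the function names, the sample data and the "role:admin" rule are assumptions made for illustration; the model shows an always-true rule next to a role check, and a target built from the caller next to a target built from the resource.

```python
# Added illustration: a simplified model, not Cyborg or oslo.policy source code.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Context:                      # caller identity from a validated Keystone token
    project_id: str
    roles: set = field(default_factory=set)

@dataclass
class ARQ:                          # constructed stand-in for an ARQ database row
    uuid: str
    project_id: Optional[str]       # None models the never-populated (NULL) column

def check(rule: str, target: dict, ctx: Context) -> bool:
    """Evaluate the three rule shapes used in this example."""
    if rule == "@":                              # always-true check (rule:allow)
        return True
    if rule == "project_id:%(project_id)s":      # caller project vs. target project
        owner = target.get("project_id")
        return owner is not None and owner == ctx.project_id
    if rule.startswith("role:"):
        return rule[len("role:"):] in ctx.roles
    return False                                 # unknown rule: fail closed

def may_program(ctx: Context, rule: str) -> bool:
    return check(rule, {}, ctx)

def may_delete_self_referential(ctx: Context, arq: ARQ) -> bool:
    # Target is built from the caller, so the caller is compared with itself.
    return check("project_id:%(project_id)s", {"project_id": ctx.project_id}, ctx)

def may_delete_resource_scoped(ctx: Context, arq: ARQ) -> bool:
    # Target is built from the resource the request acts on.
    return check("project_id:%(project_id)s", {"project_id": arq.project_id}, ctx)

# Constructed sample data.
no_roles = Context(project_id="project-b")
owner = Context(project_id="project-a", roles={"member"})
arq_a = ARQ(uuid="arq-0001", project_id="project-a")
arq_legacy = ARQ(uuid="arq-0002", project_id=None)

if __name__ == "__main__":
    print(may_program(no_roles, "@"), may_program(no_roles, "role:admin"))
    print(may_delete_self_referential(no_roles, arq_a))
    print(may_delete_resource_scoped(no_roles, arq_a))
    print(may_delete_resource_scoped(owner, arq_legacy))
```

In this model a row with no project_id fails the resource-scoped check even for its real owner, so ownership enforcement only works once existing rows carry a project_id.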

cyborg (13.0.0-2) unstable; urgency=medium

  * Switch to pybuild (Closes: #1090407).

 -- Thomas Goirand <zigo@debian.org>  Thu, 19 Dec 2024 17:14:11 +0100

cyborg (13.0.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thomas Goirand <zigo@debian.org>  Wed, 02 Oct 2024 15:54:14 +0200

cyborg (13.0.0~rc1-1) unstable; urgency=medium

  * New upstream release.

 -- Thomas Goirand <zigo@debian.org>  Mon, 23 Sep 2024 11:52:35 +0200

cyborg (12.0.0-1) unstable; urgency=medium

  * Initial packaging (Closes: #1080389).

 -- Thomas Goirand <zigo@debian.org>  Tue, 03 Sep 2024 11:52:23 +0200
