- Yaook - lists.alasca.cloud

[Security Advisory][CVE-2026-33551] Restricted application credentials can create EC2 credentials
by Stefan Hoffmann April 8, 2026

April 8, 2026

Hi, yesterday OpenStack published a security advisory for keystone. The vulnerability is at Keystone’s EC2 credential creation endpoint. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user’s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected. keystone version 3.0.81 has the fixed version. With yaook release 1.4.2 and 2.0.1 this will be also fixed in the pinned_versions of the operators. (still in building) You can patch your keystone with this version pin: values: operator: extraEnv: - name: YAOOK_OP_VERSIONS_OVERRIDE value: | registry.yaook.cloud/yaook/keystone-2025.1: registry.yaook.cloud/yaook/keystone-2025.1:3.0.81 Also see our advisory: https://yaook.cloud/security-advisories-cve-2026-33551 Best regards Stefan -- Stefan Hoffmann DevOps-Engineer Cloud&Heat Cloud&Heat Technologies GmbH Königsbrücker Straße 96 (Halle 15) | 01099 Dresden +49 351 479 367 36 stefan.hoffmann(a)cloudandheat.com | www.cloudandheat.com Green, Open, Efficient. Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. [1] Commercial Register: District Court Dresden Register Number: HRB 30549 VAT ID No.: DE281093504 Managing Director: Nicolas Röhrs Authorized signatory: Dr. Marius Feldmann [1] Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. https://www.cloudandheat.com/

1 0

Yaook is at OpenInfra PGT
by Stefan Hoffmann March 24, 2026

March 24, 2026

Hi yaook devs, we are invited to take part at the OpenInfra Project Team Gathering. I planned a session so we can meet and discuss further steps. We will have a session at 23.04.2026 13-15UTC[1] If you have already topics we can talk about, add them to the etherpad[2] Meeting link will be [3] Best Regards Stefan [1] https://ptg.opendev.org/ptg.html [2] https://etherpad.opendev.org/p/apr2026-ptg-yaook [3] https://meetpad.opendev.org/apr2026-ptg-yaook -- Stefan Hoffmann DevOps-Engineer Cloud&Heat Cloud&Heat Technologies GmbH Königsbrücker Straße 96 (Halle 15) | 01099 Dresden +49 351 479 367 36 stefan.hoffmann(a)cloudandheat.com | www.cloudandheat.com Green, Open, Efficient. Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. [1] Commercial Register: District Court Dresden Register Number: HRB 30549 VAT ID No.: DE281093504 Managing Director: Nicolas Röhrs Authorized signatory: Dr. Marius Feldmann [1] Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. https://www.cloudandheat.com/

1 0

[CVE][OSSA-2026-004] Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack Glance image import functionality
by Stefan Hoffmann March 19, 2026

March 19, 2026

Hi yaook and OpenStack Users, today a new security advisory was published by OpenStack and yaook now has a fix for it. Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack Glance image import functionality By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the ‚web-download‘ and ‚glance-download‘ import methods are subject to this vulnerability, as is the optional (not enabled by default) ‚ovf_process‘ image import plugin. The following images are vulnerable: glance images BEFORE 1.1.156 Yaook versions <= v1.4.0 and 1.5.0 If any of these images are used in your cluster, the cluster is vulnerable. A new stable release 1.4.1 will be published today. You can upgrade to that release simply by updating your operators. Release 1.5.1 will also have this fix. If you don’t want to wait for the release, you can use a version override at the glance-operator (adjust the OpenStack version to the version you have deployed): values: operator: extraEnv: - name: YAOOK_OP_VERSIONS_OVERRIDE value: | registry.yaook.cloud/yaook/glance-2025.1: registry.yaook.cloud/yaook/glance-2025.1:1.1.156 See also https://yaook.cloud/security-advisories-ossa-2026-004/ Best regards Stefan -- Stefan Hoffmann DevOps-Engineer Cloud&Heat Cloud&Heat Technologies GmbH Königsbrücker Straße 96 (Halle 15) | 01099 Dresden +49 351 479 367 36 stefan.hoffmann(a)cloudandheat.com | www.cloudandheat.com Green, Open, Efficient. Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. [1] Commercial Register: District Court Dresden Register Number: HRB 30549 VAT ID No.: DE281093504 Managing Director: Nicolas Röhrs Authorized signatory: Dr. Marius Feldmann [1] Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. https://www.cloudandheat.com/

1 0

Help needed: 3-Minute Survey for FOSS Backstage Talk
by Daniel Gerber March 5, 2026

March 5, 2026

Dear ALASCA members, developers, supporters and friends, In a few days I will be giving a talk at this years FOSS Backstage in Berlin. To ensure that I represent the perspectives and priorities of our community accurately, as well as help guiding ALASCA’s work going forward, I would appreciate it if you could take a moment to answer this short survey: https://nextcloud.cloudandheat.com/apps/forms/s/qMYM4FiNfjkzfCzybSGcoFYM It should not take you more then 3 minutes, the answer are anonymous and can be given till Friday the 13th of March, 23:59. Please excuse duplicate notification of this survey and please share it within our community. Cheers, Daniel P.S: In case you need an English version please contact me directly! —— Dr. Daniel Gerber Softwaredeveloper ALASCA - Verband für betriebsfähige, offene Cloud-Infrastrukturen e.V. c/o Cloud&Heat Technologies GmbH Königsbrücker Straße 96 | 01099 Dresden +49 351 479 367 00 daniel.gerber(a)alasca.cloud | https://alasca.cloud/ Let's learn. Let's discuss. Let's inspire. Let's tech-talk. Alle News zu den ALASCA-Tech-Talks gibt es hier: https://alasca.cloud/alasca-tech-talks/ Verantwortliche i.S.d. § 55 Abs. 2 RStV: Dr. Marius Feldmann (Vorsitzender | Cloud&Heat Technologies GmbH) Josephine Seifert (Stellvertretende Vorsitzende) Steffen Brauß (Schatzmeister | Schwarz IT KG) Registergericht: Amtsgericht Dresden Registernummer: VR 12961 Steuernummer: 202/140/21049

1 0

Yaook at OpenInfra PTG
by Stefan Hoffmann March 4, 2026

March 4, 2026

Hi everyone, for the first time, yaook is part of the OpenInfra ProjectTeamGathering in April.[1] Currently the time of our session is not fixed, but the PTG will take plase at 20-24 April 2026, I will create a 2-4h session for us. Feel free to already register[2] so we know whom to expect and OpenInfra sees, the session is used. Soon we will share a etherpad where topics can be added. If you have wishes for a specific timeframe/day contact me. Best Regards Stefan [1] lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org /thread/NDYECQOHPBHRNSBSSQCHAIB7LDPDC5XO/ [2] https://ptg.openinfra.org/

1 0

[v1.2.1] Bug at release update when computenodes in creating
by Stefan Hoffmann Feb. 20, 2026

Feb. 20, 2026

Hi all, we found a bug with nova-compute nodes in creating since release v1.2.1 You will run into that issue when updating yaook to 1.2.1 or any newer version, if you have computenodes in state creating while updating the nova-compute-operator. We will try to build a fix, but maybe we just keep it as is. A workaround can be found in the issue[1] and after the upgrade and fixing once, the issue don't occur again. Also it is hopefully for the most environments possible to do the update when all nodes are finished with creation. If you want a fix, of cause, you can comment at the issue[1] or reply here. Best regards Stefan [1] https://gitlab.com/yaook/operator/-/issues/653

1 0

[Security Advisory] OSSA-2026-002
by Stefan Hoffmann Feb. 17, 2026

Feb. 17, 2026

Hi, today OpenStack announced that there is a CVE at nova, when using flat image backend [1]. We have further information at our Advisory [2]. If you DON'T have `use_cow_images=False` configured in nova.conf you should be not affected. To mitigate this issue, upgrade to yaook release v1.3.0 (will be released tomorrow) or pin the nova-compute image at nova-operator like described here[2] to registry.yaook.cloud/yaook/nova-compute-2025.1- ubuntu:4.1.183 Best regards Stefan [1] https://security.openstack.org/ossa/OSSA-2026-002.html [2] https://yaook.cloud/security-advisories-cve-2026-24708/

1 1

ALASCA Community Goal - SBOM
by Stefan Hoffmann Feb. 3, 2026

Feb. 3, 2026

Hi yaook folks, some days ago, we discussed with the ALASCA TSC what the community goal for 2026 could be. As already some projects are working on it, as well as yaook, we decided to create a SBOM for each project. The "official" goal is called: By the end of 2026, all of our ALASCA projects should have an SBOM or a tool to generate their SBOM.[1] I'm happy, that there is already some effort to implement that. Best regards Stefan [1] https://gitlab.com/alasca.cloud/governance/governance/-/blob/main/docs/alas… -- Stefan Hoffmann DevOps-Engineer Cloud&Heat Cloud&Heat Technologies GmbH Königsbrücker Straße 96 (Halle 15) | 01099 Dresden +49 351 479 367 36 stefan.hoffmann(a)cloudandheat.com | www.cloudandheat.com Green, Open, Efficient. Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. [1] Commercial Register: District Court Dresden Register Number: HRB 30549 VAT ID No.: DE281093504 Managing Director: Nicolas Röhrs Authorized signatory: Dr. Marius Feldmann [1] Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. https://www.cloudandheat.com/

1 0

Participate with yaook at OpenStack PTG
by Stefan Hoffmann Feb. 3, 2026

Feb. 3, 2026

Hi, at the last OpenInfra summit or so, we asked, if it would be possible to take part at the OpenStack ProjectTeamGathering with our yaook project. We have the opportunity now to do so, I just would need to register us. Do you want to have such a meeting, where we discuss, what the next steps are for the project? As we are not forced to follow the OpenStack release cycle, we are quite free, what to do there and for what time frame to discuss stuff. But I would like to discuss open tasks at the SBOM and image build streamline process. Maybe there are other topics as well. Best regards Stefan -- Stefan Hoffmann DevOps-Engineer Cloud&Heat Cloud&Heat Technologies GmbH Königsbrücker Straße 96 (Halle 15) | 01099 Dresden +49 351 479 367 36 stefan.hoffmann(a)cloudandheat.com | www.cloudandheat.com Green, Open, Efficient. Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. [1] Commercial Register: District Court Dresden Register Number: HRB 30549 VAT ID No.: DE281093504 Managing Director: Nicolas Röhrs Authorized signatory: Dr. Marius Feldmann [1] Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. https://www.cloudandheat.com/

1 0

Yaook SCS Operator hackathon 2026-02-26, Hamburg - save the date!
by Friedrich Zahn Feb. 3, 2026

Feb. 3, 2026

Hi, the ALASCA-FOCIS team, supported by Dataport, UhuruTec and other community members, is planning a one day hackathon to work on a Yaook SCS Operator that will make it easier to run SCS-IaaS compliant Yaook cloud offerings. Save the date: 2026-02-26 in Hamburg. More details will follow soon, stay tuned! Feel free to get back to me with any questions or suggestions. Best regards Friedrich

1 1