Your message dated Fri, 08 May 2026 15:05:19 +0000
with message-id <[email protected]>
and subject line Bug#1136005: fixed in ironic 1:35.0.1-2
has caused the Debian Bug report #1136005,
regarding ironic: CVE-2026-44916
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136005
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ironic
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for ironic.

CVE-2026-44916[0]:
| In OpenStack Ironic through 35.x, instance_info['ks_template'] is
| rendered without sandboxing.

https://bugs.launchpad.net/ironic/+bug/2148307
https://review.opendev.org/c/openstack/ironic/+/987514


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44916
    https://www.cve.org/CVERecord?id=CVE-2026-44916

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: ironic
Source-Version: 1:35.0.1-2
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 May 2026 16:27:56 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1136005
Changes:
 ironic (1:35.0.1-2) unstable; urgency=medium
 .
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment with
     the anaconda deploy interface, a node with the anaconda deployment
     interface set by an admin, and a malicious template could result in
     conductor internal data being rendered and, if the infrastructure operator is
     allowing traffic egress for the provisioning network, could have sensitive
     internal data exfiltrated out of the environment. Applied upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
     (Closes: #1136005).
Checksums-Sha1:
 cbbf067089ab708bab8b8976d07f590ea351601c 4063 ironic_35.0.1-2.dsc
 d75724e037db25b2fb0138df790b46ed84f637aa 20888 ironic_35.0.1-2.debian.tar.xz
 9a5612d294a2eae26f027c281a1e5de1d68df359 22745 ironic_35.0.1-2_amd64.buildinfo
Checksums-Sha256:
 0ff1b1714cc6f0d9a1ea960f78608bc06f1cc32da8b3369453dbb6786fc99faf 4063 ironic_35.0.1-2.dsc
 337790ba93eaf75ea2e8902d09fbd0a7265d0bc37aa296e529fa742b70bbe4f3 20888 ironic_35.0.1-2.debian.tar.xz
 64a2b56bc5d7bb7ece215dcfdae9139520945af8078b3fcf8fc78fdac8b481dc 22745 ironic_35.0.1-2_amd64.buildinfo
Files:
 91a42bb0e649342523ad653f37714caf 4063 net optional ironic_35.0.1-2.dsc
 5b7d9ff38150f3016a7d4a62b9c93b9a 20888 net optional ironic_35.0.1-2.debian.tar.xz
 58f7ee20729c6b9f0cdb2ea008016167 22745 net optional ironic_35.0.1-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmn99dUACgkQ1BatFaxr
Q/7HOw/8D2jtMfmWe6XUd+H4V0cXQUIW5fe7mzqiJg6Yohmd1c9vkXAiISTeTaPp
RGGafBIamniUMaa24K9CBMOR2yh913pnXPawJjERbKo8GOXYSLQ6WtsvXDibrgra
+b6aqjq1mmdF2aDBNr/r0nlrYYae6dy7fmG8dhPPDuzd9OQeU3ql3BoSv9CSs2HQ
VQ9hErGf8jnv/9tyuReOKN0AMV1UEu0ziGzM8FB7OFPFBLbOhu49n3MdZ70gZvsG
P6shb8/ekH/Tr800NJwBi3SV4VDEqPaAd+8cSp6knTd1OZ1wxsP6so09FJ65x275
QGkUrxW8k3TlHRJtHPHm1KxE0uCjnBUOTMnVoFtxfjDkeKrVbdh23nlHU+WlXxgQ
bkTT4L6fF18OmuykXq6NAriSm3clQOLBMGOKcHULHZdIo2QqALyRTwdIM7wAtkEK
guEoJh31dPpFUxMZD7zjMcsh047+eV8oXEnbtXdr+lyxBjmB3bJKifZNqeO9Fm6B
LN5OJDBOK1sAX3r2SxjmLn9lXR+NPkY6RCqj0NYMCdpU9qykZqI/szMPtW4SXYHL
sl0jDSnrquNmg2UVVvZHgogIkbGWjdKnrX9X10F2oeL1DqbX++NDRFKr+X4JHzUM
0wA/zmvX9IwLepHjjcVe4ooQH4njG6DlDFYdi7Djt66ayb24g0A=
=KIKo
-----END PGP SIGNATURE-----



--- End Message ---
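The changelog above describes the bug class (a Jinja2 template rendered with a plain environment can walk Python attribute chains and read conductor-side data) and the fix (render with jinja2's sandbox). The following is an added example that is not Ironic's code and not the upstream patch; it shows the vulnerable pattern beside the fixed one with a constructed secret and a constructed `Node` object. The names `CONDUCTOR_DB_PASSWORD`, `Node`, `render_unsandboxed`, `render_sandboxed`, `probe` and `leaks_secret` are illustrative assumptions, and the block needs the `jinja2` package.

```python
"""Added example (not Ironic's code): rendering an operator- or user-supplied
Jinja2 template with a plain Environment lets the template reach Python
internals; jinja2.sandbox.SandboxedEnvironment refuses that access.
Requires the jinja2 package."""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed stand-in for something sensitive that lives in the rendering
# process (think of a conductor config value). Not a real Ironic setting.
CONDUCTOR_DB_PASSWORD = "constructed-secret-0x5EC"


class Node:
    """Constructed stand-in for the node object a kickstart template sees."""

    def __init__(self, uuid: str, image_url: str) -> None:
        self.uuid = uuid
        self.image_url = image_url


# A legitimate kickstart fragment an operator might ship as ks_template.
BENIGN_TEMPLATE = "url --url={{ node.image_url }}\n# node {{ node.uuid }}"

# A malicious ks_template: climb from the exposed object to the module
# globals of the process doing the rendering and read whatever is there.
MALICIOUS_TEMPLATE = (
    "{{ node.__class__.__init__.__globals__['CONDUCTOR_DB_PASSWORD'] }}"
)


def render_unsandboxed(template_src: str, context: dict) -> str:
    """Vulnerable pattern: a plain Environment allows any attribute access,
    dunder attributes included, so the template can reach Python internals."""
    return Environment().from_string(template_src).render(**context)


def render_sandboxed(template_src: str, context: dict) -> str:
    """Fixed pattern: SandboxedEnvironment treats attributes starting with
    '_' (and other known-dangerous ones) as unsafe and raises SecurityError
    instead of handing the template Python internals."""
    return SandboxedEnvironment().from_string(template_src).render(**context)


def probe(render_fn) -> str:
    """Render MALICIOUS_TEMPLATE with render_fn; return the rendered output,
    or the string 'blocked' if the sandbox rejected the access."""
    ctx = {"node": Node("bm-01", "http://images.example/centos.iso")}
    try:
        return render_fn(MALICIOUS_TEMPLATE, ctx)
    except SecurityError:
        return "blocked"


def leaks_secret(render_fn) -> bool:
    """True if render_fn let the template read CONDUCTOR_DB_PASSWORD."""
    return CONDUCTOR_DB_PASSWORD in probe(render_fn)


if __name__ == "__main__":
    ctx = {"node": Node("bm-01", "http://images.example/centos.iso")}
    # Both environments render a legitimate template identically ...
    print(render_sandboxed(BENIGN_TEMPLATE, ctx) == render_unsandboxed(BENIGN_TEMPLATE, ctx))
    # ... but only the sandbox stops the exfiltration attempt.
    print("unsandboxed leaks:", leaks_secret(render_unsandboxed))
    print("sandboxed leaks:  ", leaks_secret(render_sandboxed))
```

The sandbox is not a substitute for limiting who may set `instance_info` on a node: it stops the template from reaching Python internals, but anything deliberately passed into the render context is still readable by whoever controls the template, and the changelog's point about egress from the provisioning network applies regardless of how the data was obtained.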
