Your message dated Tue, 26 May 2026 21:17:05 +0000
with message-id <[email protected]>
and subject line Bug#1136005: fixed in ironic 1:29.0.5-0+deb13u1
has caused the Debian Bug report #1136005,
regarding ironic: CVE-2026-44916
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136005
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ironic
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for ironic.

CVE-2026-44916[0]:
| In OpenStack Ironic through 35.x, instance_info['ks_template'] is
| rendered without sandboxing.

https://bugs.launchpad.net/ironic/+bug/2148307
https://review.opendev.org/c/openstack/ironic/+/987514


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44916
    https://www.cve.org/CVERecord?id=CVE-2026-44916

Please adjust the affected versions in the BTS as needed.

--- End Message ---
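An added illustration of the fix the bug describes (this is example code, not Ironic's own template handling): the same operator-supplied kickstart template is rendered once with a plain Jinja2 Environment and once with jinja2.sandbox.SandboxedEnvironment, which refuses access to underscore-prefixed attributes. The DeployContext class, its attribute names and the `node` variable are constructed stand-ins, not Ironic's real context.

```python
"""Added example, not from the bug report or the ironic package: contrast
unsandboxed and sandboxed Jinja2 rendering of a user-controlled template."""
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError, UndefinedError
from jinja2.sandbox import SandboxedEnvironment


class DeployContext:
    """Constructed stand-in for the object a kickstart template is handed.

    The attribute names are hypothetical; the point is that a real context
    object usually carries more than the template was meant to see.
    """

    def __init__(self) -> None:
        self.hostname = "node-01"
        # Constructed sample value; underscore marks it as internal.
        self._internal_token = "constructed-secret-do-not-leak"


def render_unsandboxed(template_src: str, ctx: DeployContext) -> str:
    """Pre-fix pattern: a plain Environment lets the template read anything
    reachable from the objects in its context, internal attributes included."""
    env = Environment(undefined=StrictUndefined, autoescape=False)
    return env.from_string(template_src).render(node=ctx)


def render_sandboxed(template_src: str, ctx: DeployContext) -> str:
    """Fixed pattern: SandboxedEnvironment turns access to attributes it
    considers unsafe (e.g. names starting with "_") into a SecurityError.
    StrictUndefined makes that error surface at render time instead of
    silently rendering an empty string."""
    env = SandboxedEnvironment(undefined=StrictUndefined, autoescape=False)
    return env.from_string(template_src).render(node=ctx)


def render_or_reject(template_src: str, ctx: DeployContext) -> tuple:
    """Returns (ok, text); ok is False when the sandbox refused the template
    or it referenced something the context does not provide. Note that the
    sandbox only limits *reachability*: any value you place in the context
    is still renderable, so pass the template only what it needs."""
    try:
        return True, render_sandboxed(template_src, ctx)
    except (SecurityError, UndefinedError) as exc:
        return False, f"rejected: {exc.__class__.__name__}: {exc}"


if __name__ == "__main__":
    ctx = DeployContext()
    print(render_unsandboxed("{{ node._internal_token }}", ctx))  # leaks
    print(render_or_reject("{{ node._internal_token }}", ctx))    # rejected
```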
--- Begin Message ---
Source: ironic
Source-Version: 1:29.0.5-0+deb13u1
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 30 Apr 2026 10:05:36 +0200
Source: ironic
Architecture: source
Version: 1:29.0.5-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1135255 1135898 1136005 1136655
Changes:
 ironic (1:29.0.5-0+deb13u1) trixie; urgency=medium
 .
   * New upstream release. Include fix for:
     - CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
       Endpoints via Ironic’s idrac Configuration molds Feature
       (Closes: #1135898).
     - CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
       Implementations. Applied upstream patch: "Shell-quote console command
       passed to socat" (Closes: #1135255).
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment with
     the anaconda deploy interface, a node with the anaconda deployment
     interface set by an admin, and a malicious template could result in
     conductor internal data being rendered and if the infrastructure operator is
     allowing traffic egress for the provisioning network, could have sensitive
     internal data exfiltrated out of the environment. Applied upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
     (Closes: #1136005).
   * CVE-2026-44919: during image handling, an infinite loop in checksum
     calculations can occur via the file:///dev/zero URL. Add upstream patch:
     move_file_url_validation_up_into_deploy_utils_main_path.patch.
     (Closes: #1136655).



--- End Message ---
