Your message dated Fri, 05 Jun 2026 22:04:35 +0000
with message-id <[email protected]>
and subject line Bug#1138908: fixed in ironic 1:35.0.1-5
has caused the Debian Bug report #1138908,
regarding OSSN-0099: Denial of Service in Ironic under reduced process stack
size
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138908: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138908
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ironic
Version: 1:29.0.0-7
Severity: important
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>
https://wiki.openstack.org/wiki/OSSN/OSSN-0099
Summary
An unauthenticated malicious user could submit a specially crafted JSON string
to certain endpoints on the API service or the JSON-RPC endpoint if enabled,
and cause a service crash until the service is restarted. The crash occurred
because the memory allocation exceeded the stack size of the Python runtime,
which Ironic reduces by default, before the initial payload validation ran.
Affected Services / Software
ironic: >=32.0.0, <37.0.0
Discussion
The Ironic project has introduced a customized size check middleware which
looks for excessive and invalid recursive JSON data structures while also
enforcing path awareness and endpoint size limits based upon the intended
patterns of interaction with Ironic.
Recommended Actions
Apply the provided Ironic patches.
Review the newly provided configuration variables defaults in context of your
cluster.
Several options were added related to permitted JSON body sizing. The defaults
should be sufficient for most clouds but can be adjusted:
'[api]/max_json_body_depth', default 25, will reject requests with JSON
documents with more recursion depth than this.

'[api]/max_json_body_size', default 1024, is the maximum size, in KiB, the
API service will accept for any endpoint except the node provision state and
continue_inspection endpoints. Requests with a larger content-length will
receive an HTTP 413 response.

'[api]/max_json_body_size_provision', default 65536 (64MiB), is the max size,
in KiB, for the node provision state endpoint. The larger default is due to
the need to accommodate configdrives or deploy_steps.

'[api]/max_json_body_size_inspection', default 16384 (16MiB), is the max size,
in KiB, for the continue_inspection endpoint. The larger default is due to the
need to accommodate inspection data from the ramdisk, which can include system
logs and data larger than normal API requests.
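As an added example (not Ironic's own middleware, nor code from this report), a minimal Python gate that applies the three per-endpoint size caps and the depth limit described above before a body ever reaches json.loads(); the path patterns, the 400 status for over-deep bodies and the helper names are assumptions. The depth scan is a flat loop, so the check itself cannot exhaust a reduced stack.

```python
import json
import re
KIB = 1024
# Constructed defaults mirroring the advisory's [api] option names (KiB / levels).
LIMITS = {"max_json_body_depth": 25, "max_json_body_size": 1024,
          "max_json_body_size_provision": 65536,
          "max_json_body_size_inspection": 16384}
# Assumed path patterns for the two endpoints the advisory exempts.
PROVISION_RE = re.compile(r"^/v1/nodes/[^/]+/states/provision$")
INSPECTION_RE = re.compile(r"^/v1/continue_inspection$")

def size_limit_for(path):
    """Byte cap that applies to this endpoint."""
    if PROVISION_RE.match(path):
        return LIMITS["max_json_body_size_provision"] * KIB
    if INSPECTION_RE.match(path):
        return LIMITS["max_json_body_size_inspection"] * KIB
    return LIMITS["max_json_body_size"] * KIB

def json_depth(body):
    """Max bracket nesting, measured with a flat loop (no recursion) that
    skips brackets inside JSON strings, so the check needs constant stack."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in body.decode("utf-8", errors="replace"):
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth

def check_body(path, body):
    """Gate a body before json.loads(): 413 if over the endpoint cap, 400 (assumed status) if too deep."""
    if len(body) > size_limit_for(path):
        return 413, "request body exceeds the limit for this endpoint"
    if json_depth(body) > LIMITS["max_json_body_depth"]:
        return 400, "JSON nesting exceeds max_json_body_depth"
    json.loads(body)  # size and depth are bounded; safe to parse now
    return 200, "ok"
```

A real middleware would compare the Content-Length header before reading the body at all, which is what the 413 path in the advisory describes.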
Operators unable or unwilling to patch their Ironic installations can work
around the issue by increasing the process stack size by setting the
environment variable 'IRONIC_THREAD_STACK_SIZE=8388608' before starting Ironic
services.
Patches
The following reviews contain the fix for this issue:
2026.2/hibiscus (master):
https://review.opendev.org/c/openstack/ironic/+/991717
2026.1/gazpacho: https://review.opendev.org/c/openstack/ironic/+/991854
2025.2/flamingo: https://review.opendev.org/c/openstack/ironic/+/991858
bugfix/34.0: https://review.opendev.org/c/openstack/ironic/+/991856
bugfix/33.0: https://review.opendev.org/c/openstack/ironic/+/991857
Credits
Dmitry Tantsur, Red Hat
Tuomo Tanskanen, Ericsson Software Technology
Metal3.io Security Team
Contacts / References
Authors:
Jay Faulkner, G-Research Open Source Software (GR-OSS)
Julia Kreger, Red Hat
This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0099
Original Launchpad bug: https://bugs.launchpad.net/ironic/+bug/2154288
Mailing List : [security-sig] tag on [email protected]
OpenStack Security : https://security.openstack.org/
CVE: CVE-2026-50589
--- End Message ---
--- Begin Message ---
Source: ironic
Source-Version: 1:35.0.1-5
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 05 Jun 2026 19:14:00 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1138908
Changes:
ironic (1:35.0.1-5) unstable; urgency=medium
.
* CVE-2026-50589 / OSSN-0099: Denial of Service in Ironic under reduced
process stack size. Added upstream patch: "Add JSON body depth and size
limiting middleware" (Closes: #1138908).
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---