Your message dated Thu, 18 Jun 2026 16:36:07 +0000
with message-id <[email protected]>
and subject line Bug#1140187: fixed in ironic 1:35.0.1-7
has caused the Debian Bug report #1140187,
regarding ironic: CVE-2026-43003
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140187: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140187
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ironic-python-agent
Version: 11.5.0-2
Severity: important
Tags: security upstream
Forwarded: https://bugs.launchpad.net/ironic-python-agent/+bug/2148310
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 10.2.0-3

Hi,

The following vulnerability was published for ironic-python-agent.

CVE-2026-43003[0]:
| An issue was discovered in OpenStack ironic-python-agent 1.0.0
| through 11.5.0. Ironic Python Agent (IPA) sometimes executes
| grub-install from within a chroot of the deployed partition image,
| leading to code execution in the case of a malicious image.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-43003
    https://www.cve.org/CVERecord?id=CVE-2026-43003
[1] https://bugs.launchpad.net/ironic-python-agent/+bug/2148310

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ironic
Source-Version: 1:35.0.1-7
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 17 Jun 2026 14:24:00 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1140187
Changes:
 ironic (1:35.0.1-7) unstable; urgency=medium
 .
   * CVE-2026-43003: Command injection via chroot execution of tenant-controlled
     binaries. Add upstream patch: "Add an agent flag to disable installing
     bootloaders" (Closes: #1140187).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
