Accepted ironic 1:21.4.4-0+deb12u1 (source) into oldstable-proposed-updates

Debian FTP Masters Thu, 11 Jun 2026 13:48:25 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Nov 2024 16:10:43 +0100
Source: ironic
Architecture: source
Version: 1:21.4.4-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1135898 1136005 1136655 1138842
Changes:
 ironic (1:21.4.4-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream point release. Fixed CVE-2024-44082.
   * CVE-2026-44917: Ironic does not validate the location of
     node.driver_info[pxe_template], allowing a user who can set it to expose
     arbitrary files on an internal Ironic network, such as the servicing,
     provisioning, or cleaning networks. Applied upstream patch:
     - CVE-2026-44917_disable-driver_info-level-pxe_template-override.patch
   * CVE-2026-46447: A user with access to add or modify node.driver_info or
     node.instance_info can create a crafted value to enable iPXE script
     execution during the boot process. Applied upstream patch:
     - CVE-2026-46447_Sanitize-kernel_append_parms.patch
   * CVE-2026-48681: A maliciously crafted ISO image can cause Ironic to perform
     path traversal and overwrite files on a conductor's disk.  Applied upstream
     patch:
     - CVE-2026-48681-directory_transversal_ISO9660_support.patch
     (Closes: #1138842)
   * CVE-2026-44919: during image handling, an infinite loop in checksum
     calculations can occur via the file:///dev/zero URL. Add upstream patch:
     move_file_url_validation_up_into_deploy_utils_main_path.patch.
     (Closes: #1136655).
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment with
     the anaconda deploy interface, a node with the anaconda deployment
     interface set by an admin, and a malicious template could result in
     conductor internal data being rendered and if the infrastucture operator is
     allowing traffic egress for the provisioning network, could have sensitive
     internal data exfiled out of the environment. Applied upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
     (Closes: #1136005).
   * CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
     Endpoints via Ironic’s idrac Configuration molds Feature. Add upstream
     patch validate_molds_url_against_swift_in_keystone_catalog.patch.
     (Closes: #1135898).
   * (build-)depends on python3-oslo.messaging >= 14.0.3-0+deb12u1~.
Checksums-Sha1:
 ef3b4ab2cf2baa6dd7a984e6a0d5e8ed1f3c6cd2 4097 ironic_21.4.4-0+deb12u1.dsc
 11a01ab37bd81ba31e2ff1d511a5976ca3bf7651 1573012 ironic_21.4.4.orig.tar.xz
 1a3c1f5397a9e2e7cfc55e07164fbae634d2d959 62084 
ironic_21.4.4-0+deb12u1.debian.tar.xz
 ef8ac1f3c346ae4b4414519a0036cef784aed41a 23332 
ironic_21.4.4-0+deb12u1_amd64.buildinfo
Checksums-Sha256:
 88b7d2c9191e7a7f39ab6827bc60444ea282d17f35bc54ed93ea46744cbb7513 4097 
ironic_21.4.4-0+deb12u1.dsc
 f7e7a771594958ad0355a27854c69dc5c7404acfb301073da980a1c966b4a65f 1573012 
ironic_21.4.4.orig.tar.xz
 f576c737e5b0e5bf4793e86db437a2e386980cf2ac3d21193f112f5398105548 62084 
ironic_21.4.4-0+deb12u1.debian.tar.xz
 65d0fc0dbd1b5a152ce91ee86bd5d061b8170fda7c2fc6fef581ed09f54b936b 23332 
ironic_21.4.4-0+deb12u1_amd64.buildinfo
Files:
 2ada772091bc2fe503ad7d203651f838 4097 net optional ironic_21.4.4-0+deb12u1.dsc
 3dce1b73c9fc5033a096fd30751439f3 1573012 net optional ironic_21.4.4.orig.tar.xz
 7317e7acd75445ee1fca9205b16d5928 62084 net optional 
ironic_21.4.4-0+deb12u1.debian.tar.xz
 e603e9e800a4823736cb4f48c03e9bdd 23332 net optional 
ironic_21.4.4-0+deb12u1_amd64.buildinfo
pgpJcGehwi2Jb.pgp
Description: PGP signature
Accepted ironic 1:21.4.4-0+deb12u1 (source) into oldstable-proposed-updates

Reply via email to
