#1135646 ironic-python-agent: CVE-2026-43003

Package:
src:ironic-python-agent
Source:
src:ironic-python-agent
Submitter:
Salvatore Bonaccorso
Date:
2026-06-18 13:37:01 UTC
Severity:
normal
Tags:
#1135646#5
Date:
2026-05-04 04:57:52 UTC
Hi,

The following vulnerability was published for ironic-python-agent.

CVE-2026-43003[0]:
| An issue was discovered in OpenStack ironic-python-agent 1.0.0
| through 11.5.0. Ironic Python Agent (IPA) sometimes executes
| grub-install from within a chroot of the deployed partition image,
| leading to code execution in the case of a malicious image.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-43003
https://www.cve.org/CVERecord?id=CVE-2026-43003
[1] https://bugs.launchpad.net/ironic-python-agent/+bug/2148310

Regards,
Salvatore

#1135646#12
Date:
2026-06-17 04:45:29 UTC
Hi,

According to https://www.openwall.com/lists/oss-security/2026/06/16/11
there is also a part in ironic to be addressed, so I am cloning this bug
for the src:ironic part as well.

Regards,
Salvatore

#1135646#19
Date:
2026-06-18 13:34:32 UTC
We believe that the bug you reported is fixed in the latest version of
ironic-python-agent, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1135646@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic-python-agent package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 01 Jun 2026 13:21:49 +0200
Source: ironic-python-agent
Architecture: source
Version: 11.5.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135646
Changes:
 ironic-python-agent (11.5.0-3) unstable; urgency=medium
 .
   * CVE-2026-43003: Command injection via chroot execution of tenant-controlled
     binaries. Applied upstream patch: "Add a flag to disable installing
     bootloaders" (Closes: #1135646).