- Package:
- src:ironic
- Source:
- src:ironic
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2026-06-11 20:49:03 UTC
- Severity:
- normal
- Tags:
Hi, The following vulnerability was published for ironic. CVE-2026-42997[0]: | An issue was discovered in idrac in OpenStack Ironic before 35.0.1. | During import, a user invoking molds can request authorization to be | sent to a remote endpoint. The credential forwarded is a time- | limited Keystone token (which provides access to all OpenStack | services Ironic is authorized for); or basic credentials configured | for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, | and 35.0.1. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-42997 https://www.cve.org/CVERecord?id=CVE-2026-42997 [1] https://www.openwall.com/lists/oss-security/2026/05/05/10 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1135898@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 07 May 2026 10:01:20 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135898
Changes:
ironic (1:35.0.1-1) unstable; urgency=high
.
* New upstream release. Include fix for CVE-2026-42997 / OSSA-2026-010:
Credential Forwarding to Arbitrary Endpoints via Ironic’s idrac
Configuration molds Feature (Closes: #1135898).
* Removed patch applied upstream:
- CVE-2026-42510_Shell-quote_console_command_passed_to_socat.patch
Checksums-Sha1:
38e95bf4561503d09d1d94f52958eca12ad21650 4063 ironic_35.0.1-1.dsc
085f47208b8f6e53b384b2fdc821af19a34113d4 2145772 ironic_35.0.1.orig.tar.xz
a9d2d811f93a7848bd9aa6319e87704a9c19ae59 18880 ironic_35.0.1-1.debian.tar.xz
b83637454ffc93d919bf3e8c721c84ebd22edbcd 22745 ironic_35.0.1-1_amd64.buildinfo
Checksums-Sha256:
27a6ca152055567981c39bbb8cef93a3c1df5933dabce4e1b588b1cba274f238 4063 ironic_35.0.1-1.dsc
fbb91f1171db0a336d74ddf011efa76980b857c4f4cf91a9e83a15f4d396e76c 2145772 ironic_35.0.1.orig.tar.xz
237d3683994fbeaaaec1272750b481bf4999e0c7a96ea9ba5c68169846778eb8 18880 ironic_35.0.1-1.debian.tar.xz
cbf808c68696df816038f0bc01848a73743ae389be962c51cec1d78f742433ee 22745 ironic_35.0.1-1_amd64.buildinfo
Files:
9ca34c37c61890f8e24ae9d439ce2eeb 4063 net optional ironic_35.0.1-1.dsc
75fd681e991e3ee07dccd53dfc01246d 2145772 net optional ironic_35.0.1.orig.tar.xz
6ec43f2148dd440c118fcb75c422b2f6 18880 net optional ironic_35.0.1-1.debian.tar.xz
42a4058b2beae028f03ad332d267ccc9 22745 net optional ironic_35.0.1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmn8UZMACgkQ1BatFaxr
Q/7yFA/+NqIlGFqKbTzLlFqfcbWQCnPsaxl94lXVRw1Zr1UsnZR7TQMpuyfIKynz
Cfie0PYXinD8xpw37HCNnhiXagqvGFHD3h3BOVis70HKwrk+8ihYgQJFOzkYo7Ju
A9LIWRmo953zptlycD6R8OBdAOzNkQTzeNZfh2pFSAbyYJ4HhCay9F5N3fzxnJMj
SoOLNJa325JGldR0N1trfQ7RZpjgc9ezFFmL/qZYyJxj6J3qw11/5Z6XlkyWVwmH
HJCR0gf7t5YgRFPHOXWiQ6CUw3phe8AYPR0IpleawGM50FHCgQyb2jQRInkBtzgE
Ar+WqhNeW/JBaQG4XT6nlNGsFl0otzh7lnP4JHjJ/1Lgn8ZHFg4DYbJV5lZyoedq
5sSxB14+Aeq731REx8zhY/ydMvK9kM967kTb6ZGkZWTPyT6P+S3PXCIkI2CcYNXc
6AgMS59PlFZVdIyl2b4M0wY7G5jouu+1yfuYYuIjqWKkmo+0IJcDn8G73L/Li+v3
TujlppwGhLJzs+vB1mmxLPbdmOx802XKwhhv0A5e1/T3eD+YApxBfpCrb2K1bkcn
FgZhXnYfM0CIYmquu+59E9Sg+995HFIkAgNit6Oa0a/VRIORFP1kdtYm9ieIig74
K+hZ4uEN8jA41QAIBu1FJqemeGUI+jeoL0kUgb4XiO9TGCGxihU=
=F6hN
-----END PGP SIGNATURE-----
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1135898@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 30 Apr 2026 10:41:21 +0200
Source: ironic
Architecture: source
Version: 1:21.1.0-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1104964 1135255 1135898 1136005
Changes:
ironic (1:21.1.0-3+deb12u1) bookworm; urgency=medium
.
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
Implementations. Applied upstream patch: "Shell-quote console command
passed to socat" (Closes: #1135255).
* CVE-2025-44021: Ironic fails to restrict paths used for file:// image URLs.
Add upstream patch: OSSA-2025-001_Disallow+unsafe_image_file_paths.patch.
(Closes: #1104964).
* Add qemu-utils as build-depends because of tests from CVE-2025-44021 fix.
* CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
Endpoints via Ironic’s idrac Configuration molds Feature. Add upstream
patch validate_molds_url_against_swift_in_keystone_catalog.patch.
(Closes: #1135898).
* CVE-2026-44916: instance_info['ks_template'] is rendered without
sandboxing. An attacker with sufficient access, an ironic deployment with
the anaconda deploy interface, a node with the anaconda deployment
interface set by an admin, and a malicious template could result in
conductor internal data being rendered and if the infrastucture operator is
allowing traffic egress for the provisioning network, could have sensitive
internal data exfiled out of the environment. Applied upstream patch:
- CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
(Closes: #1136005).
Checksums-Sha1:
f577021f779ba187c53e7587c55d661d75b4c4e9 4074 ironic_21.1.0-3+deb12u1.dsc
214c2f489e716104c829d4b79ee86f171cc1da5e 1505820 ironic_21.1.0.orig.tar.xz
b49b8622e3c5b100f5711f02a3ea92e818f64a5d 25548 ironic_21.1.0-3+deb12u1.debian.tar.xz
f662a9e9f7a53da0547451e19c6d67126ff4b4a9 23321 ironic_21.1.0-3+deb12u1_amd64.buildinfo
Checksums-Sha256:
5dd1185d9990307275ac3b1e1039685d306b76fc2d1f7396d1d340327e5d1fb5 4074 ironic_21.1.0-3+deb12u1.dsc
f1440eb42de5619799844a57b243173fe933b5617d9dc35105c203e85bb5630b 1505820 ironic_21.1.0.orig.tar.xz
52eccb0a97e8a1f631480efab41c0d689904786b8db0e144e9c26daabe00119e 25548 ironic_21.1.0-3+deb12u1.debian.tar.xz
1fb772ee844d62d3396ced6f12b977f0d0950dafff608d65bc20cd142e2f9ebe 23321 ironic_21.1.0-3+deb12u1_amd64.buildinfo
Files:
450d600d31f7a9088633215d0520c481 4074 net optional ironic_21.1.0-3+deb12u1.dsc
f6f9a3db7286ed06e564f6c7fe0643ba 1505820 net optional ironic_21.1.0.orig.tar.xz
81fd7e3ef8fd7e196b567c8dab1eebde 25548 net optional ironic_21.1.0-3+deb12u1.debian.tar.xz
e7e06518666492caf16df597cdf0f844 23321 net optional ironic_21.1.0-3+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmoMEkIACgkQ1BatFaxr
Q/7lCA/9Htfvp8BmzviZuSKSPRtE8myylEWyt90k7Ep81Ux/DwDUawRjlAgRf75A
7afcGbMGsawTw607VeW1faeqgPe2NWZhdhwZWF03Z/K1gMSrVk8T2JiGx5PpX6Jk
4Zg7EmycJlIUy3Mv0oJqoD/PkwzhYUmlbQYzR2BSadImTPzMpjOp3TWjLMwqpx2q
uG8m0wk6hWMx+Ff0fNoVQoT8xKTPuHHfUCbT/Fov1OFEm6sfS5/5QAU/njPO2+8Y
knNnp5jF8wBeEFS8BvpPyM6VGBmk2+HtqFLgNCO2sRWw5uRWGSVBFgA7TXkWF08L
uhfCh2pswhd5md+ooffyyRMk8EtBJ4Z6g6oKUAVF+frJM4fqn0Fb9hSDZot+LRKF
egbsfC/Q46hrn7pPw0l0PcdYLcA+Yy11ZI+Xa3I/oyBdWVU7JHrmDFtwsQY+6qI1
QGaUUtj33Wb3ptXD20OzfHDXV/hPPqRCrbGtKfpM7sRA/cP5XskLUmUd7hW6uuY+
aPcEbz4zLbuP2E4lPIU6PwONwrHYyjTfdTRktQufcGRQ8S5IOhy/2i91+ArRb/EZ
lSGBjmFdQZmYRA7cxb7t+Gar124kpF8HiSWr01Mw9FSEkcOYBG7Dt6lIrigQX4aI
vHAizEn1WVdNeduYTJNN1/5sgYHiWYsgmLDzPUsZD+OS0ycK4xw=
=biG9
-----END PGP SIGNATURE-----
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1135898@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 30 Apr 2026 10:05:36 +0200
Source: ironic
Architecture: source
Version: 1:29.0.5-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135255 1135898 1136005 1136655
Changes:
ironic (1:29.0.5-0+deb13u1) trixie; urgency=medium
.
* New upstream release. Include fix for:
- CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
Endpoints via Ironic’s idrac Configuration molds Feature
(Closes: #1135898).
- CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
Implementations. Applied upstream patch: "Shell-quote console command
passed to socat" (Closes: #1135255).
* CVE-2026-44916: instance_info['ks_template'] is rendered without
sandboxing. An attacker with sufficient access, an ironic deployment with
the anaconda deploy interface, a node with the anaconda deployment
interface set by an admin, and a malicious template could result in
conductor internal data being rendered and if the infrastucture operator is
allowing traffic egress for the provisioning network, could have sensitive
internal data exfiled out of the environment. Applied upstream patch:
- CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
(Closes: #1136005).
* CVE-2026-44919: during image handling, an infinite loop in checksum
calculations can occur via the file:///dev/zero URL. Add upstream patch:
move_file_url_validation_up_into_deploy_utils_main_path.patch.
(Closes: #1136655).
Checksums-Sha1:
f65f99602c674b7ebd32fe2518d337125ddf9ac9 4096 ironic_29.0.5-0+deb13u1.dsc
b6b17bf8a174467edda78a62b7136c12b4058129 1892376 ironic_29.0.5.orig.tar.xz
861b413f51470c7d74634caf45856415b4348d4c 22568 ironic_29.0.5-0+deb13u1.debian.tar.xz
d659e18399d1047fd4d9e710c3e4e8543f0e36e6 22929 ironic_29.0.5-0+deb13u1_amd64.buildinfo
Checksums-Sha256:
db41efc3a56d46d30abbbdbcb0c3424d7be6b84ff4839dc5d12978bae5c1030e 4096 ironic_29.0.5-0+deb13u1.dsc
8381a472d7d79dc798a74917bf1cb8eb7795916d952643b64c7f5dc50532e6d9 1892376 ironic_29.0.5.orig.tar.xz
570f08844d5d290994de3ec8fb305929b775ca93d8e02e97dcdfe692b5f6426b 22568 ironic_29.0.5-0+deb13u1.debian.tar.xz
00c8cb0d608501df1bd92e3ae41d64ee106a8c497bbde80c8ed939c3952477df 22929 ironic_29.0.5-0+deb13u1_amd64.buildinfo
Files:
a0094d72c1e6774be76d420cdfca3b6a 4096 net optional ironic_29.0.5-0+deb13u1.dsc
52695995363316a16620272afa449301 1892376 net optional ironic_29.0.5.orig.tar.xz
8182b8b4dcffe3746e649c1d8b3c7582 22568 net optional ironic_29.0.5-0+deb13u1.debian.tar.xz
db660613cdbcfd1134084b10a355ebeb 22929 net optional ironic_29.0.5-0+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmoVV2cACgkQ1BatFaxr
Q/6nUA//Xdu2gqc4jpV2dlyBqxxcBaTUZOSt1SBBuLCUlGEJnE0xyoEsA8ZzqX7R
2nhQ77Babl6MAKtivMttpTbwWKNdPBobaL6UFQziCVhR892PkAy0Q0h3TNPwmHhi
nRkpJkVWdlyKHh7xW6qk2JQu4RHe/vgfQHeUlrUDINmOIv4162bBUOqROo68laj1
xGvJIw76Pf1V4+r+j8q2qwwAAvvmgv6JNOAZNZ44XN4Kb8mW0ulr4i1lCP0LYHWP
bByqojUVRMXFPdF6zVloIycL3eO5A2uGHkY6RqiPO4Xam0kZIoawTwg4pgyqT6Hm
82/GApymfgsHRqxo5wdUTIhIcfNi41LgOVlp44X8LcdaVqVDK+7RYEdF6lqlfEl0
LiAOQ5xvDBOZmPfDZeenBbEXnZvDEIqLtn1FgehZEQp1pi/07dXohzssdelrs3HU
4qxp8l/TpoCDgdLSNKR7PLqwpfCBUMt0uhGMXClQxPS34lDekFGlr5MMU6l6jS6l
pQOCP5Op96gIPYgAADBQJDqokKg7yBPv0qrmg4KvjDhLTz/X1z+TpuNdq1IbBba5
oECtyueUgtkYJ1hZRDUbB/Em+2G2q2j9gBmLylexzUaROMG5m36htLUlOBjwopVv
fc/aJDB7+c/H2p/IN0DZG6fU0/AtwGfH5iZGdtBMbHo4E1lNT7Q=
=ZJRr
-----END PGP SIGNATURE-----
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1135898@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 08 Nov 2024 16:10:43 +0100
Source: ironic
Architecture: source
Version: 1:21.4.4-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135898 1136005 1136655 1138842
Changes:
ironic (1:21.4.4-0+deb12u1) bookworm-security; urgency=medium
.
* New upstream point release. Fixed CVE-2024-44082.
* CVE-2026-44917: Ironic does not validate the location of
node.driver_info[pxe_template], allowing a user who can set it to expose
arbitrary files on an internal Ironic network, such as the servicing,
provisioning, or cleaning networks. Applied upstream patch:
- CVE-2026-44917_disable-driver_info-level-pxe_template-override.patch
* CVE-2026-46447: A user with access to add or modify node.driver_info or
node.instance_info can create a crafted value to enable iPXE script
execution during the boot process. Applied upstream patch:
- CVE-2026-46447_Sanitize-kernel_append_parms.patch
* CVE-2026-48681: A maliciously crafted ISO image can cause Ironic to perform
path traversal and overwrite files on a conductor's disk. Applied upstream
patch:
- CVE-2026-48681-directory_transversal_ISO9660_support.patch
(Closes: #1138842)
* CVE-2026-44919: during image handling, an infinite loop in checksum
calculations can occur via the file:///dev/zero URL. Add upstream patch:
move_file_url_validation_up_into_deploy_utils_main_path.patch.
(Closes: #1136655).
* CVE-2026-44916: instance_info['ks_template'] is rendered without
sandboxing. An attacker with sufficient access, an ironic deployment with
the anaconda deploy interface, a node with the anaconda deployment
interface set by an admin, and a malicious template could result in
conductor internal data being rendered and if the infrastucture operator is
allowing traffic egress for the provisioning network, could have sensitive
internal data exfiled out of the environment. Applied upstream patch:
- CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
(Closes: #1136005).
* CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
Endpoints via Ironic’s idrac Configuration molds Feature. Add upstream
patch validate_molds_url_against_swift_in_keystone_catalog.patch.
(Closes: #1135898).
* (build-)depends on python3-oslo.messaging >= 14.0.3-0+deb12u1~.
Checksums-Sha1:
ef3b4ab2cf2baa6dd7a984e6a0d5e8ed1f3c6cd2 4097 ironic_21.4.4-0+deb12u1.dsc
11a01ab37bd81ba31e2ff1d511a5976ca3bf7651 1573012 ironic_21.4.4.orig.tar.xz
1a3c1f5397a9e2e7cfc55e07164fbae634d2d959 62084 ironic_21.4.4-0+deb12u1.debian.tar.xz
ef8ac1f3c346ae4b4414519a0036cef784aed41a 23332 ironic_21.4.4-0+deb12u1_amd64.buildinfo
Checksums-Sha256:
88b7d2c9191e7a7f39ab6827bc60444ea282d17f35bc54ed93ea46744cbb7513 4097 ironic_21.4.4-0+deb12u1.dsc
f7e7a771594958ad0355a27854c69dc5c7404acfb301073da980a1c966b4a65f 1573012 ironic_21.4.4.orig.tar.xz
f576c737e5b0e5bf4793e86db437a2e386980cf2ac3d21193f112f5398105548 62084 ironic_21.4.4-0+deb12u1.debian.tar.xz
65d0fc0dbd1b5a152ce91ee86bd5d061b8170fda7c2fc6fef581ed09f54b936b 23332 ironic_21.4.4-0+deb12u1_amd64.buildinfo
Files:
2ada772091bc2fe503ad7d203651f838 4097 net optional ironic_21.4.4-0+deb12u1.dsc
3dce1b73c9fc5033a096fd30751439f3 1573012 net optional ironic_21.4.4.orig.tar.xz
7317e7acd75445ee1fca9205b16d5928 62084 net optional ironic_21.4.4-0+deb12u1.debian.tar.xz
e603e9e800a4823736cb4f48c03e9bdd 23332 net optional ironic_21.4.4-0+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmophJgACgkQ1BatFaxr
Q/53qQ/+JEl12/bV3JGAeUA1EAVSdwhk9KEReaAlZgnH5m+UIee65+QRqGAUtW7i
+HmNU+HrPtxeYf7+rHcl/cCg2k576BW6dyRUnJE/tEkVtNH5Pe/tvL9B27hlQn23
k0tmKjkACqogKlPmnij7tXbhBBrXBO7YlFsKJJnR7CTQbPMEbp1bV/8yG97MWk7N
DzE3uM3oNzHm3vGa43oovSVm7g9reJWhzfR4BI6MLWsRSgl/e475FUkK8m875M3e
26AKCko03F3grEQV44mdVYTERmdfxlTIzhPBgLzi2Gu6yqj6Yy0/nr3UVavWuwYd
MZKio93fwr2V6ck01sFPDcoMHrTznT4rcsWO3gq5e5d6NFQsl1LYq0Qtrv1z1YR3
EvAJ+vZTJ3VdDM54xZDV+u6O/qEOa8F0hWF6/kvpnW6am5ObBO4U5fjoZE44+u/n
sgqoqIzuv12PNBPuYMft2E8l90Uhqlrsx1u4ZtZ9KinQH4MQrREKd7liAn91IFPQ
qXaJx3ef21ADajciJwF+8Qtgb5HkB7TXTJH1KK4ZesnpxDVGWJlMuCcujHw+dlVB
J58BXhiu+INQGAMJySkovamxglhAMd+B+2bVdkLcceyuC7Uu0eRmK9EB7idQlRlv
FpRFBu5ujJh3k2G0ronpEYDp8jSIToSfco2aiwllVyN5M4zbXQM=
=4IY2
-----END PGP SIGNATURE-----