Package: release.debian.org
Source: release.debian.org
Submitter: Thomas Goirand
Date: 2026-05-26 21:17:02 UTC
Severity: normal
Tags:
Hi,

The security team told me to go through p-u, so here it is. I'd like to update Ironic in Trixie to the latest point release from upstream, i.e. 29.0.5.

[ Reason ]
This version includes fixes for CVE-2026-42997 and CVE-2026-42510, which are both serious security issues (i.e. shell injection, and credential forwarding to an arbitrary endpoint).

[ Impact ]
See above: grave security impact if untrusted users have access to the deployment.

[ Tests ]
Upstream runs a large number of functional tests, and the Ironic package runs a lot of unit tests (10k+ tests), so I'm confident there will be no regression.

[ Risks ]
It is IMO less risky to upgrade to upstream 29.0.5 rather than just applying patches. 29.0.0 -> 29.0.5 only contains bugfixes, no new features.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Please let me upload Ironic 29.0.5-1~debu13u1.

Cheers,

Thomas Goirand (zigo)
Control: tags -1 + confirmed

+ironic (1:29.0.5-1~debu13u1) trixie; urgency=medium

That version implies that it's a backport of a 1:29.0.5-1 package from a higher suite, which is not the case. Please make the version 1:29.0.5-0+deb13u1 instead, and feel free to go ahead with that change made.

Regards,

Adam
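The version-string point Adam raises above, as an added illustration that is not part of this thread and not Debian's own code: a small reimplementation of the Debian version ordering from Policy 5.6.12 (the ordering `dpkg --compare-versions` applies; in production use that tool or `debian.debian_support.Version` from python3-debian rather than this), run over the version strings that appear in the thread. Both `1:29.0.5-1~deb13u1` and `1:29.0.5-0+deb13u1` sort below `1:29.0.5-1`, so either would be superseded by that package on an upgrade to a newer suite; the difference is what the string asserts. `-1~deb13u1` says "a rebuild of the 1:29.0.5-1 package for deb13", which is not what this upload is, while `-0+deb13u1` says "revision 0 of 29.0.5, packaged for stable only". The earlier version `1:29.0.0-1` and the `~deb13u2` successor used in the comparisons are constructed for the example and do not come from the thread.

```python
import re

# Added example: reimplementation of the Debian version ordering (Policy 5.6.12)
# to show how the versions discussed in this thread sort. Not Debian's code;
# dpkg --compare-versions is the authoritative implementation.


def _char_order(c: str) -> int:
    """Ordering for characters in the non-digit runs: '~' sorts before
    everything (even the end of the string), letters before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        ca = _char_order(a[i]) if i < len(a) else 0  # end of string ranks as 0
        cb = _char_order(b[i]) if i < len(b) else 0
        if ca != cb:
            return -1 if ca < cb else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision: alternate between a
    lexical comparison of non-digit runs and a numeric comparison of digit runs."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        r = _cmp_nondigit(na.group(), nb.group())
        if r:
            return r
        a, b = a[na.end():], b[nb.end():]
        da, db = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        ia, ib = int(da.group() or "0"), int(db.group() or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[da.end():], b[db.end():]
    return 0


def parse_version(v: str):
    """Split [epoch:]upstream_version[-debian_revision].
    A missing epoch is 0; a missing revision is equivalent to revision 0."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b in Debian ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def ordering_report() -> dict:
    """Where the version strings from the thread land relative to each other."""
    unstable = "1:29.0.5-1"           # the -1 package a ~deb13u1 suffix would imply
    tilde = "1:29.0.5-1~deb13u1"      # backport-style string (what the first upload claimed)
    stable = "1:29.0.5-0+deb13u1"     # stable-update string the release team asked for
    typo = "1:29.0.5-1~debu13u1"      # the stray extra 'u' from the thread
    return {
        "tilde_below_unstable": compare_versions(tilde, unstable) == -1,
        "stable_below_unstable": compare_versions(stable, unstable) == -1,
        "stable_below_tilde": compare_versions(stable, tilde) == -1,
        # the typo is not merely cosmetic: 'debu' sorts after 'deb' at end of string
        "typo_above_correct_tilde": compare_versions(typo, tilde) == 1,
        # a hypothetical follow-up stable update must sort above this one
        "next_stable_update_newer": compare_versions("1:29.0.5-0+deb13u2", stable) == 1,
    }


if __name__ == "__main__":
    for name, ok in ordering_report().items():
        print(f"{name}: {ok}")
```

The `~` rule is what makes the backport convention work: `1:29.0.5-1~deb13u1` sits immediately below `1:29.0.5-1` and above any `1:29.0.5-0+…` revision, so a true backport is replaced by exactly the package it was built from. A `-0+debNuM` version sits below any `-1` revision the maintainer may later upload to unstable, which is the right place for a stable-only packaging of a new upstream release.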
FYI, the version I uploaded also fixes:
- CVE-2026-44916
- CVE-2026-44919
(I added 2 patches from upstream.)

Cheers,

Thomas Goirand (zigo)
Hi Thomas,

You've uploaded with a stray extra 'u' in the version still; I will reject so you can upload again.

Thanks,
Hi Jonathan,

Sorry for my mistake, corrected and re-uploaded. Please accept the package.

Cheers,

Thomas Goirand (zigo)
package release.debian.org
tags 1135911 = trixie pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian trixie.

Thanks for your contribution!

Upload details
==============

Package: ironic
Version: 29.0.5-0+deb13u1

Explanation: fix credential forwarding from configuration molds [CVE-2026-42997]; fix IPMI console command injection [CVE-2026-42510]; sandbox kickstart template rendering [CVE-2026-44916]; prevent conductor thread exhaustion from file special devices [CVE-2026-44919]; restrict unsafe file image paths; improve image download validation and checksumming; correct Redfish power, boot and firmware workflows; fix inspection rule validation and hook failures; avoid stuck service/deploy states