#1135911 trixie-pu: package ironic/1:29.0.0-7

#1135911#5
Date:
2026-05-07 10:05:44 UTC
Hi,

The security team told me to go through p-u, so here it is.

I'd like to update Ironic in Trixie to the latest point
release from upstream, i.e. 29.0.5.

[ Reason ]
This version includes fixes for CVE-2026-42997 and CVE-2026-42510,
which are both serious security issues (i.e. shell injection, and
credential forwarding to an arbitrary endpoint).

[ Impact ]
See above: grave security impact if untrusted users have access
to the deployment.

[ Tests ]
Upstream runs a large amount of functional tests, and the Ironic
package runs a lot of unit tests (10k+ tests), so I'm confident
there will be no regression.

[ Risks ]
It is IMO less risky to upgrade to upstream 29.0.5 rather than
just applying patches. 29.0.0 -> 29.0.5 only contains bugfixes,
no new features.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Please let me upload Ironic 29.0.5-1~debu13u1.

Cheers,

Thomas Goirand (zigo)

#1135911#12
Date:
2026-05-07 17:07:20 UTC
Control: tags -1 + confirmed

+ironic (1:29.0.5-1~debu13u1) trixie; urgency=medium

That version implies that it's a backport of a 1:29.0.5-1 package from
a higher suite, which is not the case. Please make the version
1:29.0.5-0+deb13u1 instead, and feel free to go ahead with that change
made.

Regards,

Adam

#1135911#19
Date:
2026-05-19 07:24:24 UTC
FYI, the version I uploaded also fixes:
- CVE-2026-44916
- CVE-2026-44919

(I added 2 patches from upstream)

Cheers,

Thomas Goirand (zigo)

#1135911#24
Date:
2026-05-24 08:30:10 UTC
Hi Thomas,

You've uploaded with a stray extra 'u' in the version still; I will reject
so you can upload again.

Thanks,

#1135911#31
Date:
2026-05-26 08:21:43 UTC
Hi Jonathan,

Sorry for my mistake, corrected and re-uploaded.
Please accept the package.

Cheers,

Thomas Goirand (zigo)

#1135911#36
Date:
2026-05-26 21:15:09 UTC
package release.debian.org
tags 1135911 = trixie pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian trixie.

Thanks for your contribution!

Upload details
==============

Package: ironic
Version: 29.0.5-0+deb13u1

Explanation: fix credential forwarding from configuration molds [CVE-2026-42997]; fix IPMI console command injection [CVE-2026-42510]; sandbox kickstart template rendering [CVE-2026-44916]; prevent conductor thread exhaustion from file special devices [CVE-2026-44919]; restrict unsafe file image paths; improve image download validation and checksumming; correct Redfish power, boot and firmware workflows; fix inspection rule validation and hook failures; avoid stuck service/deploy states
