- Package: src:ironic
- Source: src:ironic
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-11 20:49:04 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for ironic.

CVE-2026-44919[0]:
| In OpenStack Ironic through 35.x before a3f6d73, during image
| handling, an infinite loop in checksum calculations can occur via
| the file:///dev/zero URL.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44919
    https://www.cve.org/CVERecord?id=CVE-2026-44919
[1] https://bugs.launchpad.net/ironic/+bug/2150332
[2] https://opendev.org/openstack/ironic/commit/a3f6d735ac3642ab95b49142c7305f072ae748d0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
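The failure mode in the report is a checksum routine that reads a file:// source to end-of-file: a character device such as /dev/zero never reaches EOF, so the hashing loop never terminates. The example below is added here for illustration and is not Ironic's code or the upstream patch; the function names, the ImageSourceError class and the MAX_IMAGE_BYTES cap are assumptions made for the example. It shows the two defensive checks a practitioner would want in such a routine: fstat the opened descriptor and refuse anything that is not a regular file, and bound the number of bytes the hashing loop will consume even when the size check passes.

```python
"""Defensive checksum of a file:// image source (illustrative, not Ironic's code)."""
import hashlib
import os
import stat
import tempfile
from urllib.parse import unquote, urlparse

# Assumed upper bound on the bytes we are willing to hash; constructed for this example.
MAX_IMAGE_BYTES = 64 * 1024 * 1024


class ImageSourceError(ValueError):
    """Raised when a file URL does not point at an acceptable image file (hypothetical name)."""


def sha256_hex(data):
    """Reference digest used to check the streaming result."""
    return hashlib.sha256(data).hexdigest()


def file_url_to_path(url):
    """Accept only local file:// URLs and return the decoded filesystem path."""
    parsed = urlparse(url)
    if parsed.scheme != "file":
        raise ImageSourceError("only file:// URLs are handled here: %r" % url)
    if parsed.netloc not in ("", "localhost"):
        raise ImageSourceError("remote host in file URL: %r" % url)
    return unquote(parsed.path)


def checksum_file_url(url, algo="sha256", max_bytes=MAX_IMAGE_BYTES):
    """Hash the file behind a file:// URL, refusing device nodes and oversize inputs."""
    path = file_url_to_path(url)
    # Open first and fstat the descriptor so the type check and the read
    # refer to the same object (no check-then-open race on the path).
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            # /dev/zero, /dev/urandom, FIFOs, directories: none of these
            # has a meaningful EOF, so hashing them cannot be bounded.
            raise ImageSourceError("%s is not a regular file" % path)
        if st.st_size > max_bytes:
            raise ImageSourceError("%s is %d bytes, cap is %d" % (path, st.st_size, max_bytes))
        digest = hashlib.new(algo)
        remaining = max_bytes
        with os.fdopen(fd, "rb") as f:
            fd = None  # the file object now owns (and will close) the descriptor
            # Even with the size check above, never read more than the cap:
            # a file that grows under us must not turn this into an unbounded loop.
            while remaining > 0:
                chunk = f.read(min(1 << 20, remaining))
                if not chunk:
                    break
                digest.update(chunk)
                remaining -= len(chunk)
            if remaining == 0 and f.read(1):
                raise ImageSourceError("%s grew past %d bytes while hashing" % (path, max_bytes))
        return digest.hexdigest()
    finally:
        if fd is not None:
            os.close(fd)


def demo():
    """Constructed run: a small regular file hashes, /dev/zero and an oversize file are refused."""
    payload = b"constructed image payload\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
        path = tmp.name
    try:
        result = {"digest": checksum_file_url("file://" + path)}
        try:
            checksum_file_url("file:///dev/zero")
            result["device_rejected"] = False
        except (ImageSourceError, OSError):  # OSError if /dev/zero is absent on this host
            result["device_rejected"] = True
        try:
            checksum_file_url("file://" + path, max_bytes=4)
            result["oversize_rejected"] = False
        except ImageSourceError:
            result["oversize_rejected"] = True
    finally:
        os.unlink(path)
    return result


if __name__ == "__main__":
    print(demo())
```

The ordering matters: the regular-file test must run on the descriptor that will actually be read, and the byte cap must be enforced inside the loop rather than only on st_size, because a size check alone is still a read-to-EOF loop for any input whose size lies.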
Hello,

Bug #1136655 in ironic reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/f33128c5d094522e92f5c0badbde0dba5b658b63

------------------------------------------------------------------------
  * CVE-2026-44919: during image handling, an infinite loop in checksum
    calculations can occur via the file:///dev/zero URL. Add upstream patch:
    move_file_url_validation_up_into_deploy_utils_main_path.patch.
    (Closes: #1136655)
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1136655

Hello,

Bug #1136655 in ironic reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/6b311b888b62227b28ca1a5ccd19b18db6ef514b

------------------------------------------------------------------------
  * CVE-2026-44919: during image handling, an infinite loop in checksum
    calculations can occur via the file:///dev/zero URL. Add upstream patch:
    move_file_url_validation_up_into_deploy_utils_main_path.patch.
    (Closes: #1136655).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1136655

Hello,

Bug #1136655 in ironic reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/8aa6e66ca6febac48bdd7b1c41ea3b5aab437a92

------------------------------------------------------------------------
  * CVE-2026-44919: during image handling, an infinite loop in checksum
    calculations can occur via the file:///dev/zero URL. Add upstream patch:
    move_file_url_validation_up_into_deploy_utils_main_path.patch.
    (Closes: #1136655).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1136655

Hello,

Bug #1136655 in ironic reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/14e7277f4299590c4457e8ba45a867c07429b50c

------------------------------------------------------------------------
  * CVE-2026-44919: during image handling, an infinite loop in checksum
    calculations can occur via the file:///dev/zero URL. Add upstream patch:
    move_file_url_validation_up_into_deploy_utils_main_path.patch.
    (Closes: #1136655).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1136655

Hello,

Bug #1136655 in ironic reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/b0e2e36366043ebbc20891e52725f4384a37a7dc

------------------------------------------------------------------------
  * CVE-2026-44919: during image handling, an infinite loop in checksum
    calculations can occur via the file:///dev/zero URL. Add upstream patch:
    move_file_url_validation_up_into_deploy_utils_main_path.patch.
    (Closes: #1136655).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1136655

Hello,

Bug #1136655 in ironic reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/06d13208a77b5fd891bf99fd1dd6c6f4d47e8d91

------------------------------------------------------------------------
  * CVE-2026-44919: during image handling, an infinite loop in checksum
    calculations can occur via the file:///dev/zero URL. Add upstream patch:
    move_file_url_validation_up_into_deploy_utils_main_path.patch.
    (Closes: #1136655).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1136655
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1136655@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 16 May 2026 00:38:22 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1136655
Changes:
 ironic (1:35.0.1-3) unstable; urgency=medium
 .
   * CVE-2026-44919: during image handling, an infinite loop in checksum
     calculations can occur via the file:///dev/zero URL. Add upstream patch:
     move_file_url_validation_up_into_deploy_utils_main_path.patch.
     (Closes: #1136655).
Checksums-Sha1:
6f8da09224a98fdbf2ca9bef643fb83c4edf9fb3 4063 ironic_35.0.1-3.dsc
cb6e8349f8e856bca5315b0cca2fb412207cf39a 23304 ironic_35.0.1-3.debian.tar.xz
e8f7ff2f02d3ff78889c285d74d31e2867b37868 22647 ironic_35.0.1-3_amd64.buildinfo
Checksums-Sha256:
c642b2a49d7023e7cf856a83159e05eb0a1dab7dbde9a77b3f0d87043403f9df 4063 ironic_35.0.1-3.dsc
84b69daabc7b3995b18bc6f93c28ce2450871781029e1e52bf9756c32f6fa5ae 23304 ironic_35.0.1-3.debian.tar.xz
2059bc70cf10cd066d183d924c9a8c2440675360f00abd98ffe67eebf45df62b 22647 ironic_35.0.1-3_amd64.buildinfo
Files:
d971da89fa80da7ee9867e80baaf003f 4063 net optional ironic_35.0.1-3.dsc
1eee4ddab9c2806d7d771fa01d68623c 23304 net optional ironic_35.0.1-3.debian.tar.xz
8e2b53ab30c0fe7425a4e4dcd35017fd 22647 net optional ironic_35.0.1-3_amd64.buildinfo
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1136655@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 30 Apr 2026 10:05:36 +0200
Source: ironic
Architecture: source
Version: 1:29.0.5-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135255 1135898 1136005 1136655
Changes:
 ironic (1:29.0.5-0+deb13u1) trixie; urgency=medium
 .
   * New upstream release. Include fix for:
     - CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
       Endpoints via Ironic’s idrac Configuration molds Feature
       (Closes: #1135898).
     - CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
       Implementations. Applied upstream patch: "Shell-quote console command
       passed to socat" (Closes: #1135255).
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment with
     the anaconda deploy interface, a node with the anaconda deployment
     interface set by an admin, and a malicious template could result in
     conductor internal data being rendered and, if the infrastructure operator is
     allowing traffic egress for the provisioning network, could have sensitive
     internal data exfiled out of the environment. Applied upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
     (Closes: #1136005).
   * CVE-2026-44919: during image handling, an infinite loop in checksum
     calculations can occur via the file:///dev/zero URL. Add upstream patch:
     move_file_url_validation_up_into_deploy_utils_main_path.patch.
     (Closes: #1136655).
Checksums-Sha1:
f65f99602c674b7ebd32fe2518d337125ddf9ac9 4096 ironic_29.0.5-0+deb13u1.dsc
b6b17bf8a174467edda78a62b7136c12b4058129 1892376 ironic_29.0.5.orig.tar.xz
861b413f51470c7d74634caf45856415b4348d4c 22568 ironic_29.0.5-0+deb13u1.debian.tar.xz
d659e18399d1047fd4d9e710c3e4e8543f0e36e6 22929 ironic_29.0.5-0+deb13u1_amd64.buildinfo
Checksums-Sha256:
db41efc3a56d46d30abbbdbcb0c3424d7be6b84ff4839dc5d12978bae5c1030e 4096 ironic_29.0.5-0+deb13u1.dsc
8381a472d7d79dc798a74917bf1cb8eb7795916d952643b64c7f5dc50532e6d9 1892376 ironic_29.0.5.orig.tar.xz
570f08844d5d290994de3ec8fb305929b775ca93d8e02e97dcdfe692b5f6426b 22568 ironic_29.0.5-0+deb13u1.debian.tar.xz
00c8cb0d608501df1bd92e3ae41d64ee106a8c497bbde80c8ed939c3952477df 22929 ironic_29.0.5-0+deb13u1_amd64.buildinfo
Files:
a0094d72c1e6774be76d420cdfca3b6a 4096 net optional ironic_29.0.5-0+deb13u1.dsc
52695995363316a16620272afa449301 1892376 net optional ironic_29.0.5.orig.tar.xz
8182b8b4dcffe3746e649c1d8b3c7582 22568 net optional ironic_29.0.5-0+deb13u1.debian.tar.xz
db660613cdbcfd1134084b10a355ebeb 22929 net optional ironic_29.0.5-0+deb13u1_amd64.buildinfo
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1136655@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 08 Nov 2024 16:10:43 +0100
Source: ironic
Architecture: source
Version: 1:21.4.4-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135898 1136005 1136655 1138842
Changes:
 ironic (1:21.4.4-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream point release. Fixed CVE-2024-44082.
   * CVE-2026-44917: Ironic does not validate the location of
     node.driver_info[pxe_template], allowing a user who can set it to expose
     arbitrary files on an internal Ironic network, such as the servicing,
     provisioning, or cleaning networks. Applied upstream patch:
     - CVE-2026-44917_disable-driver_info-level-pxe_template-override.patch
   * CVE-2026-46447: A user with access to add or modify node.driver_info or
     node.instance_info can create a crafted value to enable iPXE script
     execution during the boot process. Applied upstream patch:
     - CVE-2026-46447_Sanitize-kernel_append_parms.patch
   * CVE-2026-48681: A maliciously crafted ISO image can cause Ironic to perform
     path traversal and overwrite files on a conductor's disk. Applied upstream
     patch:
     - CVE-2026-48681-directory_transversal_ISO9660_support.patch
     (Closes: #1138842)
   * CVE-2026-44919: during image handling, an infinite loop in checksum
     calculations can occur via the file:///dev/zero URL. Add upstream patch:
     move_file_url_validation_up_into_deploy_utils_main_path.patch.
     (Closes: #1136655).
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment with
     the anaconda deploy interface, a node with the anaconda deployment
     interface set by an admin, and a malicious template could result in
     conductor internal data being rendered and, if the infrastructure operator is
     allowing traffic egress for the provisioning network, could have sensitive
     internal data exfiled out of the environment. Applied upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
     (Closes: #1136005).
   * CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
     Endpoints via Ironic’s idrac Configuration molds Feature. Add upstream
     patch validate_molds_url_against_swift_in_keystone_catalog.patch.
     (Closes: #1135898).
   * (build-)depends on python3-oslo.messaging >= 14.0.3-0+deb12u1~.
Checksums-Sha1:
ef3b4ab2cf2baa6dd7a984e6a0d5e8ed1f3c6cd2 4097 ironic_21.4.4-0+deb12u1.dsc
11a01ab37bd81ba31e2ff1d511a5976ca3bf7651 1573012 ironic_21.4.4.orig.tar.xz
1a3c1f5397a9e2e7cfc55e07164fbae634d2d959 62084 ironic_21.4.4-0+deb12u1.debian.tar.xz
ef8ac1f3c346ae4b4414519a0036cef784aed41a 23332 ironic_21.4.4-0+deb12u1_amd64.buildinfo
Checksums-Sha256:
88b7d2c9191e7a7f39ab6827bc60444ea282d17f35bc54ed93ea46744cbb7513 4097 ironic_21.4.4-0+deb12u1.dsc
f7e7a771594958ad0355a27854c69dc5c7404acfb301073da980a1c966b4a65f 1573012 ironic_21.4.4.orig.tar.xz
f576c737e5b0e5bf4793e86db437a2e386980cf2ac3d21193f112f5398105548 62084 ironic_21.4.4-0+deb12u1.debian.tar.xz
65d0fc0dbd1b5a152ce91ee86bd5d061b8170fda7c2fc6fef581ed09f54b936b 23332 ironic_21.4.4-0+deb12u1_amd64.buildinfo
Files:
2ada772091bc2fe503ad7d203651f838 4097 net optional ironic_21.4.4-0+deb12u1.dsc
3dce1b73c9fc5033a096fd30751439f3 1573012 net optional ironic_21.4.4.orig.tar.xz
7317e7acd75445ee1fca9205b16d5928 62084 net optional ironic_21.4.4-0+deb12u1.debian.tar.xz
e603e9e800a4823736cb4f48c03e9bdd 23332 net optional ironic_21.4.4-0+deb12u1_amd64.buildinfo