#1140012 ironic: CVE-2026-54421

Package:
src:ironic
Source:
src:ironic
Submitter:
Salvatore Bonaccorso
Date:
2026-06-16 10:07:02 UTC
Severity:
normal
Tags:
#1140012#5
Date:
2026-06-14 18:53:59 UTC
From:
To:
Hi,

The following vulnerability was published for ironic.

CVE-2026-54421[0]:
| In OpenStack Ironic through 35.0.1, when applying a PATCH to update
| fields in volume properties the user is authorized for, Ironic can
| return unredacted sensitive information (such as iSCSI credentials).
| The PATCH outcome is a security issue; the POST outcome is not a
| security issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54421
https://www.cve.org/CVERecord?id=CVE-2026-54421
[1] https://bugs.launchpad.net/ironic/+bug/2155049

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

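An added illustration of the response-redaction problem the CVE text describes, not code from ironic or the Debian package: a helper that masks secret volume-target properties, applied on the fixed PATCH path and skipped on the vulnerable one. The property key names, the stored record and the `******` mask are assumptions for the example.

```python
from copy import deepcopy

# Property keys treated as secrets.  These names are assumptions for the
# example; ironic's real list of masked keys lives in its own code base.
SENSITIVE_KEYS = frozenset({"auth_username", "auth_password",
                            "target_username", "target_password", "chap_secret"})
REDACTED = "******"


def redact_properties(volume_target: dict) -> dict:
    """Return a copy of a volume-target record with secret property values masked."""
    out = deepcopy(volume_target)
    props = out.get("properties") or {}
    out["properties"] = {k: (REDACTED if k in SENSITIVE_KEYS else v)
                         for k, v in props.items()}
    return out


def leaks_secrets(response: dict) -> bool:
    """True if any sensitive property in an API response is still unmasked."""
    props = response.get("properties") or {}
    return any(k in SENSITIVE_KEYS and v != REDACTED for k, v in props.items())


# Constructed stand-in for a stored iSCSI volume target (sample data only).
STORED_TARGET = {
    "uuid": "00000000-0000-0000-0000-000000000001",
    "volume_type": "iscsi",
    "properties": {
        "target_iqn": "iqn.2026-06.example:target0",
        "target_portal": "198.51.100.10:3260",
        "auth_username": "initiator",
        "auth_password": "constructed-secret",
    },
}


def patch_response_vulnerable(stored: dict, patch: dict) -> dict:
    # Buggy pattern: apply the PATCH, then return the raw updated record,
    # so the iSCSI credentials go back to the caller in clear text.
    updated = deepcopy(stored)
    updated["properties"].update(patch)
    return updated


def patch_response_fixed(stored: dict, patch: dict) -> dict:
    # Fixed pattern: every response path, PATCH included, passes through
    # the same redaction step before the record is serialised.
    updated = deepcopy(stored)
    updated["properties"].update(patch)
    return redact_properties(updated)
```

`leaks_secrets` is the kind of check a regression test can run over every API response path so that a new handler cannot reintroduce the leak.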
#1140012#8
Date:
2026-06-16 09:43:08 UTC
From:
To:
Hello,

Bug #1140012 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/a0d931dcb05deb650688d7832e8e56fd56c33d00
------------------------------------------------------------------------
* CVE-2026-54421: Sensitive properties returned unredacted in POST and PATCH
    HTTP responses. Added upstream patch: "Fix sensitive properties returned on
    volume targets" (Closes: #1140012).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140012

#1140012#13
Date:
2026-06-16 09:50:21 UTC
From:
To:
Hello,

Bug #1140012 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/aa979347975eaaaf12b5a1364257dd7478013a4b
------------------------------------------------------------------------
* CVE-2026-54421: Sensitive properties returned unredacted in POST and PATCH
    HTTP responses. Added upstream patch: "Fix sensitive properties returned on
    volume targets" (Closes: #1140012).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140012

#1140012#16
Date:
2026-06-16 09:55:02 UTC
From:
To:
Hello,

Bug #1140012 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/3d1c7cbea73564f869df4d705db3fb0f4e98c68c
------------------------------------------------------------------------
* CVE-2026-54421: Sensitive properties returned unredacted in POST and PATCH
    HTTP responses. Added upstream patch: "Fix sensitive properties returned on
    volume targets" (Closes: #1140012).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140012

#1140012#19
Date:
2026-06-16 10:01:56 UTC
From:
To:
Hello,

Bug #1140012 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/9ebdd976c179edbca60041a967c2babf11bbe12a
------------------------------------------------------------------------
* Add follow-up patch for CVE-2026-46447 (erata1): "Fix kernel parameter
    parsing for quoted values and whitespace".
  * CVE-2026-54421: Sensitive properties returned unredacted in POST and PATCH
    HTTP responses. Added upstream patch: "Fix sensitive properties returned on
    volume targets" (Closes: #1140012).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140012

#1140012#24
Date:
2026-06-16 10:05:25 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140012@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 16 Jun 2026 11:13:40 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1140012
Changes:
 ironic (1:35.0.1-6) unstable; urgency=medium
 .
   * Add follow-up patch for CVE-2026-46447 (erata1): "Fix kernel parameter
     parsing for quoted values and whitespace".
   * CVE-2026-54421: Sensitive properties returned unredacted in POST and PATCH
     HTTP responses. Added upstream patch: "Fix sensitive properties returned on
     volume targets" (Closes: #1140012).
Checksums-Sha1:
 129336881ede327afc1fa88a368ae4a83c10f34f 4063 ironic_35.0.1-6.dsc
 4fd3e905a82f51db3c10c001c90f37a930e1573f 46184 ironic_35.0.1-6.debian.tar.xz
 5b64a1a1e0c86fe8e2043779813481e5740c8022 22754 ironic_35.0.1-6_amd64.buildinfo
Checksums-Sha256:
 db25ddbcc78511151d49a43c3a5b53937098de6ee50695ec9e6c2f9000bf9286 4063 ironic_35.0.1-6.dsc
 5cbe52535db7602be80dfc13e1ca28f9b2330451e27f958029ac40b9e2f6294c 46184 ironic_35.0.1-6.debian.tar.xz
 e315a505319de2ccbe6c0ccbc143705658da0ceb56649fc08354c7b197386fbc 22754 ironic_35.0.1-6_amd64.buildinfo
Files:
 57efa7e1cd03e31c060b7319e12c0de7 4063 net optional ironic_35.0.1-6.dsc
 de3810b9d5f2ae43570d08e86eb3c74b 46184 net optional ironic_35.0.1-6.debian.tar.xz
 684d3bfc29a33fa59b1c723eabe73d6f 22754 net optional ironic_35.0.1-6_amd64.buildinfo