#1140187 ironic: CVE-2026-43003

Package:
src:ironic
Source:
src:ironic
Submitter:
Salvatore Bonaccorso
Date:
2026-06-18 16:37:03 UTC
Severity:
normal
Tags:
#1140187#5
Date:
2026-05-04 04:57:52 UTC
Hi,

The following vulnerability was published for ironic-python-agent.

CVE-2026-43003[0]:
| An issue was discovered in OpenStack ironic-python-agent 1.0.0
| through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-
| install from within a chroot of the deployed partition image,
| leading to code execution in the case of a malicious image.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-43003
https://www.cve.org/CVERecord?id=CVE-2026-43003
[1] https://bugs.launchpad.net/ironic-python-agent/+bug/2148310

Regards,
Salvatore

#1140187#12
Date:
2026-06-17 04:45:29 UTC
Hi,

According to https://www.openwall.com/lists/oss-security/2026/06/16/11
there is as well a part in ironic to be addressed. So I am cloning this
bug for the src:ironic part as well.

Regards,
Salvatore

#1140187#25
Date:
2026-06-18 13:21:37 UTC
Hello,

Bug #1140187 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/bd34dea42beaaf0c24e0f5e45fd65270288430c3
------------------------------------------------------------------------
* CVE-2026-43003: Command injection via chroot execution of tenant-controlled
    binaries. Add upstream patch: "Add an agent flag to disable installing
    bootloaders" (Closes: #1140187).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140187

#1140187#30
Date:
2026-06-18 16:10:26 UTC
Hello,

Bug #1140187 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/301f26e90413eb19fb9a7732d1ea90b8ead613ae
------------------------------------------------------------------------
* CVE-2026-43003: Command injection via chroot execution of tenant-controlled
    binaries. Add upstream patch: "Add an agent flag to disable installing
    bootloaders" (Closes: #1140187).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140187

#1140187#33
Date:
2026-06-18 16:14:15 UTC
Hello,

Bug #1140187 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/8325982ccb37a1be671bfecdece8580cb1f4d82d
------------------------------------------------------------------------
* CVE-2026-43003 / OSSN-2026-0100: Command injection via chroot execution of
    tenant-controlled binaries. Added upstream patch: "Add an agent flag to
    disable installing bootloaders" (Closes: #1140187).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140187

#1140187#36
Date:
2026-06-18 16:16:46 UTC
Hello,

Bug #1140187 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/582185d0be2ff6bf5c7e262158ac706752f8928a
------------------------------------------------------------------------
* CVE-2026-43003 / OSSN-2026-0100: Command injection via chroot execution of
    tenant-controlled binaries. Added upstream patch: "Add an agent flag to
    disable installing bootloaders" (Closes: #1140187).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140187

#1140187#39
Date:
2026-06-18 16:17:56 UTC
Hello,

Bug #1140187 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/5ef47545f25e1a9c0aea1e9668090adfbf7687c4
------------------------------------------------------------------------
* CVE-2026-43003 / OSSN-2026-0100: Command injection via chroot execution of
    tenant-controlled binaries. Added upstream patch: "Add an agent flag to
    disable installing bootloaders" (Closes: #1140187).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140187

#1140187#42
Date:
2026-06-18 16:20:12 UTC
Hello,

Bug #1140187 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/b70d8274cd34da6b8547bd13d6b731f3b4b61543
------------------------------------------------------------------------
* CVE-2026-43003 / OSSN-2026-0100: Command injection via chroot execution of
    tenant-controlled binaries. Added upstream patch: "Add an agent flag to
    disable installing bootloaders" (Closes: #1140187).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140187

#1140187#45
Date:
2026-06-18 16:21:16 UTC
Hello,

Bug #1140187 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/359b496e144d36a017232914e02eb63b1ccb743b
------------------------------------------------------------------------
* CVE-2026-43003 / OSSN-2026-0100: Command injection via chroot execution of
    tenant-controlled binaries. Added upstream patch: "Add an agent flag to
    disable installing bootloaders" (Closes: #1140187).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140187

#1140187#48
Date:
2026-06-18 16:23:32 UTC
Hello,

Bug #1140187 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/e2a43d92d7f1fc75169817dc57c6c913d7f94ada
------------------------------------------------------------------------
* CVE-2026-43003 / OSSN-2026-0100: Command injection via chroot execution of
    tenant-controlled binaries. Added upstream patch: "Add an agent flag to
    disable installing bootloaders" (Closes: #1140187).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140187

#1140187#51
Date:
2026-06-18 16:24:25 UTC
Hello,

Bug #1140187 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/1a519263ad504213385e0a19fcc4ff50ad439290
------------------------------------------------------------------------
* CVE-2026-43003 / OSSN-2026-0100: Command injection via chroot execution of
    tenant-controlled binaries. Added upstream patch: "Add an agent flag to
    disable installing bootloaders" (Closes: #1140187).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140187

#1140187#54
Date:
2026-06-18 16:30:32 UTC
Hello,

Bug #1140187 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/fea65a3751651e281a8498e7499937b3feab9114
------------------------------------------------------------------------
* CVE-2026-43003 / OSSN-2026-0100: Command injection via chroot execution of
    tenant-controlled binaries. Added upstream patch: "Add an agent flag to
    disable installing bootloaders" (Closes: #1140187).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140187

#1140187#57
Date:
2026-06-18 16:31:37 UTC
Hello,

Bug #1140187 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/0623cb7e2f95330df06d3e376e76a99f92b6ab6c
------------------------------------------------------------------------
* CVE-2026-43003 / OSSN-2026-0100: Command injection via chroot execution of
    tenant-controlled binaries. Added upstream patch: "Add an agent flag to
    disable installing bootloaders" (Closes: #1140187).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140187

#1140187#62
Date:
2026-06-18 16:36:07 UTC
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140187@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 17 Jun 2026 14:24:00 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1140187
Changes:
 ironic (1:35.0.1-7) unstable; urgency=medium
 .
   * CVE-2026-43003: Command injection via chroot execution of tenant-controlled
     binaries. Add upstream patch: "Add an agent flag to disable installing
     bootloaders" (Closes: #1140187).
Checksums-Sha1:
 8e1506bbfd949ab824d73c5d7d37040365e4082a 4063 ironic_35.0.1-7.dsc
 9a121e8ce26e3b036ceee27b02ce2c174b44b9ec 47272 ironic_35.0.1-7.debian.tar.xz
 8ea0c93e7e523b4d6cb3d5a8666759ea8e174604 22757 ironic_35.0.1-7_amd64.buildinfo
Checksums-Sha256:
 9f48c54bc8c1c8d3880bee9b8a184706f16537666afb28360d66d677575f6214 4063 ironic_35.0.1-7.dsc
 1dba85bcceaa2ec6fc35fcb716b15708bb22f40f3a06f5c438c0e7af3ea70e3e 47272 ironic_35.0.1-7.debian.tar.xz
 99869f5399172f2c84df06074e3d95946eb0f663509ffce8aa2f70c4d300dd07 22757 ironic_35.0.1-7_amd64.buildinfo
Files:
 62a140133c20205e70f5c82af00fff18 4063 net optional ironic_35.0.1-7.dsc
 7f45ff7b52d9b8242e616e06a40efb6d 47272 net optional ironic_35.0.1-7.debian.tar.xz
 18ec7b7e000f17981a4e209856b88a0c 22757 net optional ironic_35.0.1-7_amd64.buildinfo