Your message dated Thu, 07 May 2026 09:08:30 +0000
with message-id <[email protected]>
and subject line Bug#1135898: fixed in ironic 1:35.0.1-1
has caused the Debian Bug report #1135898,
regarding ironic: CVE-2026-42997
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
1135898: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135898
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ironic
Version: 1:35.0.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ironic.

CVE-2026-42997[0]:
| An issue was discovered in idrac in OpenStack Ironic before 35.0.1.
| During import, a user invoking molds can request authorization to be
| sent to a remote endpoint. The credential forwarded is a time-
| limited Keystone token (which provides access to all OpenStack
| services Ironic is authorized for); or basic credentials configured
| for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1,
| and 35.0.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42997
    https://www.cve.org/CVERecord?id=CVE-2026-42997
[1] https://www.openwall.com/lists/oss-security/2026/05/05/10

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ironic
Source-Version: 1:35.0.1-1
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 07 May 2026 10:01:20 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1135898
Changes:
 ironic (1:35.0.1-1) unstable; urgency=high
 .
   * New upstream release. Include fix for CVE-2026-42997 / OSSA-2026-010:
     Credential Forwarding to Arbitrary Endpoints via Ironic’s idrac
     Configuration molds Feature (Closes: #1135898).
   * Removed patch applied upstream:
     - CVE-2026-42510_Shell-quote_console_command_passed_to_socat.patch
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---