Your message dated Thu, 07 May 2026 09:08:30 +0000
with message-id <[email protected]>
and subject line Bug#1135898: fixed in ironic 1:35.0.1-1
has caused the Debian Bug report #1135898,
regarding CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary Endpoints via Ironic’s idrac Configuration molds Feature
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135898: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135898
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ironic
Version: 1:29.0.0-7
Severity: serious
Tags: patch
Copying here text from https://security.openstack.org/ossa/OSSA-2026-010.html:
Date: May 05, 2026
CVE: CVE-2026-42997
Affects Ironic: >=17.0.0 <26.1.6, >=27.0.0 <29.0.5, >=30.0.0 <32.0.1, >=33.0.0 <35.0.1
Description:
Dmitry Tantsur and Tuomo Tanskanen from the Metal3.io Security Team reported a
vulnerability in Ironic’s configuration mold import code for idrac. When
importing a configuration mold, a user invoking molds can request
authorization to be sent to a remote endpoint. The credential forwarded is a
time-limited Keystone token (which provides access to all OpenStack services
Ironic is authorized for), or the basic credentials configured for molds storage.
Operators choose the URL and the attacker has to already be authenticated with
permissions to execute clean/deploy steps, but the arbitrary URL for the
authorization request is user-controlled and not validated by Ironic.
Patches:
https://review.opendev.org/c/openstack/ironic/+/986817 (2023.1/antelope (unmaintained))
https://review.opendev.org/c/openstack/ironic/+/986816 (2024.1/caracal (unmaintained))
https://review.opendev.org/c/openstack/ironic/+/986815 (2024.2/dalmatian)
https://review.opendev.org/c/openstack/ironic/+/986767 (2025.1/epoxy)
https://review.opendev.org/c/openstack/ironic/+/986737 (2025.2/flamingo)
https://review.opendev.org/c/openstack/ironic/+/986725 (2026.1/gazpacho)
Credits:
Dmitry Tantsur from Metal3.io Security Team
Tuomo Tanskanen from Metal3.io Security Team
References:
https://bugs.launchpad.net/ironic/+bug/2148317
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42997
Notes:
The molds feature was deprecated in the 2024.1 (Caracal) release and has
been removed during development of the 2026.2 (Hibiscus) release.
--- End Message ---
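The advisory's core point is that a URL supplied by the user of the molds feature reaches the outbound HTTP client together with an operator-held credential, and nothing in between checks that the URL belongs to the operator's configured molds storage. The following is an added example, not Ironic's own code or the upstream fix: it shows the shape of the missing check, an operator allowlist of host:port targets consulted before a Keystone token (sent as the standard X-Auth-Token header) is attached to the request. The names normalize_allowlist, validate_mold_url, mold_url_allowed, prepare_mold_request and the allowlist contents are hypothetical; the sample URLs are constructed.

```python
# Added example (not Ironic's code or the upstream patch): an operator
# allowlist consulted before a service credential is attached to a
# user-supplied mold URL. All names below are hypothetical.
from urllib.parse import urlsplit


class MoldUrlRejected(ValueError):
    """Raised when a mold URL must not receive the service credential."""


def normalize_allowlist(entries):
    """Turn operator entries such as 'molds.example.com' or
    'backup.example.com:8443' into a frozenset of lowercase 'host:port'
    strings (default port 443). Bracketed IPv6 literals are not handled."""
    out = set()
    for entry in entries:
        host, sep, port = entry.strip().lower().rpartition(":")
        if not sep:                      # no explicit port given
            host, port = port, "443"
        out.add(f"{host}:{port}")
    return frozenset(out)


def validate_mold_url(url, allowed):
    """Return url unchanged if it may receive the credential, else raise.

    Checks, in order: https only, no userinfo (which would let
    'https://trusted@attacker/' pass a naive host comparison), a parseable
    port, and an exact host:port match against the operator allowlist.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise MoldUrlRejected("only https mold endpoints may receive credentials")
    if parts.username is not None or parts.password is not None:
        raise MoldUrlRejected("userinfo in a mold URL is not allowed")
    try:
        port = parts.port                # ValueError on a non-numeric port
    except ValueError as exc:
        raise MoldUrlRejected("invalid port in mold URL") from exc
    host = parts.hostname                # already lowercased by urlsplit
    if not host:
        raise MoldUrlRejected("mold URL has no host")
    target = f"{host}:{port or 443}"
    if target not in allowed:
        raise MoldUrlRejected(f"{target} is not an operator-approved mold endpoint")
    return url


def mold_url_allowed(url, allowed):
    """Boolean convenience wrapper around validate_mold_url."""
    try:
        validate_mold_url(url, allowed)
    except MoldUrlRejected:
        return False
    return True


def prepare_mold_request(url, allowed, token):
    """Build (url, headers) for the outbound fetch. The token is only
    attached after the URL has passed the allowlist check."""
    validate_mold_url(url, allowed)
    return url, {"X-Auth-Token": token}


# Constructed stand-in for operator configuration.
MOLD_ALLOWED_HOSTS = normalize_allowlist(["molds.example.com", "Backup.Example.Com:8443"])

if __name__ == "__main__":
    for candidate in (
        "https://molds.example.com/idrac/cfg.json",
        "http://molds.example.com/idrac/cfg.json",
        "https://[email protected]/cfg.json",
        "https://molds.example.com.attacker.example.net/cfg.json",
    ):
        print(candidate, "->", "allowed" if mold_url_allowed(candidate, MOLD_ALLOWED_HOSTS) else "rejected")
```

The check compares host and port exactly rather than by suffix, so a lookalike such as molds.example.com.attacker.example.net is rejected, and the userinfo test closes the classic `trusted@attacker` bypass. In a real deployment the allowlist would come from operator configuration, and a rejection is worth logging with the requesting user and the offending host so that probing of the feature shows up in audit data.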
--- Begin Message ---
Source: ironic
Source-Version: 1:35.0.1-1
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 07 May 2026 10:01:20 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1135898
Changes:
ironic (1:35.0.1-1) unstable; urgency=high
.
* New upstream release. Include fix for CVE-2026-42997 / OSSA-2026-010:
Credential Forwarding to Arbitrary Endpoints via Ironic’s idrac
Configuration molds Feature (Closes: #1135898).
* Removed patch applied upstream:
- CVE-2026-42510_Shell-quote_console_command_passed_to_socat.patch
Checksums-Sha1:
38e95bf4561503d09d1d94f52958eca12ad21650 4063 ironic_35.0.1-1.dsc
085f47208b8f6e53b384b2fdc821af19a34113d4 2145772 ironic_35.0.1.orig.tar.xz
a9d2d811f93a7848bd9aa6319e87704a9c19ae59 18880 ironic_35.0.1-1.debian.tar.xz
b83637454ffc93d919bf3e8c721c84ebd22edbcd 22745 ironic_35.0.1-1_amd64.buildinfo
Checksums-Sha256:
27a6ca152055567981c39bbb8cef93a3c1df5933dabce4e1b588b1cba274f238 4063 ironic_35.0.1-1.dsc
fbb91f1171db0a336d74ddf011efa76980b857c4f4cf91a9e83a15f4d396e76c 2145772 ironic_35.0.1.orig.tar.xz
237d3683994fbeaaaec1272750b481bf4999e0c7a96ea9ba5c68169846778eb8 18880 ironic_35.0.1-1.debian.tar.xz
cbf808c68696df816038f0bc01848a73743ae389be962c51cec1d78f742433ee 22745 ironic_35.0.1-1_amd64.buildinfo
Files:
9ca34c37c61890f8e24ae9d439ce2eeb 4063 net optional ironic_35.0.1-1.dsc
75fd681e991e3ee07dccd53dfc01246d 2145772 net optional ironic_35.0.1.orig.tar.xz
6ec43f2148dd440c118fcb75c422b2f6 18880 net optional ironic_35.0.1-1.debian.tar.xz
42a4058b2beae028f03ad332d267ccc9 22745 net optional ironic_35.0.1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---