Your message dated Fri, 15 May 2026 23:04:43 +0000
with message-id <[email protected]>
and subject line Bug#1136655: fixed in ironic 1:35.0.1-3
has caused the Debian Bug report #1136655,
regarding ironic: CVE-2026-44919
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136655: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136655
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ironic
Version: 1:35.0.1-2
Severity: important
Tags: security upstream
Forwarded: https://bugs.launchpad.net/ironic/+bug/2150332
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ironic.
CVE-2026-44919[0]:
| In OpenStack Ironic through 35.x before a3f6d73, during image
| handling, an infinite loop in checksum calculations can occur via
| the file:///dev/zero URL.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-44919
https://www.cve.org/CVERecord?id=CVE-2026-44919
[1] https://bugs.launchpad.net/ironic/+bug/2150332
[2] https://opendev.org/openstack/ironic/commit/a3f6d735ac3642ab95b49142c7305f072ae748d0
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
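A defensive sketch of the failure mode named in the CVE description above, added here as an example; it is not Ironic's code and not the upstream patch. The names `checksum_file_url` and `UnsafeImageSource` and the 64 MiB cap are assumptions made for illustration.

```python
import hashlib
import os
import stat
from urllib.parse import unquote, urlparse

MAX_IMAGE_BYTES = 64 * 1024 * 1024  # assumed cap, chosen for this example only


class UnsafeImageSource(ValueError):
    """Raised when a file:// URL must not be read for checksumming."""


def checksum_file_url(url, algo="sha256", max_bytes=MAX_IMAGE_BYTES):
    """Hash the target of a file:// URL, refusing endless or oversized sources."""
    parsed = urlparse(url)
    if parsed.scheme != "file" or parsed.netloc not in ("", "localhost"):
        raise UnsafeImageSource("not a local file URL: %r" % url)
    path = os.path.realpath(unquote(parsed.path))
    # O_NONBLOCK keeps open() from hanging on a FIFO; regular files ignore it.
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)  # inspect the opened descriptor, not the path
        if not stat.S_ISREG(st.st_mode):
            # /dev/zero is a character device: read() never reports EOF,
            # so an unguarded hashing loop over it never terminates.
            raise UnsafeImageSource("not a regular file: %s" % path)
        if st.st_size > max_bytes:
            raise UnsafeImageSource("file larger than %d bytes" % max_bytes)
        digest, seen = hashlib.new(algo), 0
        while True:
            chunk = os.read(fd, 1024 * 1024)
            if not chunk:
                return digest.hexdigest()
            seen += len(chunk)
            if seen > max_bytes:  # file grew after fstat(); still bounded
                raise UnsafeImageSource("read exceeded %d bytes" % max_bytes)
            digest.update(chunk)
    finally:
        os.close(fd)
```

The file-type check alone stops the `/dev/zero` case; the byte budget additionally bounds the loop for a regular file that grows while it is being read.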
--- Begin Message ---
Source: ironic
Source-Version: 1:35.0.1-3
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 16 May 2026 00:38:22 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1136655
Changes:
ironic (1:35.0.1-3) unstable; urgency=medium
.
* CVE-2026-44919: during image handling, an infinite loop in checksum
calculations can occur via the file:///dev/zero URL. Add upstream patch:
move_file_url_validation_up_into_deploy_utils_main_path.patch.
(Closes: #1136655).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---