Your message dated Sun, 24 May 2026 09:02:48 +0000
with message-id <[email protected]>
and subject line Bug#1135255: fixed in ironic 1:21.1.0-3+deb12u1
has caused the Debian Bug report #1135255,
regarding CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI
Console Implementations
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135255: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135255
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ironic
Version: 1:29.0.0-7
Severity: important
Tags: patch
Copying from:
https://security.openstack.org/ossa/OSSA-2026-008.html
Date:
April 27, 2026
CVE:
CVE-2026-42510
Affects
Ironic: >=4.3.0 <26.1.6, >=27.0.0 <29.0.5, >=30.0.0 <32.0.1,
>=33.0.0 <35.0.1
Description
Dmitry Tantsur and Tuomo Tanskanen from the Metal3.io Security Team reported a
vulnerability in Ironic’s IPMI console backends. A project manager for the
project marked as a node.owner can inject arbitrary commands which a conductor
executes on console activation. No console backends are enabled by default in
Ironic. Only installations which have set
[conductor]/enabled_console_interfaces to enable either ipmitool-shellinabox or
ipmitool-socat are vulnerable.
Errata
When the original advisory was published a CVE number was not assigned.
CVE-2026-42510 was assigned on 2026-04-29.
Patches
https://review.opendev.org/c/openstack/ironic/+/986418 (2023.1/antelope
(unmaintained))
https://review.opendev.org/c/openstack/ironic/+/986417 (2024.1/caracal
(unmaintained))
https://review.opendev.org/c/openstack/ironic/+/986363 (2024.2/dalmatian)
https://review.opendev.org/c/openstack/ironic/+/986362 (2025.1/epoxy)
https://review.opendev.org/c/openstack/ironic/+/986361 (2025.2/flamingo)
https://review.opendev.org/c/openstack/ironic/+/986235 (2026.1/gazpacho)
Credits
Dmitry Tantsur from Metal3.io Security Team
Tuomo Tanskanen from Metal3.io Security Team
References
https://launchpad.net/bugs/2148331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42510
Notes
A CVE request was filed with MITRE on 2026-04-27.
Patches for unmaintained branches are provided as a courtesy.
The ipmitool-shellinabox console interface is already scheduled for removal
from Ironic for lack of security support for shellinabox. Security sensitive
operators are strongly encouraged to stop use of this console interface
immediately.
OSSA History
2026-04-29 - Errata 1
2026-04-27 - Original Version
--- End Message ---
--- Begin Message ---
Source: ironic
Source-Version: 1:21.1.0-3+deb12u1
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 30 Apr 2026 10:41:21 +0200
Source: ironic
Architecture: source
Version: 1:21.1.0-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1104964 1135255 1135898 1136005
Changes:
ironic (1:21.1.0-3+deb12u1) bookworm; urgency=medium
.
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
Implementations. Applied upstream patch: "Shell-quote console command
passed to socat" (Closes: #1135255).
* CVE-2025-44021: Ironic fails to restrict paths used for file:// image URLs.
Add upstream patch: OSSA-2025-001_Disallow+unsafe_image_file_paths.patch.
(Closes: #1104964).
* Add qemu-utils as build-depends because of tests from CVE-2025-44021 fix.
* CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
Endpoints via Ironic’s idrac Configuration molds Feature. Add upstream
patch validate_molds_url_against_swift_in_keystone_catalog.patch.
(Closes: #1135898).
* CVE-2026-44916: instance_info['ks_template'] is rendered without
sandboxing. An attacker with sufficient access, an ironic deployment with
the anaconda deploy interface, a node with the anaconda deployment
interface set by an admin, and a malicious template could result in
conductor internal data being rendered and if the infrastucture operator is
allowing traffic egress for the provisioning network, could have sensitive
internal data exfiled out of the environment. Applied upstream patch:
- CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
(Closes: #1136005).
Checksums-Sha1:
f577021f779ba187c53e7587c55d661d75b4c4e9 4074 ironic_21.1.0-3+deb12u1.dsc
214c2f489e716104c829d4b79ee86f171cc1da5e 1505820 ironic_21.1.0.orig.tar.xz
b49b8622e3c5b100f5711f02a3ea92e818f64a5d 25548
ironic_21.1.0-3+deb12u1.debian.tar.xz
f662a9e9f7a53da0547451e19c6d67126ff4b4a9 23321
ironic_21.1.0-3+deb12u1_amd64.buildinfo
Checksums-Sha256:
5dd1185d9990307275ac3b1e1039685d306b76fc2d1f7396d1d340327e5d1fb5 4074
ironic_21.1.0-3+deb12u1.dsc
f1440eb42de5619799844a57b243173fe933b5617d9dc35105c203e85bb5630b 1505820
ironic_21.1.0.orig.tar.xz
52eccb0a97e8a1f631480efab41c0d689904786b8db0e144e9c26daabe00119e 25548
ironic_21.1.0-3+deb12u1.debian.tar.xz
1fb772ee844d62d3396ced6f12b977f0d0950dafff608d65bc20cd142e2f9ebe 23321
ironic_21.1.0-3+deb12u1_amd64.buildinfo
Files:
450d600d31f7a9088633215d0520c481 4074 net optional ironic_21.1.0-3+deb12u1.dsc
f6f9a3db7286ed06e564f6c7fe0643ba 1505820 net optional ironic_21.1.0.orig.tar.xz
81fd7e3ef8fd7e196b567c8dab1eebde 25548 net optional
ironic_21.1.0-3+deb12u1.debian.tar.xz
e7e06518666492caf16df597cdf0f844 23321 net optional
ironic_21.1.0-3+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmoMEkIACgkQ1BatFaxr
Q/7lCA/9Htfvp8BmzviZuSKSPRtE8myylEWyt90k7Ep81Ux/DwDUawRjlAgRf75A
7afcGbMGsawTw607VeW1faeqgPe2NWZhdhwZWF03Z/K1gMSrVk8T2JiGx5PpX6Jk
4Zg7EmycJlIUy3Mv0oJqoD/PkwzhYUmlbQYzR2BSadImTPzMpjOp3TWjLMwqpx2q
uG8m0wk6hWMx+Ff0fNoVQoT8xKTPuHHfUCbT/Fov1OFEm6sfS5/5QAU/njPO2+8Y
knNnp5jF8wBeEFS8BvpPyM6VGBmk2+HtqFLgNCO2sRWw5uRWGSVBFgA7TXkWF08L
uhfCh2pswhd5md+ooffyyRMk8EtBJ4Z6g6oKUAVF+frJM4fqn0Fb9hSDZot+LRKF
egbsfC/Q46hrn7pPw0l0PcdYLcA+Yy11ZI+Xa3I/oyBdWVU7JHrmDFtwsQY+6qI1
QGaUUtj33Wb3ptXD20OzfHDXV/hPPqRCrbGtKfpM7sRA/cP5XskLUmUd7hW6uuY+
aPcEbz4zLbuP2E4lPIU6PwONwrHYyjTfdTRktQufcGRQ8S5IOhy/2i91+ArRb/EZ
lSGBjmFdQZmYRA7cxb7t+Gar124kpF8HiSWr01Mw9FSEkcOYBG7Dt6lIrigQX4aI
vHAizEn1WVdNeduYTJNN1/5sgYHiWYsgmLDzPUsZD+OS0ycK4xw=
=biG9
-----END PGP SIGNATURE-----
pgp3Dfn7VrvS2.pgp
Description: PGP signature
--- End Message ---
