Your message dated Tue, 16 Jun 2026 10:05:25 +0000
with message-id <[email protected]>
and subject line Bug#1140012: fixed in ironic 1:35.0.1-6
has caused the Debian Bug report #1140012,
regarding ironic: CVE-2026-54421
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140012: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140012
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ironic
Version: 1:35.0.1-5
Severity: important
Tags: security upstream
Forwarded: https://bugs.launchpad.net/ironic/+bug/2155049
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ironic.
CVE-2026-54421[0]:
| In OpenStack Ironic through 35.0.1, when applying a PATCH to update
| fields in volume properties the user is authorized for, Ironic can
| return unredacted sensitive information (such as iSCSI credentials).
| The PATCH outcome is a security issue; the POST outcome is not a
| security issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-54421
https://www.cve.org/CVERecord?id=CVE-2026-54421
[1] https://bugs.launchpad.net/ironic/+bug/2155049
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ironic
Source-Version: 1:35.0.1-6
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 16 Jun 2026 11:13:40 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1140012
Changes:
ironic (1:35.0.1-6) unstable; urgency=medium
.
* Add follow-up patch for CVE-2026-46447 (erata1): "Fix kernel parameter
parsing for quoted values and whitespace".
* CVE-2026-54421: Sensitive properties returned unredacted in POST and PATCH
HTTP responses. Added upstream patch: "Fix sensitive properties returned on
volume targets" (Closes: #1140012).
Checksums-Sha1:
129336881ede327afc1fa88a368ae4a83c10f34f 4063 ironic_35.0.1-6.dsc
4fd3e905a82f51db3c10c001c90f37a930e1573f 46184 ironic_35.0.1-6.debian.tar.xz
5b64a1a1e0c86fe8e2043779813481e5740c8022 22754 ironic_35.0.1-6_amd64.buildinfo
Checksums-Sha256:
db25ddbcc78511151d49a43c3a5b53937098de6ee50695ec9e6c2f9000bf9286 4063 ironic_35.0.1-6.dsc
5cbe52535db7602be80dfc13e1ca28f9b2330451e27f958029ac40b9e2f6294c 46184 ironic_35.0.1-6.debian.tar.xz
e315a505319de2ccbe6c0ccbc143705658da0ceb56649fc08354c7b197386fbc 22754 ironic_35.0.1-6_amd64.buildinfo
Files:
57efa7e1cd03e31c060b7319e12c0de7 4063 net optional ironic_35.0.1-6.dsc
de3810b9d5f2ae43570d08e86eb3c74b 46184 net optional ironic_35.0.1-6.debian.tar.xz
684d3bfc29a33fa59b1c723eabe73d6f 22754 net optional ironic_35.0.1-6_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---