Your message dated Thu, 11 Jun 2026 20:47:06 +0000
with message-id <[email protected]>
and subject line Bug#1138842: fixed in ironic 1:29.0.5-0+deb13u2
has caused the Debian Bug report #1138842,
regarding Multiple vulnerabilities: CVE-2026-46447 CVE-2026-48681 CVE-2026-44917
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138842: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138842
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ironic
Version: 1:29.0.0-7
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Multiple vulnerabilities have been found in Ironic. Details here:
https://security.openstack.org/ossa/OSSA-2026-017.html
https://security.openstack.org/ossa/OSSA-2026-018.html
https://security.openstack.org/ossa/OSSA-2026-019.html
--- End Message ---
--- Begin Message ---
Source: ironic
Source-Version: 1:29.0.5-0+deb13u2
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ironic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 01 Jun 2026 09:59:53 +0200
Source: ironic
Architecture: source
Version: 1:29.0.5-0+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1138842
Changes:
 ironic (1:29.0.5-0+deb13u2) trixie-security; urgency=medium
 .
   * CVE-2026-44917: Ironic does not validate the location of
     node.driver_info[pxe_template], allowing a user who can set it to expose
     arbitrary files on an internal Ironic network, such as the servicing,
     provisioning, or cleaning networks. Applied upstream patch:
     - CVE-2026-44917_disable-driver_info-level-pxe_template-override.patch
   * CVE-2026-46447: A user with access to add or modify node.driver_info or
     node.instance_info can create a crafted value to enable iPXE script
     execution during the boot process. Applied upstream patch:
     - CVE-2026-46447_Sanitize-kernel_append_parms.patch
   * CVE-2026-48681: A maliciously crafted ISO image can cause Ironic to perform
     path traversal and overwrite files on a conductor's disk. Applied upstream
     patch:
     - CVE-2026-48681-directory_transversal_ISO9660_support.patch
     (Closes: #1138842)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---