Control: tag -1 pending Hello,
Bug #1141716 in ironic reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/openstack-team/services/ironic/-/commit/5229538f393abe62b3664a71af3dda69030ca6e9 ------------------------------------------------------------------------ * CVE-2026-44918: multiple related vulnerabilities in Ironic RBAC. An authenticated project manager can change the node associated with Volume Connectors or Volume Target objects, potentially changing the project permitted to access the object. Volume Connectors contain secrets in environments configuring boot from volume with iSCSI volumes. Applied upstream patch: "Prevent rehoming resources to nodes with different owner". (Closes: #1141716). * CVE-2026-54423: A malicious user with access to deploy a node directly via Ironic can specify the IPMI `send_raw` deployment step with a malicious payload and send commands to that nodes' BMC. Applied upstream patches: - Add operator-configurable step disallow lists - block vendor.send_raw (Closes: #1141717). ------------------------------------------------------------------------ (this message was generated automatically) -- Greetings https://bugs.debian.org/1141716

