Your message dated Thu, 09 Jul 2026 12:34:29 +0000
with message-id <[email protected]>
and subject line Bug#1141716: fixed in ironic 1:35.0.1-8
has caused the Debian Bug report #1141716,
regarding CVE-2026-44918 / OSSA-2026-026: Insufficient Access Controls in 
Ironic regarding Parent/Child Nodes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141716
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ironic
Severity: grave
Tags: patch

As per upstream announce at:
https://security.openstack.org/ossa/OSSA-2026-026.html

Date:
    July 08, 2026
CVE:
    CVE-2026-44918

Affects:
    Ironic: >=27.0.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2, >=36.0.0 
<37.0.1

Description:
Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology)
from the Metal3.io Security Team reported a vulnerability in Ironic’s access
control code.

This OSSA represents multiple related vulnerabilities in Ironic RBAC. An
authenticated project manager can change the node associated with Volume
Connectors or Volume Target objects, potentially changing the project
permitted to access the object. Volume Connectors contain secrets in
environments configuring boot from volume with iSCSI volumes. This is tracked
as bug #2150256.

Objects reparented in this manner cannot be detected via inspection of the
data. Operators who are concerned they may have had this occur are encouraged
to perform a basic audit of node configuration, for instance, insuring the
expected number of volume targets, and volume connectors are present.

Additionally, a project manager with the ability to create nodes can use the
UUID of a node not owned by their project as a parent node when creating a
new node. This mismatched child node can then be used to impact operations on
the parent, such as forcing it to power on. This is tracked as bug #2150450.

Ironic now specifically checks, and requires node parents and children to have
matching node.owner values. This patch contains an enhancement to Ironic’s
upgrade check to detect this mismatched state. Operators can use the provided
ironic-status upgrade check to identify misconfigured nodes.

Patches
    https://review.opendev.org/c/openstack/ironic/+/996479 (2024.1/caracal 
(unmaintained))
    https://review.opendev.org/c/openstack/ironic/+/996478 (2025.1/epoxy)
    https://review.opendev.org/c/openstack/ironic/+/996476 (2025.2/flamingo)
    https://review.opendev.org/c/openstack/ironic/+/996469 (2026.1/gazpacho)
    https://review.opendev.org/c/openstack/ironic/+/996462 (2026.2/hibiscus)
    https://review.opendev.org/c/openstack/ironic/+/996474 (Bugfix/33.0)
    https://review.opendev.org/c/openstack/ironic/+/996471 (Bugfix/34.0)
    https://review.opendev.org/c/openstack/ironic/+/996464 (Bugfix/37.0)

Credits
    Dmitry Tantsur from Red Hat
    Tuomo Tanskanen from Ericsson Software Technology

References
    https://bugs.launchpad.net/ironic/+bug/2150256
    https://bugs.launchpad.net/ironic/+bug/2150450
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44918

Notes
    Volume Targets and Volume Connectors only contain sensitive information in
environments utilizing boot-from-volume with iSCSI volumes.

    These patches also contain hardening logic to prevent this class of
vulnerability in Port and Portgroup objects. This is a defense in depth
measure to provide consistent errors at the API level for invalid data.

    Branch 2024.1/caracal is unmaintained and patches are provided as a
courtesy.

    Bugfix branches will recieve patches in git but will not recieve a updated
release.

--- End Message ---
--- Begin Message ---
Source: ironic
Source-Version: 1:35.0.1-8
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 26 Jun 2026 11:18:54 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-8
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1141716 1141717
Changes:
 ironic (1:35.0.1-8) unstable; urgency=high
 .
   * CVE-2026-44918: multiple related vulnerabilities in Ironic RBAC. An
     authenticated project manager can change the node associated with Volume
     Connectors or Volume Target objects, potentially changing the project
     permitted to access the object. Volume Connectors contain secrets in
     environments configuring boot from volume with iSCSI volumes. Applied
     upstream patch: "Prevent rehoming resources to nodes with different owner".
     (Closes: #1141716).
   * CVE-2026-54423: A malicious user with access to deploy a node directly via
     Ironic can specify the IPMI `send_raw` deployment step with a malicious
     payload and send commands to that nodes' BMC. Applied upstream patches:
     - Add operator-configurable step disallow lists
     - block vendor.send_raw
     (Closes: #1141717).
Checksums-Sha1:
 7b32af2af84e570b70b714d11966b2f0755a01c0 4063 ironic_35.0.1-8.dsc
 ba0c2c412bc91c9a076bd71b429dfb0f96cc916e 59472 ironic_35.0.1-8.debian.tar.xz
 133f3cd34757667cc3781d330df9f3e0d7763a35 23030 ironic_35.0.1-8_amd64.buildinfo
Checksums-Sha256:
 ffe07659d7ae7193d24021f758a7ad5a3a8f598627b9e121b62ee17ce10fa016 4063 
ironic_35.0.1-8.dsc
 a06daa131052abd9194116f74e5a67a4cfa26dbda943ee408a53bd17be138cde 59472 
ironic_35.0.1-8.debian.tar.xz
 e963d695d01d3ff3e76e415974a1a80ad32b852f7b36e46d2b03e66ae83f2839 23030 
ironic_35.0.1-8_amd64.buildinfo
Files:
 4b8f52a196bbdc9f895deb5e096beaaa 4063 net optional ironic_35.0.1-8.dsc
 89ee0b1b51188f2e32be1de035b98273 59472 net optional 
ironic_35.0.1-8.debian.tar.xz
 7741b488f2e1025d378a5a12783f778e 23030 net optional 
ironic_35.0.1-8_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmpPjo8ACgkQ1BatFaxr
Q/7plRAAjjBaOmsvZKAzjV23s41IpHh5SMU9jW2lIBM8XMshMOfaYMtNxrsIe1Q7
xSqixPHxMwhga3Gmwde9sB4qUYpChr7DYnw5W9PhkEQnpyuGcSijL+1dKoEgD/hJ
MEc8zM9FNaqxgZshG+EPS/NDUzq1KoEDSTuFeobJSfLIIAWtQbjWpdR+uc4zXQ+L
2GdqYX38on2abO21Jz2JtYRt8t8vex9+JQsBfVk2PmtTrFII7LZK5O2d9NEk+/qv
bFHdk11qZCkNGJ62YHMGn/1VNWxbJDWx2zcLIC02GWK3OzTV6Y8/Ej0A2OMjwdtG
s1fKQjPT/NY6m/5pulxEidtN0pdDq3HH6VG00Fi7yrYnofajXVHuds5ZWDJroHei
Hr20hPkowOoWtSm1vsbSeD2J3tEUVZ5iRZAf3VYHIalSYRrjxlAp+IZZI4oTgYnu
g3jHCuMqT6weLTQ63gAGxPnrug7wIWTXxHM2XfFehZvjUTbepPM0RAGzYYVsDu+r
wRTEitHzlnw5y+TnhsQDNZdJrjamX74LlofUirbcxInXW/mVmZHzv5ZC9p1KvFQ5
XyShzpl4uRfZkrt35f69pskslGoB2i5J2HGq342bea5pVCVF/Xh+FwTtEbhCcVSK
yEg8zPkXfU06wMFtzd9bBTF5YZQ2nKEUtjY9rqz/UUJbfNnYknw=
=A1ji
-----END PGP SIGNATURE-----

Attachment: pgp1Ng3sqcne4.pgp
Description: PGP signature


--- End Message ---

Reply via email to