Your message dated Thu, 09 Jul 2026 12:34:29 +0000
with message-id <[email protected]>
and subject line Bug#1141717: fixed in ironic 1:35.0.1-8
has caused the Debian Bug report #1141717,
regarding CVE-2026-54423 / OSSA-2026-025: RBAC Bypass in IPMI Raw Command 
Execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141717: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141717
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ironic
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>

As per upstream announce at:
https://security.openstack.org/ossa/OSSA-2026-025.html


Date:
    July 08, 2026
CVE:
    CVE-2026-54423

Affects
    Ironic: >=22.1.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2, >=36.0.0 
<37.0.1

Description
Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology) of
the Metal3.io Security Team descovered a vulnerability around IPMI
management_interface. A malicious user with access to deploy a node directly
via Ironic can specify the IPMI send_raw deployment step with a malicious
payload and send commands to that nodes’ BMC. IPMI send_raw capability is
exposed multiple ways, including via our VendorPassthru interfaces (restricted
to system admin) and other step based flows such as cleaning or servicing.
This also means any malicious user with the ability to initate manual cleaning
and servicing flows with arbitrary steps can also execute this vulnerability.
Operators can fix this issue by applying the provided patches which apply a
blocklist forbidding use of the IPMI send_raw functionality in certain
provisioning methods. Clouds currently using IPMI send_raw functionality
should carefully review the behavior changes in the provided patches to ensure
their workflows are not broken.

Patches
    https://review.opendev.org/c/openstack/ironic/+/996477 (2025.1/epoxy)
    https://review.opendev.org/c/openstack/ironic/+/992732 (2025.1/epoxy)
    https://review.opendev.org/c/openstack/ironic/+/996475 (2025.2/flamingo)
    https://review.opendev.org/c/openstack/ironic/+/992719 (2025.2/flamingo)
    https://review.opendev.org/c/openstack/ironic/+/996466 (2026.1/gazpacho)
    https://review.opendev.org/c/openstack/ironic/+/992516 (2026.1/gazpacho)
    https://review.opendev.org/c/openstack/ironic/+/996461 (2026.2/hibiscus 
(development))
    https://review.opendev.org/c/openstack/ironic/+/989017 (2026.2/hibiscus 
(development))
    https://review.opendev.org/c/openstack/ironic/+/996473 (Bugfix/33.0)
    https://review.opendev.org/c/openstack/ironic/+/992718 (Bugfix/33.0)
    https://review.opendev.org/c/openstack/ironic/+/996470 (Bugfix/34.0)
    https://review.opendev.org/c/openstack/ironic/+/992717 (Bugfix/34.0)
    https://review.opendev.org/c/openstack/ironic/+/996463 (Bugfix/37.0)

    The prerequisite patch was merged before bugfix/37.0 was tagged.
(Bugfix/37.0)

Credits
    Dmitry Tantsur from Red Hat
    Tuomo Tanskanen from Ericcson Software Technology

References
    https://bugs.launchpad.net/ironic/+bug/2150458
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-54423

Notes
    Ironic bugfix branch patches will be available in git for interested
operators. We will not perform an additional release from these branches.

--- End Message ---
--- Begin Message ---
Source: ironic
Source-Version: 1:35.0.1-8
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 26 Jun 2026 11:18:54 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-8
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1141716 1141717
Changes:
 ironic (1:35.0.1-8) unstable; urgency=high
 .
   * CVE-2026-44918: multiple related vulnerabilities in Ironic RBAC. An
     authenticated project manager can change the node associated with Volume
     Connectors or Volume Target objects, potentially changing the project
     permitted to access the object. Volume Connectors contain secrets in
     environments configuring boot from volume with iSCSI volumes. Applied
     upstream patch: "Prevent rehoming resources to nodes with different owner".
     (Closes: #1141716).
   * CVE-2026-54423: A malicious user with access to deploy a node directly via
     Ironic can specify the IPMI `send_raw` deployment step with a malicious
     payload and send commands to that nodes' BMC. Applied upstream patches:
     - Add operator-configurable step disallow lists
     - block vendor.send_raw
     (Closes: #1141717).
Checksums-Sha1:
 7b32af2af84e570b70b714d11966b2f0755a01c0 4063 ironic_35.0.1-8.dsc
 ba0c2c412bc91c9a076bd71b429dfb0f96cc916e 59472 ironic_35.0.1-8.debian.tar.xz
 133f3cd34757667cc3781d330df9f3e0d7763a35 23030 ironic_35.0.1-8_amd64.buildinfo
Checksums-Sha256:
 ffe07659d7ae7193d24021f758a7ad5a3a8f598627b9e121b62ee17ce10fa016 4063 
ironic_35.0.1-8.dsc
 a06daa131052abd9194116f74e5a67a4cfa26dbda943ee408a53bd17be138cde 59472 
ironic_35.0.1-8.debian.tar.xz
 e963d695d01d3ff3e76e415974a1a80ad32b852f7b36e46d2b03e66ae83f2839 23030 
ironic_35.0.1-8_amd64.buildinfo
Files:
 4b8f52a196bbdc9f895deb5e096beaaa 4063 net optional ironic_35.0.1-8.dsc
 89ee0b1b51188f2e32be1de035b98273 59472 net optional 
ironic_35.0.1-8.debian.tar.xz
 7741b488f2e1025d378a5a12783f778e 23030 net optional 
ironic_35.0.1-8_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmpPjo8ACgkQ1BatFaxr
Q/7plRAAjjBaOmsvZKAzjV23s41IpHh5SMU9jW2lIBM8XMshMOfaYMtNxrsIe1Q7
xSqixPHxMwhga3Gmwde9sB4qUYpChr7DYnw5W9PhkEQnpyuGcSijL+1dKoEgD/hJ
MEc8zM9FNaqxgZshG+EPS/NDUzq1KoEDSTuFeobJSfLIIAWtQbjWpdR+uc4zXQ+L
2GdqYX38on2abO21Jz2JtYRt8t8vex9+JQsBfVk2PmtTrFII7LZK5O2d9NEk+/qv
bFHdk11qZCkNGJ62YHMGn/1VNWxbJDWx2zcLIC02GWK3OzTV6Y8/Ej0A2OMjwdtG
s1fKQjPT/NY6m/5pulxEidtN0pdDq3HH6VG00Fi7yrYnofajXVHuds5ZWDJroHei
Hr20hPkowOoWtSm1vsbSeD2J3tEUVZ5iRZAf3VYHIalSYRrjxlAp+IZZI4oTgYnu
g3jHCuMqT6weLTQ63gAGxPnrug7wIWTXxHM2XfFehZvjUTbepPM0RAGzYYVsDu+r
wRTEitHzlnw5y+TnhsQDNZdJrjamX74LlofUirbcxInXW/mVmZHzv5ZC9p1KvFQ5
XyShzpl4uRfZkrt35f69pskslGoB2i5J2HGq342bea5pVCVF/Xh+FwTtEbhCcVSK
yEg8zPkXfU06wMFtzd9bBTF5YZQ2nKEUtjY9rqz/UUJbfNnYknw=
=A1ji
-----END PGP SIGNATURE-----

Attachment: pgpecg4u4GnSH.pgp
Description: PGP signature


--- End Message ---

Reply via email to