========================================================================== Ubuntu Security Notice USN-8421-1 June 11, 2026
ironic vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in Ironic. Software Description: - ironic: OpenStack service which provides the capability to orchestrate bare metal servers Details: Dmitry Tantsur and Tuomo Tanskanen discovered that Ironic did not properly validate file paths when handling ISO images. A privileged authenticated remote user could use this issue to perform path traversal via a crafted ISO image and overwrite arbitrary files on the Ironic conductor. (CVE-2026-48681) Dmitry Tantsur and Tuomo Tanskanen discovered that Ironic did not properly validate kernel command line parameters. A privileged authenticated remote user could use this issue to inject scripts during node boot and possibly execute arbitrary code. (CVE-2026-46447) Dmitry Tantsur and Tuomo Tanskanen discovered that Ironic incorrectly restricted access to custom PXE templates. A privileged authenticated remote user could use this issue to read arbitrary sensitive files on the Ironic conductor. (CVE-2026-44917) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS ironic-api 1:35.0.0-0ubuntu2.1 ironic-common 1:35.0.0-0ubuntu2.1 ironic-conductor 1:35.0.0-0ubuntu2.1 python3-ironic 1:35.0.0-0ubuntu2.1 Ubuntu 25.10 ironic-api 1:32.0.0-0ubuntu1.1 ironic-common 1:32.0.0-0ubuntu1.1 ironic-conductor 1:32.0.0-0ubuntu1.1 python3-ironic 1:32.0.0-0ubuntu1.1 Ubuntu 24.04 LTS ironic-api 1:24.1.1-0ubuntu1.3 ironic-common 1:24.1.1-0ubuntu1.3 ironic-conductor 1:24.1.1-0ubuntu1.3 python3-ironic 1:24.1.1-0ubuntu1.3 Ubuntu 22.04 LTS ironic-api 1:20.1.0-0ubuntu1.3 ironic-common 1:20.1.0-0ubuntu1.3 ironic-conductor 1:20.1.0-0ubuntu1.3 python3-ironic 1:20.1.0-0ubuntu1.3 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8421-1 CVE-2026-44917, CVE-2026-46447, CVE-2026-48681 Package Information: https://launchpad.net/ubuntu/+source/ironic/1:35.0.0-0ubuntu2.1 https://launchpad.net/ubuntu/+source/ironic/1:32.0.0-0ubuntu1.1 https://launchpad.net/ubuntu/+source/ironic/1:24.1.1-0ubuntu1.3 https://launchpad.net/ubuntu/+source/ironic/1:20.1.0-0ubuntu1.3
signature.asc
Description: OpenPGP digital signature
