-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Nov 2024 16:10:43 +0100
Source: ironic
Binary: ironic-api ironic-common ironic-conductor ironic-doc python3-ironic
Architecture: all
Version: 1:21.4.4-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Thomas Goirand
Description:
 ironic-api - bare metal hypervisor API for OpenStack - API server
 ironic-common - bare metal hypervisor API for OpenStack - common files
 ironic-conductor - bare metal hypervisor API for OpenStack - conductor
 ironic-doc - bare metal hypervisor API for OpenStack - doc
 python3-ironic - bare metal hypervisor API for OpenStack - Python lib
Closes: 1135898 1136005 1136655 1138842
Changes:
 ironic (1:21.4.4-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream point release. Fixed CVE-2024-44082.
   * CVE-2026-44917: Ironic does not validate the location of
     node.driver_info[pxe_template], allowing a user who can set it to expose
     arbitrary files on an internal Ironic network, such as the servicing,
     provisioning, or cleaning networks. Applied upstream patch:
     - CVE-2026-44917_disable-driver_info-level-pxe_template-override.patch
   * CVE-2026-46447: A user with access to add or modify node.driver_info or
     node.instance_info can create a crafted value to enable iPXE script
     execution during the boot process. Applied upstream patch:
     - CVE-2026-46447_Sanitize-kernel_append_parms.patch
   * CVE-2026-48681: A maliciously crafted ISO image can cause Ironic to
     perform path traversal and overwrite files on a conductor's disk.
     Applied upstream patch:
     - CVE-2026-48681-directory_transversal_ISO9660_support.patch
     (Closes: #1138842)
   * CVE-2026-44919: during image handling, an infinite loop in checksum
     calculations can occur via the file:///dev/zero URL. Add upstream patch:
     move_file_url_validation_up_into_deploy_utils_main_path.patch.
     (Closes: #1136655).
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment with
     the anaconda deploy interface, a node with the anaconda deployment
     interface set by an admin, and a malicious template could result in
     conductor internal data being rendered and, if the infrastructure
     operator is allowing traffic egress for the provisioning network, could
     have sensitive internal data exfiltrated out of the environment. Applied
     upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
     (Closes: #1136005).
   * CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
     Endpoints via Ironic's idrac Configuration molds Feature. Add upstream
     patch validate_molds_url_against_swift_in_keystone_catalog.patch.
     (Closes: #1135898).
   * (build-)depends on python3-oslo.messaging >= 14.0.3-0+deb12u1~.
Checksums-Sha1:
 e32c37669a97ecbd9218faef0200135ccd44170d 20844 ironic-api_21.4.4-0+deb12u1_all.deb
 694ace50fb860c734c8216fdfbd964194cf957d0 63084 ironic-common_21.4.4-0+deb12u1_all.deb
 1b4c559106dab0f6489c42f8335c33b8474583fb 8620 ironic-conductor_21.4.4-0+deb12u1_all.deb
 ed8d27ce647330623874e6ff96c1a13065ccfbf2 2965916 ironic-doc_21.4.4-0+deb12u1_all.deb
 cad79c54b640dcd3a54a710e9c8f3e5919317a8f 22727 ironic_21.4.4-0+deb12u1_all-buildd.buildinfo
 6c517cbf2ed63779a6a38e1fea8623dd2c9c0244 1016168 python3-ironic_21.4.4-0+deb12u1_all.deb
Checksums-Sha256:
 470f21bf03343cef88bf2a3b4fd23e19b73b8a7d6a47324fb1d6405ee16ac647 20844 ironic-api_21.4.4-0+deb12u1_all.deb
 f54bab0fb21d8c9307420b1400e997f3e173f0368fec664b19e38078fbe3a06b 63084 ironic-common_21.4.4-0+deb12u1_all.deb
 7da37ffcaa9a8ec12f14df95101b4771d2e7a24b1167ff9b0107c897c509ef07 8620 ironic-conductor_21.4.4-0+deb12u1_all.deb
 175e9b3f9fe125d1a4ffdc0a9132bcde538432fd725519dd5bc107c95326f61a 2965916 ironic-doc_21.4.4-0+deb12u1_all.deb
 3f41be538046044f22aaedb536aeac352cc08f8f2504a3cab0d0a4497f0809d1 22727 ironic_21.4.4-0+deb12u1_all-buildd.buildinfo
 dd8190962f66550f1efb0887d6321990f1f63b2a98b4aafa891beada91e53cf0 1016168 python3-ironic_21.4.4-0+deb12u1_all.deb
Files:
 529e43ad7ffb1cb8ed257835594e42d8 20844 net optional ironic-api_21.4.4-0+deb12u1_all.deb
 8e570598d6b09ea9d63a4e4c9e35b494 63084 net optional ironic-common_21.4.4-0+deb12u1_all.deb
 2bbce293a0ec962aefab8894cc8627ad 8620 net optional ironic-conductor_21.4.4-0+deb12u1_all.deb
 6bc0ff996e9b0f8202e6697e44dfdbd2 2965916 doc optional ironic-doc_21.4.4-0+deb12u1_all.deb
 561fa83507e834b808433a49b76f01cd 22727 net optional ironic_21.4.4-0+deb12u1_all-buildd.buildinfo
 656d68d1916bf7d3051879c82b23a72e 1016168 python optional python3-ironic_21.4.4-0+deb12u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE81O8NL+3kjBAqEvLmgPNRvTf/zcFAmopjTcACgkQmgPNRvTf
/zfRBw/8DH91menKP5rmwlLjNiMKaTeQfykXsiuA40EOKnadb0MwlOdv4rqyBlow
dgNk8WIxeUspVtemFgtkvsGEylWS/F6RulJ3GDPBeUQCxc1IsCwbE+4P6O+0Tenr
CB0NeYCpTd1pshpoPVP/DLUiE0ypko7GAjTqCXpBt3avj/JuupBVwnTs6QnJWSy3
36Tgw8PMAhW3A0R+bw9X7jEb4KLjLQuMvJ9HOPoCzBhZbDO45AkdgMBCchhajbt1
lbjhqCoIbRtugT1t80mRYME5IH3sj2hl2fkXICEfogRqd+xmxFcpITte4fMQ9qBs
uKxj1aku/nb1UWu99e6DogRgWZGqRqHObNErwxcqStvNeGpSmp2dDnoZencqfifn
BjZ8CZtnhLyiN5h0k+BUmw+VhXZFXhRl1qswqZWz0LCzgerWJxwdtnV86YrOCxdh
Cm9860QtvpCVcKk99jZAuVimezuUKNFwQbAgbeYSMiEX6hJGI4VHrzrSN2dPi2Pv
yzuuKhuCpP1OxI3XrCrIcndsB+mDAaBP1VVpH+vXpN8GxDDTKPK1qrOb8Hd+ir9u
koEKGKslVJpEYtBrP3mBtRMd/UW97S2OmZIszC1GLiMCnnAofYFQf8z5EZY25aAZ
jul4CFCUVBweeF1ueHqdrg7AmSmLAZCNr0ny6De8u90pW3Ds7Vw=
=TkN0
-----END PGP SIGNATURE-----