-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 30 Apr 2026 10:41:21 +0200
Source: ironic
Binary: ironic-api ironic-common ironic-conductor ironic-doc python3-ironic
Architecture: all
Version: 1:21.1.0-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Thomas Goirand
Description:
 ironic-api - bare metal hypervisor API for OpenStack - API server
 ironic-common - bare metal hypervisor API for OpenStack - common files
 ironic-conductor - bare metal hypervisor API for OpenStack - conductor
 ironic-doc - bare metal hypervisor API for OpenStack - doc
 python3-ironic - bare metal hypervisor API for OpenStack - Python lib
Closes: 1104964 1135255 1135898 1136005
Changes:
 ironic (1:21.1.0-3+deb12u1) bookworm; urgency=medium
 .
   * CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
     Implementations. Applied upstream patch: "Shell-quote console command
     passed to socat" (Closes: #1135255).
   * CVE-2025-44021: Ironic fails to restrict paths used for file:// image
     URLs. Add upstream patch:
     OSSA-2025-001_Disallow+unsafe_image_file_paths.patch (Closes: #1104964).
   * Add qemu-utils as build-depends because of tests from the CVE-2025-44021
     fix.
   * CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
     Endpoints via Ironic's idrac Configuration molds Feature. Add upstream
     patch validate_molds_url_against_swift_in_keystone_catalog.patch
     (Closes: #1135898).
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment with
     the anaconda deploy interface, a node with the anaconda deployment
     interface set by an admin, and a malicious template could result in
     conductor internal data being rendered and, if the infrastructure
     operator is allowing traffic egress for the provisioning network, could
     have sensitive internal data exfiltrated out of the environment.
     Applied upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
     (Closes: #1136005).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----