-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 30 Apr 2026 10:05:36 +0200
Source: ironic
Architecture: source
Version: 1:29.0.5-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack
Changed-By: Thomas Goirand
Closes: 1135255 1135898 1136005 1136655
Changes:
 ironic (1:29.0.5-0+deb13u1) trixie; urgency=medium
 .
   * New upstream release. Include fix for:
     - CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
       Endpoints via Ironic’s idrac Configuration molds Feature
       (Closes: #1135898).
     - CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI
       Console Implementations. Applied upstream patch: "Shell-quote console
       command passed to socat" (Closes: #1135255).
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment
     with the anaconda deploy interface, a node with the anaconda deployment
     interface set by an admin, and a malicious template could result in
     conductor internal data being rendered and, if the infrastructure
     operator is allowing traffic egress for the provisioning network, could
     have sensitive internal data exfiled out of the environment. Applied
     upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
       (Closes: #1136005).
   * CVE-2026-44919: during image handling, an infinite loop in checksum
     calculations can occur via the file:///dev/zero URL. Add upstream
     patch: move_file_url_validation_up_into_deploy_utils_main_path.patch.
     (Closes: #1136655).
Checksums-Sha1:
 f65f99602c674b7ebd32fe2518d337125ddf9ac9 4096 ironic_29.0.5-0+deb13u1.dsc
 b6b17bf8a174467edda78a62b7136c12b4058129 1892376 ironic_29.0.5.orig.tar.xz
 861b413f51470c7d74634caf45856415b4348d4c 22568 ironic_29.0.5-0+deb13u1.debian.tar.xz
 d659e18399d1047fd4d9e710c3e4e8543f0e36e6 22929 ironic_29.0.5-0+deb13u1_amd64.buildinfo
Checksums-Sha256:
 db41efc3a56d46d30abbbdbcb0c3424d7be6b84ff4839dc5d12978bae5c1030e 4096 ironic_29.0.5-0+deb13u1.dsc
 8381a472d7d79dc798a74917bf1cb8eb7795916d952643b64c7f5dc50532e6d9 1892376 ironic_29.0.5.orig.tar.xz
 570f08844d5d290994de3ec8fb305929b775ca93d8e02e97dcdfe692b5f6426b 22568 ironic_29.0.5-0+deb13u1.debian.tar.xz
 00c8cb0d608501df1bd92e3ae41d64ee106a8c497bbde80c8ed939c3952477df 22929 ironic_29.0.5-0+deb13u1_amd64.buildinfo
Files:
 a0094d72c1e6774be76d420cdfca3b6a 4096 net optional ironic_29.0.5-0+deb13u1.dsc
 52695995363316a16620272afa449301 1892376 net optional ironic_29.0.5.orig.tar.xz
 8182b8b4dcffe3746e649c1d8b3c7582 22568 net optional ironic_29.0.5-0+deb13u1.debian.tar.xz
 db660613cdbcfd1134084b10a355ebeb 22929 net optional ironic_29.0.5-0+deb13u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmoVV2cACgkQ1BatFaxr
Q/6nUA//Xdu2gqc4jpV2dlyBqxxcBaTUZOSt1SBBuLCUlGEJnE0xyoEsA8ZzqX7R
2nhQ77Babl6MAKtivMttpTbwWKNdPBobaL6UFQziCVhR892PkAy0Q0h3TNPwmHhi
nRkpJkVWdlyKHh7xW6qk2JQu4RHe/vgfQHeUlrUDINmOIv4162bBUOqROo68laj1
xGvJIw76Pf1V4+r+j8q2qwwAAvvmgv6JNOAZNZ44XN4Kb8mW0ulr4i1lCP0LYHWP
bByqojUVRMXFPdF6zVloIycL3eO5A2uGHkY6RqiPO4Xam0kZIoawTwg4pgyqT6Hm
82/GApymfgsHRqxo5wdUTIhIcfNi41LgOVlp44X8LcdaVqVDK+7RYEdF6lqlfEl0
LiAOQ5xvDBOZmPfDZeenBbEXnZvDEIqLtn1FgehZEQp1pi/07dXohzssdelrs3HU
4qxp8l/TpoCDgdLSNKR7PLqwpfCBUMt0uhGMXClQxPS34lDekFGlr5MMU6l6jS6l
pQOCP5Op96gIPYgAADBQJDqokKg7yBPv0qrmg4KvjDhLTz/X1z+TpuNdq1IbBba5
oECtyueUgtkYJ1hZRDUbB/Em+2G2q2j9gBmLylexzUaROMG5m36htLUlOBjwopVv
fc/aJDB7+c/H2p/IN0DZG6fU0/AtwGfH5iZGdtBMbHo4E1lNT7Q=
=ZJRr
-----END PGP SIGNATURE-----