Format: 1.8
Date: Mon, 01 Jun 2026 09:59:53 +0200
Source: ironic
Binary: ironic-api ironic-common ironic-conductor ironic-doc ironic-novncproxy python3-ironic
Architecture: all
Version: 1:29.0.5-0+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Thomas Goirand
Description:
 ironic-api - bare metal hypervisor API for OpenStack - API server
 ironic-common - bare metal hypervisor API for OpenStack - common files
 ironic-conductor - bare metal hypervisor API for OpenStack - conductor
 ironic-doc - bare metal hypervisor API for OpenStack - doc
 ironic-novncproxy - bare metal hypervisor API for OpenStack - NoVNC proxy
 python3-ironic - bare metal hypervisor API for OpenStack - Python lib
Closes: 1138842
Changes:
 ironic (1:29.0.5-0+deb13u2) trixie-security; urgency=medium
 .
   * CVE-2026-44917: Ironic does not validate the location of
     node.driver_info[pxe_template], allowing a user who can set it to expose
     arbitrary files on an internal Ironic network, such as the servicing,
     provisioning, or cleaning networks. Applied upstream patch:
     - CVE-2026-44917_disable-driver_info-level-pxe_template-override.patch
   * CVE-2026-46447: A user with access to add or modify node.driver_info or
     node.instance_info can create a crafted value to enable iPXE script
     execution during the boot process. Applied upstream patch:
     - CVE-2026-46447_Sanitize-kernel_append_parms.patch
   * CVE-2026-48681: A maliciously crafted ISO image can cause Ironic to
     perform path traversal and overwrite files on a conductor's disk.
     Applied upstream patch:
     - CVE-2026-48681-directory_transversal_ISO9660_support.patch
     (Closes: #1138842)