Package "ironic"

Name: ironic

Description: This package is just an umbrella for a group of other packages, it has no description. Description samples from packages in group:
- Openstack bare metal provisioning service - API
- Openstack bare metal provisioning service - daemons
- Openstack bare metal provisioning service - conductor
- Openstack bare metal provisioning service - Python 3 library

Latest version: 1:20.1.0-0ubuntu1.3
Release: jammy (22.04)
Level: security
Repository: universe
Changelog
ironic (1:20.1.0-0ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: sanitize kernel_append_params to prevent injection
    - debian/patches/CVE-2026-46447.patch: Validate kernel_append_params
      against a kernel command line grammar and reject malformed
      parameters. Add disable_kernel_parameter_parsing config option.
    - CVE-2026-46447
  * SECURITY UPDATE: disable insecure driver_info pxe_template override
    - debian/patches/CVE-2026-44917.patch: Remove direct file path support
      for pxe_template to prevent privilege escalation.
    - CVE-2026-44917
  * SECURITY UPDATE: prevent directory traversal in ISO9660 image handling
    - debian/patches/CVE-2026-48681.patch: Validate ISO9660 path entries
      to reject directory traversal attempts in config drive ISO images.
    - CVE-2026-48681

 -- Federico Quattrin <email address hidden> Thu, 11 Jun 2026 10:35:32 -0300

CVE-2026-46447: OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info.
CVE-2026-44917: OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_templa
CVE-2026-48681: OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image.

ironic (1:20.1.0-0ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: ensure underlying environment details not leaked when a
    maliciously crafted image is used (LP: #2071740).
    - d/p/CVE-2024-44082.patch: Harden all image handling and conversion code.
    - d/control: Add qemu-utils to Build-Depends to allow unit tests to run
      qemu-img.
    - CVE-2024-44082

 -- Felipe Reyes <email address hidden> Tue, 03 Sep 2024 16:09:13 +0100

2071740: [OSSA-2024-003] Unvalidated image data passed to qemu-img (CVE-2024-44082)

ironic (1:20.1.0-0ubuntu1.1) jammy-security; urgency=medium

  * d/gbp.conf: Create stable/yoga branch.
  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088.patch: Fix Cinder Integration
      fallout from CVE-2023-2088
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 16:16:26 -0400

CVE-2023-2088: OSSA-2023-003: Unauthorized volume access through deleted volume attachments