UbuntuUpdates.org

Package "ironic"

Name: ironic

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • Openstack bare metal provisioning service - API
  • Openstack bare metal provisioning service - daemons
  • Openstack bare metal provisioning service - conductor
  • Openstack bare metal provisioning service - Python 3 library

Latest version: 1:32.0.0-0ubuntu1.1
Release: questing (25.10)
Level: updates
Repository: universe


Other versions of "ironic" in Questing

Repository Area Version
base universe 1:32.0.0-0ubuntu1
security universe 1:32.0.0-0ubuntu1.1

Changelog

Version: 1:32.0.0-0ubuntu1.1 2026-06-12 00:07:30 UTC

  ironic (1:32.0.0-0ubuntu1.1) questing-security; urgency=high

  [ Myles Penner ]
  * d/gbp.conf: Create stable/2025.2 branch.
  * d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
    flamingo.

  [ Hemanth Nakkina ]
  * SECURITY UPDATE: sanitize kernel_append_params to prevent injection
    - d/p/0001-Ensure-kernel_append_params-are-valid-kernel-paramet.patch:
      Validate kernel_append_params against a kernel command line grammar
      and reject malformed parameters. Add disable_kernel_parameter_parsing
      config option.
    - CVE-2026-46447
  * SECURITY UPDATE: disable insecure driver_info pxe_template override
    - d/p/0002-security-disable-driver_info-level-pxe_template-over.patch:
      Remove direct file path support for pxe_template to prevent
      privilege escalation.
    - CVE-2026-44917
  * SECURITY UPDATE: prevent directory traversal in ISO9660 image handling
    - d/p/0003-security-directory-transversal-ISO9660-support.patch:
      Validate ISO9660 path entries to reject directory traversal attempts
      in config drive ISO images.
    - CVE-2026-48681

 -- Hemanth Nakkina <email address hidden> Wed, 03 Jun 2026 14:39:43 +0530

CVE-2026-46447 OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info.
CVE-2026-44917 OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_templa
CVE-2026-48681 OpenStack Ironic before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image.


