Package "ironic-common"
| Name: |
ironic-common
|
Description: |
Openstack bare metal provisioning service - daemons
|
| Latest version: |
1:32.0.0-0ubuntu1.1 |
| Release: |
questing (25.10) |
| Level: |
updates |
| Repository: |
universe |
| Head package: |
ironic |
| Homepage: |
https://opendev.org/openstack/ironic |
Links
Download "ironic-common"
Other versions of "ironic-common" in Questing
Changelog
|
ironic (1:32.0.0-0ubuntu1.1) questing-security; urgency=high
[ Myles Penner ]
* d/gbp.conf: Create stable/2025.2 branch.
* d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
flamingo.
[ Hemanth Nakkina ]
* SECURITY UPDATE: sanitize kernel_append_params to prevent injection
- d/p/0001-Ensure-kernel_append_params-are-valid-kernel-paramet.patch:
Validate kernel_append_params against a kernel command line grammar
and reject malformed
parameters. Add disable_kernel_parameter_parsing config option.
- CVE-2026-46447
* SECURITY UPDATE: disable insecure driver_info pxe_template override
- d/p/0002-security-disable-driver_info-level-pxe_template-over.patch:
Remove direct file path support for pxe_template to prevent
privilege escalation.
- CVE-2026-44917
* SECURITY UPDATE: prevent directory traversal in ISO9660 image handling
- d/p/0003-security-directory-transversal-ISO9660-support.patch:
Validate ISO9660 path entries to reject directory traversal attempts
in config drive ISO images.
- CVE-2026-48681
-- Hemanth Nakkina <email address hidden> Wed, 03 Jun 2026 14:39:43 +0530
|
| CVE-2026-46447 |
OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info. |
| CVE-2026-44917 |
OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_templa |
| CVE-2026-48681 |
OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image. |
|
About
-
Send Feedback to @ubuntu_updates
