Debian Patches
Status for ironic/1:35.0.1-3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| adds-alembic.ini-in-MANIFEST.in.patch | Fixes MANIFEST.in so that alembic.ini is packaged | Thomas Goirand <zigo@debian.org> | no | | | 2016-03-22 |
| fix-initial_grub_cfg.template.patch | Fix initial_grub_cfg.template. The default grub.cfg happen /srv/tftp, but tftp-hpa is, in Debian, already doing a chroot in there. | Thomas Goirand <zigo@debian.org> | no | | | 2024-09-16 |
| do-not-print.patch | Do not print. Without this patch, we're getting: `File "/<<PKGBUILDDIR>>/ironic/tests/unit/api/base.py", line 115, in _request_json` `print(method.upper(), full_path, "WITH", params, "GOT", str(response))` `BlockingIOError: [Errno 11] write could not complete without blocking` about 60 times (not always the same number of times...). | Thomas Goirand <zigo@debian.org> | not-needed | | | 2023-10-05 |
| CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch | CVE-2026-44916 security: Use sandbox rendering for jinja2. Analysis revealed that a malicious attacker with sufficient access to request a node to be provisioned could supply a maliciously crafted kickstart template configuration, which would then be rendered in an unsafe form ultimately. This is because the underlying render utility was modeled for rendering only admin-supplied files or the in-code tree files. Anaconda had to take this further by allowing the jinja utilized to be user supplied. Anyhow, an attacker with sufficient access, an ironic deployment with the anaconda deploy interface, a node with the anaconda deployment interface set by an admin, and a malicious template could result in conductor internal data being rendered and if the infrastructure operator is allowing traffic egress for the provisioning network, could have sensitive internal data exfiled out of the environment. The render helper has been changed to utilize a sandboxed environment. Attacks such as this now internally raise a Jinja2 SecurityError. diff --git a/ironic/common/utils.py b/ironic/common/utils.py index 2e4feb1..18a1dd1 100644 | Julia Kreger <juliaashleykreger@gmail.com> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/ironic/+/987774 | 2026-05-08 |
| CVE-2026-44919_move_file_url_validation_up_into_deploy_utils_main_path.patch | CVE-2026-44919: move file url validation up into deploy_utils main path. An issue was discovered where we were executing checksums prior to doing file path guard logic. We've moved the check into the same area of the code where we do all other url checks for consistency. This issue is tracked as CVE-2026-44919. | Julia Kreger <juliaashleykreger@gmail.com> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/ironic/+/988355 | 2026-05-16 |
All known versions for source package 'ironic'
- 1:35.0.1-3 (sid)
- 1:35.0.0-2 (forky)
- 1:29.0.0-7 (trixie)
- 1:21.1.0-3 (bookworm)
