-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 30 Apr 2026 10:05:36 +0200
Source: ironic
Binary: ironic-api ironic-common ironic-conductor ironic-doc ironic-novncproxy python3-ironic
Architecture: all
Version: 1:29.0.5-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02) <buildd_all-x86-grnet-02@buildd.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 ironic-api - bare metal hypervisor API for OpenStack - API server
 ironic-common - bare metal hypervisor API for OpenStack - common files
 ironic-conductor - bare metal hypervisor API for OpenStack - conductor
 ironic-doc - bare metal hypervisor API for OpenStack - doc
 ironic-novncproxy - bare metal hypervisor API for OpenStack - NoVNC proxy
 python3-ironic - bare metal hypervisor API for OpenStack - Python lib
Closes: 1135255 1135898 1136005 1136655
Changes:
 ironic (1:29.0.5-0+deb13u1) trixie; urgency=medium
 .
   * New upstream release. Include fix for:
     - CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
       Endpoints via Ironic’s idrac Configuration molds Feature
       (Closes: #1135898).
     - CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
       Implementations. Applied upstream patch: "Shell-quote console command
       passed to socat" (Closes: #1135255).
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment with
     the anaconda deploy interface, a node with the anaconda deployment
     interface set by an admin, and a malicious template could result in
     conductor internal data being rendered and, if the infrastructure operator is
     allowing traffic egress for the provisioning network, could have sensitive
     internal data exfiltrated out of the environment. Applied upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
     (Closes: #1136005).
   * CVE-2026-44919: during image handling, an infinite loop in checksum
     calculations can occur via the file:///dev/zero URL. Add upstream patch:
     move_file_url_validation_up_into_deploy_utils_main_path.patch.
     (Closes: #1136655).
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
