Source: ironic
Version: 1:29.0.0-3
Severity: grave
Tags: security upstream
Forwarded: https://bugs.launchpad.net/ironic/+bug/2107847
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for ironic.

CVE-2025-44021[0]:
| OpenStack Ironic before 29.0.1 can write unintended files to a
| target node disk during image handling (if a deployment was
| performed via the API). A malicious project assigned as a node owner
| can provide a path to any local file (readable by ironic-conductor),
| which may then be written to the target node disk. This is difficult
| to exploit in practice, because a node deployed in this manner
| should never reach the ACTIVE state, but it still represents a
| danger in environments running with non-default, insecure
| configurations such as with automated cleaning disabled. The fixed
| versions are 24.1.3, 26.1.1, and 29.0.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-44021
    https://www.cve.org/CVERecord?id=CVE-2025-44021
[1] https://bugs.launchpad.net/ironic/+bug/2107847
[2] https://www.openwall.com/lists/oss-security/2025/05/08/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
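The CVE text above describes the general failure mode: a privileged service (ironic-conductor) accepts a caller-supplied local path and copies whatever it points at onto a node disk. The following Python is an added illustration of the mitigation class for that bug pattern, a canonicalising allow-list check on the supplied path. It is not ironic's code and not the upstream fix (the report does not describe the fix); the function names, the `file://`/plain-path handling and the sample directory tree are all assumptions made for the example.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote, urlparse


class UnsafeLocalPath(ValueError):
    """Raised when a caller-supplied local path escapes the allow-list."""


def is_within(path, root):
    """True if the canonical form of `path` is `root` or lies beneath it.

    Both sides go through realpath so symlinks and '..' segments are
    resolved before the prefix comparison, otherwise a link planted
    inside the allowed root could still point anywhere the service can read.
    """
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def resolve_local_image(image_source, allowed_roots):
    """Hypothetical check for a caller-supplied image location.

    Accepts a bare absolute path or a file:// URL and returns the canonical
    path only if it resolves under one of `allowed_roots`. Every other case
    (relative path, other scheme, empty allow-list, escape via '..' or a
    symlink) is rejected with UnsafeLocalPath.
    """
    parsed = urlparse(image_source)
    if parsed.scheme == "file":
        path = unquote(parsed.path)
    elif parsed.scheme == "":
        path = image_source
    else:
        raise UnsafeLocalPath(f"not a local path: {image_source!r}")
    if not path.startswith("/"):
        raise UnsafeLocalPath(f"relative path refused: {path!r}")
    if not allowed_roots:
        # Fail closed: with no configured roots, nothing local is readable.
        raise UnsafeLocalPath("no local image roots are configured")
    for root in allowed_roots:
        if is_within(path, root):
            return os.path.realpath(path)
    raise UnsafeLocalPath(f"{path!r} is outside the allowed roots")


def demo():
    """Build a constructed throwaway tree and exercise the check.

    Returns a dict mapping each probe to "accepted" (resolved to the
    legitimate image) or "rejected".
    """
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "images")          # the one allowed root
        os.makedirs(root)
        good = os.path.join(root, "ubuntu.qcow2")    # a legitimate image
        # Stands in for any file the service can read but must not copy out.
        secret = os.path.join(base, "conductor-secret")
        for p in (good, secret):
            with open(p, "w") as f:
                f.write("constructed sample data\n")
        # A symlink *inside* the allowed root that points *outside* it.
        link = os.path.join(root, "innocent.qcow2")
        os.symlink(secret, link)

        probes = (
            ("plain", good),
            ("file_url", "file://" + good),
            ("dotdot", os.path.join(root, "..", "conductor-secret")),
            ("symlink", link),
            ("absolute", secret),
        )
        results = {}
        for label, src in probes:
            try:
                resolved = resolve_local_image(src, [root])
                results[label] = (
                    "accepted" if resolved == os.path.realpath(good) else "accepted-other"
                )
            except UnsafeLocalPath:
                results[label] = "rejected"
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:9s} {outcome}")
```

The two points worth keeping from this shape are that the comparison happens on the resolved path, never on the string the caller sent, and that an empty allow-list refuses everything rather than permitting everything; both are the cases where prefix checks on untrusted paths usually go wrong.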