Your message dated Mon, 12 May 2025 07:49:14 +0000
with message-id <e1uenuu-003qh0...@fasolo.debian.org>
and subject line Bug#1104964: fixed in ironic 1:29.0.0-6
has caused the Debian Bug report #1104964,
regarding ironic: CVE-2025-44021
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1104964: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104964
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ironic
Version: 1:29.0.0-3
Severity: grave
Tags: security upstream
Forwarded: https://bugs.launchpad.net/ironic/+bug/2107847
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ironic.

CVE-2025-44021[0]:
| OpenStack Ironic before 29.0.1 can write unintended files to a
| target node disk during image handling (if a deployment was
| performed via the API). A malicious project assigned as a node owner
| can provide a path to any local file (readable by ironic-conductor),
| which may then be written to the target node disk. This is difficult
| to exploit in practice, because a node deployed in this manner
| should never reach the ACTIVE state, but it still represents a
| danger in environments running with non-default, insecure
| configurations such as with automated cleaning disabled. The fixed
| versions are 24.1.3, 26.1.1, and 29.0.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-44021
    https://www.cve.org/CVERecord?id=CVE-2025-44021
[1] https://bugs.launchpad.net/ironic/+bug/2107847
[2] https://www.openwall.com/lists/oss-security/2025/05/08/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
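The weakness described in the report above (a node owner supplying a file:// image URL whose path ironic-conductor did not restrict) is commonly mitigated by resolving the path, symlinks included, and confining it to an allowlist of image directories. The block below is an added example of that pattern; it is not Ironic's code or the upstream OSSA-2025-001 patch, and the allowlist, function names and sample URLs are constructed assumptions.

```python
"""Added example (not Ironic's own code): reject file:// image URLs that
resolve outside an operator-approved set of image directories."""
import os
from urllib.parse import urlparse, unquote

# Constructed allowlist for this example; a real service would load it
# from its configuration rather than hard-code it.
ALLOWED_IMAGE_DIRS = ("/var/lib/ironic/images",)


class UnsafeImagePath(ValueError):
    """Raised when a file:// URL does not resolve inside the allowlist."""


def image_path_from_file_url(url, allowed_dirs=ALLOWED_IMAGE_DIRS):
    """Return the resolved local path for a file:// image URL, or raise
    UnsafeImagePath if the URL is malformed or points elsewhere."""
    parts = urlparse(url)
    if parts.scheme != "file":
        raise UnsafeImagePath("not a file:// URL: %r" % url)
    if parts.netloc not in ("", "localhost"):
        raise UnsafeImagePath("unexpected host in file URL: %r" % url)
    raw = unquote(parts.path)          # decode %2e%2e and friends first
    if "\x00" in raw:
        raise UnsafeImagePath("NUL byte in image path")
    # realpath collapses '..' segments and follows symlinks, so neither
    # traversal nor a symlink planted inside the image directory escapes.
    resolved = os.path.realpath(raw)
    for base in allowed_dirs:
        base_real = os.path.realpath(base)
        if (resolved != base_real
                and os.path.commonpath([base_real, resolved]) == base_real):
            return resolved
    raise UnsafeImagePath("image path %r is outside allowed dirs" % resolved)


def is_safe_image_url(url, allowed_dirs=ALLOWED_IMAGE_DIRS):
    """Boolean convenience wrapper around image_path_from_file_url."""
    try:
        image_path_from_file_url(url, allowed_dirs)
        return True
    except UnsafeImagePath:
        return False
```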
--- Begin Message ---
Source: ironic
Source-Version: 1:29.0.0-6
Done: Thomas Goirand <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1104...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 12 May 2025 09:03:43 +0200
Source: ironic
Architecture: source
Version: 1:29.0.0-6
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1104964
Changes:
 ironic (1:29.0.0-6) unstable; urgency=high
 .
   * CVE-2025-44021: Ironic fails to restrict paths used for file:// image URLs.
     Add upstream patch: OSSA-2025-001_Disallow+unsafe_image_file_paths.patch.
     (Closes: #1104964).



--- End Message ---