Format: 1.8
Date: Fri, 08 May 2026 16:27:56 +0200
Source: ironic
Architecture: source
Version: 1:35.0.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1136005
Changes:
 ironic (1:35.0.1-2) unstable; urgency=medium
 .
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment
     with the anaconda deploy interface, a node with the anaconda
     deployment interface set by an admin, and a malicious template could
     result in conductor internal data being rendered and if the
     infrastructure operator is allowing traffic egress for the
     provisioning network, could have sensitive internal data exfiltrated
     out of the environment. Applied upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
     (Closes: #1136005).