[ubuntu/questing-updates] ironic 1:32.0.0-0ubuntu1.1 (Accepted)

Ubuntu Archive Robot ubuntu-archive-robot at lists.canonical.com
Thu Jun 11 22:02:18 UTC 2026


ironic (1:32.0.0-0ubuntu1.1) questing-security; urgency=high

  [ Myles Penner ]
  * d/gbp.conf: Create stable/2025.2 branch.
  * d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
    flamingo.

  [ Hemanth Nakkina ]
  * SECURITY UPDATE: sanitize kernel_append_params to prevent injection
    - d/p/0001-Ensure-kernel_append_params-are-valid-kernel-paramet.patch:
      Validate kernel_append_params against a kernel command line grammar
      and reject malformed parameters. Add disable_kernel_parameter_parsing
      config option.
    - CVE-2026-46447
  * SECURITY UPDATE: disable insecure driver_info pxe_template override
    - d/p/0002-security-disable-driver_info-level-pxe_template-over.patch:
      Remove direct file path support for pxe_template to prevent
      privilege escalation.
    - CVE-2026-44917
  * SECURITY UPDATE: prevent directory traversal in ISO9660 image handling
    - d/p/0003-security-directory-transversal-ISO9660-support.patch:
      Validate ISO9660 path entries to reject directory traversal attempts
      in config drive ISO images.
    - CVE-2026-48681

Date: 2026-06-05 17:00:19.391077+00:00
Changed-By: Hemanth Nakkina <hemanth.nakkina at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/ironic/1:32.0.0-0ubuntu1.1