[ubuntu/resolute-security] ironic 1:35.0.0-0ubuntu2.1 (Accepted)
Federico Quattrin
federico.quattrin at canonical.com
Thu Jun 11 19:18:28 UTC 2026
ironic (1:35.0.0-0ubuntu2.1) resolute-security; urgency=high

  [ Myles Penner ]
  * d/gbp.conf: Create stable/2026.1 branch.

  [ Hemanth Nakkina ]
  * SECURITY UPDATE: sanitize kernel_append_params to prevent injection
    - d/p/0001-Ensure-kernel_append_params-are-valid-kernel-paramet.patch:
      Validate kernel_append_params against a kernel command line grammar
      and reject malformed parameters. Add disable_kernel_parameter_parsing
      config option.
    - CVE-2026-46447
  * SECURITY UPDATE: disable insecure driver_info pxe_template override
    - d/p/0002-security-disable-driver_info-level-pxe_template-over.patch:
      Remove direct file path support for pxe_template to prevent
      privilege escalation.
    - CVE-2026-44917
  * SECURITY UPDATE: prevent directory traversal in ISO9660 image handling
    - d/p/0003-security-directory-transversal-ISO9660-support.patch:
      Validate ISO9660 path entries to reject directory traversal attempts
      in config drive ISO images.
    - CVE-2026-48681

Date: 2026-06-05 16:59:42.604110+00:00
Changed-By: Hemanth Nakkina <hemanth.nakkina at canonical.com>
Signed-By: Federico Quattrin <federico.quattrin at canonical.com>
https://launchpad.net/ubuntu/+source/ironic/1:35.0.0-0ubuntu2.1