| Name | CVE-2024-44082 |
| Description | In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13.1, there is a vulnerability in image processing, in which a crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including possible unauthorized access to potentially sensitive data. The affected/fixed version details are: Ironic: <21.4.3, >=22.0.0 <23.0.2, >=23.1.0 <24.1.2, >=25.0.0 <26.0.1; Ironic-python-agent: <9.4.2, >=9.5.0 <9.7.1, >=9.8.0 <9.11.1, >=9.12.0 <9.13.1. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ironic (PTS) | bullseye | 1:16.0.3-1 | vulnerable |
| bookworm | 1:21.1.0-3 | vulnerable | |
| sid, trixie | 1:26.1.1-4 | fixed | |
| ironic-python-agent (PTS) | sid, trixie | 9.14.0-5 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ironic | source | (unstable) | 1:26.1.0-1 | |||
| ironic-python-agent | source | (unstable) | 9.14.0-1 |
[bookworm] - ironic <no-dsa> (Minor issue)
[bullseye] - ironic <postponed> (Minor issue; can be fixed in next update)
https://www.openwall.com/lists/oss-security/2024/09/04/4
https://bugs.launchpad.net/ironic/+bug/2071740