Unauthorized volume access through deleted volume attachments (CVE-2023-2088)

Bug #2021980 reported by Corey Bryant
Affects                         Status         Importance   Assigned to   Milestone
Ubuntu Cloud Archive            Fix Released   High         Unassigned
  Antelope                      Fix Released   High         Unassigned
  Bobcat                        Fix Released   High         Unassigned
  Ussuri                        Won't Fix      Undecided    Unassigned
  Victoria                      Won't Fix      Undecided    Unassigned
  Wallaby                       Won't Fix      Undecided    Unassigned
  Xena                          Won't Fix      Undecided    Unassigned
  Yoga                          Fix Released   High         Unassigned
  Zed                           Fix Released   High         Unassigned
cinder (Ubuntu)                 Fix Released   High         Unassigned
  Bionic                        Won't Fix      Undecided    Unassigned
  Focal                         Won't Fix      Undecided    Unassigned
  Jammy                         Fix Released   High         Unassigned
  Kinetic                       Won't Fix      High         Unassigned
  Lunar                         Fix Released   High         Unassigned
  Mantic                        Fix Released   High         Unassigned
ironic (Ubuntu)                 Fix Released   High         Unassigned
  Bionic                        Won't Fix      Undecided    Unassigned
  Focal                         Won't Fix      Undecided    Unassigned
  Jammy                         Fix Released   High         Unassigned
  Kinetic                       Won't Fix      High         Unassigned
  Lunar                         Fix Released   High         Unassigned
  Mantic                        Fix Released   High         Unassigned
nova (Ubuntu)                   Fix Released   High         Unassigned
  Bionic                        Won't Fix      Undecided    Unassigned
  Focal                         Won't Fix      Undecided    Unassigned
  Jammy                         Fix Released   High         Unassigned
  Kinetic                       Won't Fix      High         Unassigned
  Lunar                         Fix Released   High         Unassigned
  Mantic                        Fix Released   High         Unassigned
python-glance-store (Ubuntu)    Fix Released   High         Unassigned
  Bionic                        Won't Fix      Undecided    Unassigned
  Focal                         Won't Fix      Undecided    Unassigned
  Jammy                         Fix Released   High         Unassigned
  Kinetic                       Won't Fix      High         Unassigned
  Lunar                         Fix Released   High         Unassigned
  Mantic                        Fix Released   High         Unassigned
python-os-brick (Ubuntu)        Fix Released   High         Unassigned
  Bionic                        Won't Fix      Undecided    Unassigned
  Focal                         Won't Fix      Undecided    Unassigned
  Jammy                         Fix Released   High         Unassigned
  Kinetic                       Won't Fix      High         Unassigned
  Lunar                         Fix Released   High         Unassigned
  Mantic                        Fix Released   High         Unassigned

Bug Description

OpenStack security advisory: https://security.openstack.org/ossa/OSSA-2023-003.html

Note: This is the second attempt at patching this CVE. The first time with the embargo patches resulted in an ironic regression. There have also been additional changes since the embargo patches. We also want to coordinate documentation better this time as service tokens are now required.

Changed in nova (Ubuntu Jammy):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu Kinetic):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu Lunar):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu Mantic):
status: New → Triaged
importance: Undecided → High
Changed in cinder (Ubuntu Jammy):
importance: Undecided → High
status: New → Triaged
Changed in cinder (Ubuntu Kinetic):
importance: Undecided → High
status: New → Triaged
Changed in cinder (Ubuntu Lunar):
importance: Undecided → High
status: New → Triaged
Changed in cinder (Ubuntu Mantic):
importance: Undecided → High
status: New → Triaged
no longer affects: cloud-archive/ussuri
Changed in ironic (Ubuntu Jammy):
importance: Undecided → High
status: New → Triaged
Changed in ironic (Ubuntu Kinetic):
importance: Undecided → High
status: New → Triaged
Changed in ironic (Ubuntu Lunar):
importance: Undecided → High
status: New → Triaged
Changed in ironic (Ubuntu Mantic):
importance: Undecided → High
status: New → Triaged
Changed in python-glance-store (Ubuntu Jammy):
importance: Undecided → High
status: New → Triaged
Changed in python-glance-store (Ubuntu Kinetic):
importance: Undecided → High
status: New → Triaged
Changed in python-glance-store (Ubuntu Lunar):
importance: Undecided → High
status: New → Triaged
Changed in python-glance-store (Ubuntu Mantic):
importance: Undecided → High
status: New → Triaged
Changed in python-os-brick (Ubuntu Mantic):
importance: Undecided → High
status: New → Triaged
Changed in python-os-brick (Ubuntu Lunar):
importance: Undecided → High
status: New → Triaged
Changed in python-os-brick (Ubuntu Kinetic):
importance: Undecided → High
status: New → Triaged
Changed in python-os-brick (Ubuntu Jammy):
importance: Undecided → High
status: New → Triaged
no longer affects: cloud-archive/victoria
description: updated
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package cinder - 2:22.0.0-0ubuntu4

---------------
cinder (2:22.0.0-0ubuntu4) mantic; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088-1.patch: Reject unsafe delete
      attachment calls.
    - debian/patches/CVE-2023-2088-2.patch: Doc: Improve service token.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Fri, 26 May 2023 16:16:03 -0400

Changed in cinder (Ubuntu Mantic):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ironic - 1:21.4.0-0ubuntu2

---------------
ironic (1:21.4.0-0ubuntu2) mantic; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088.patch: Fix Cinder Integration
      fallout from CVE-2023-2088
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 14:42:54 -0400

Changed in ironic (Ubuntu Mantic):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package nova - 3:27.0.0-0ubuntu4

---------------
nova (3:27.0.0-0ubuntu4) mantic; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088-1.patch: Use force=True for os-brick
      disconnect during delete.
    - debian/patches/CVE-2023-2088-2.patch: Enable use of service user
      token with admin context.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 12:11:02 -0400

Changed in nova (Ubuntu Mantic):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package python-glance-store - 4.3.0-0ubuntu4

---------------
python-glance-store (4.3.0-0ubuntu4) mantic; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088.patch: Add force to os-brick
      disconnect.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 14:53:17 -0400

Changed in python-glance-store (Ubuntu Mantic):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package python-os-brick - 6.2.0-0ubuntu5

---------------
python-os-brick (6.2.0-0ubuntu5) mantic; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088.patch: Support force disconnect for
      fibre channel.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 15:05:40 -0400

Changed in python-os-brick (Ubuntu Mantic):
status: Triaged → Fix Released
Changed in cloud-archive:
status: Triaged → Fix Committed
Corey Bryant (corey.bryant) wrote:

This bug was fixed in the package cinder - 2:22.0.0-0ubuntu4~cloud0
---------------

 cinder (2:22.0.0-0ubuntu4~cloud0) jammy-bobcat; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 cinder (2:22.0.0-0ubuntu4) mantic; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
     - debian/patches/CVE-2023-2088-1.patch: Reject unsafe delete
       attachment calls.
     - debian/patches/CVE-2023-2088-2.patch: Doc: Improve service token.
     - CVE-2023-2088

Changed in cloud-archive:
status: Fix Committed → Fix Released
Changed in cinder (Ubuntu Bionic):
status: New → Won't Fix
Changed in cinder (Ubuntu Focal):
status: New → Won't Fix
Changed in ironic (Ubuntu Bionic):
status: New → Won't Fix
Changed in ironic (Ubuntu Focal):
status: New → Won't Fix
Changed in nova (Ubuntu Bionic):
status: New → Won't Fix
Changed in nova (Ubuntu Focal):
status: New → Won't Fix
Changed in python-glance-store (Ubuntu Bionic):
status: New → Won't Fix
Changed in python-glance-store (Ubuntu Focal):
status: New → Won't Fix
Changed in python-os-brick (Ubuntu Bionic):
status: New → Won't Fix
Changed in python-os-brick (Ubuntu Focal):
status: New → Won't Fix
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package cinder - 2:20.2.0-0ubuntu1.1

---------------
cinder (2:20.2.0-0ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088.patch: Reject unsafe delete
      attachment calls.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 16:26:58 -0400

Changed in cinder (Ubuntu Jammy):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package cinder - 2:22.0.0-0ubuntu1.3

---------------
cinder (2:22.0.0-0ubuntu1.3) lunar-security; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088.patch: Reject unsafe delete
      attachment calls.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 12:03:07 -0400

Changed in cinder (Ubuntu Lunar):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package nova - 3:25.1.1-0ubuntu1.1

---------------
nova (3:25.1.1-0ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088-1.patch: Use force=True for os-brick
      disconnect during delete.
    - debian/patches/CVE-2023-2088-2.patch: Enable use of service user
      token with admin context.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 16:43:41 -0400

Changed in nova (Ubuntu Jammy):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ironic - 1:21.4.0-0ubuntu1.1

---------------
ironic (1:21.4.0-0ubuntu1.1) lunar-security; urgency=medium

  * d/gbp.conf: Create stable/2023.1 branch.
  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088.patch: Fix Cinder Integration
      fallout from CVE-2023-2088
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 16:10:46 -0400

Changed in ironic (Ubuntu Lunar):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package python-glance-store - 3.0.0-0ubuntu1.3

---------------
python-glance-store (3.0.0-0ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088.patch: Add force to os-brick
      disconnect.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 15:48:16 -0400

Changed in python-glance-store (Ubuntu Jammy):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package python-os-brick - 6.2.0-0ubuntu2.3

---------------
python-os-brick (6.2.0-0ubuntu2.3) lunar-security; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088.patch: Support force disconnect for
      fibre channel.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 15:19:28 -0400

Changed in python-os-brick (Ubuntu Lunar):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package python-glance-store - 4.3.0-0ubuntu1.3

---------------
python-glance-store (4.3.0-0ubuntu1.3) lunar-security; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088.patch: Add force to os-brick
      disconnect.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 15:42:32 -0400

Changed in python-glance-store (Ubuntu Lunar):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package nova - 3:27.0.0-0ubuntu1.3

---------------
nova (3:27.0.0-0ubuntu1.3) lunar-security; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088-1.patch: Use force=True for os-brick
      disconnect during delete.
    - debian/patches/CVE-2023-2088-2.patch: Enable use of service user
      token with admin context.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 16:32:03 -0400

Changed in nova (Ubuntu Lunar):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package python-os-brick - 5.2.2-0ubuntu1.2

---------------
python-os-brick (5.2.2-0ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088.patch: Support force disconnect for
      fibre channel.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 15:37:17 -0400

Changed in python-os-brick (Ubuntu Jammy):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ironic - 1:20.1.0-0ubuntu1.1

---------------
ironic (1:20.1.0-0ubuntu1.1) jammy-security; urgency=medium

  * d/gbp.conf: Create stable/yoga branch.
  * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
    - debian/patches/CVE-2023-2088.patch: Fix Cinder Integration
      fallout from CVE-2023-2088
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Wed, 31 May 2023 16:16:26 -0400

Changed in ironic (Ubuntu Jammy):
status: Triaged → Fix Released
Utkarsh Gupta (utkarsh) wrote:

Ubuntu 22.10 (Kinetic Kudu) has reached end of life, so this bug will not be fixed for that specific release.

Changed in nova (Ubuntu Kinetic):
status: Triaged → Won't Fix
Changed in cinder (Ubuntu Kinetic):
status: Triaged → Won't Fix
Changed in python-os-brick (Ubuntu Kinetic):
status: Triaged → Won't Fix
Changed in python-glance-store (Ubuntu Kinetic):
status: Triaged → Won't Fix
Changed in ironic (Ubuntu Kinetic):
status: Triaged → Won't Fix
James Page (james-page) wrote: Update Released

The verification of the Stable Release Update for cinder has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

James Page (james-page) wrote:

This bug was fixed in the package cinder - 2:23.0.0-0ubuntu1.4~cloud0
---------------

 cinder (2:23.0.0-0ubuntu1.4~cloud0) jammy; urgency=medium
 .
   * SECURITY UPDATE for Ubuntu Cloud Archive. backport to jammy.
 .
 cinder (2:23.0.0-0ubuntu1.4) mantic-security; urgency=medium
 .
   * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
     (LP: #2059809)
     - debian/patches/CVE-2024-32498.patch: check for external qcow2 data
       file.
     - debian/control: added qemu-utils to Build-Depends so qemu-img is
       available for new tests.
     - CVE-2024-32498
 .
 cinder (2:23.0.0-0ubuntu1.2) mantic; urgency=medium
 .
   [ Jorge Merlino ]
   * Increase size of volume image metadata values to 65535 bytes
     (LP: #1988942)
 .
   [ Heather Lemon ]
   * Start cinder-volume.service after tgt.service started (LP: #1987663)
     - d/cinder-volume.service.conf: drop-in with 'After=' and 'Wants='
       ('Wants=' is not generated by pkgos-gen-systemd-unit currently).
     - d/cinder-volume.install: ship the systemd service drop-in file.
 .
 cinder (2:23.0.0-0ubuntu1.1) mantic; urgency=medium
 .
   [ Corey Bryant ]
   * d/gbp.conf: Create stable/2023.2 branch.
   * d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
     bobcat.
 .
   [ Edward Hope-Morley ]
   * Revert driver assisted volume retype (LP: #2019190)
     - d/p/0001-Revert-Driver-assisted-migration-on-retype-when-it-s.patch
 .
 cinder (2:23.0.0-0ubuntu1) mantic; urgency=medium
 .
   * New upstream release for OpenStack Bobcat.
 .
 cinder (2:23.0.0~rc1-0ubuntu1) mantic; urgency=medium
 .
   * New upstream release candidate for OpenStack Bobcat.
 .
 cinder (2:22.1.0+git2023090509.f79048d2-0ubuntu1) mantic; urgency=medium
 .
   * New upstream snapshot for OpenStack Bobcat.
   * d/p/install-missing-db-files.patch: Install missing db files, including
     cinder/db/alembic.ini.
 .
 cinder (2:22.1.0+git2023071214.c1a18fcd-0ubuntu1) mantic; urgency=medium
 .
   * d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
     bobcat.
   * New upstream snapshot for OpenStack Bobcat.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/skip-mock-spec-failures.patch: Dropped. No longer needed.
   * d/p/CVE-2023-2088-*.patch: Dropped. Fixed in snapshot.
 .
 cinder (2:22.0.0-0ubuntu4) mantic; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
     - debian/patches/CVE-2023-2088-1.patch: Reject unsafe delete
       attachment calls.
     - debian/patches/CVE-2023-2088-2.patch: Doc: Improve service token.
     - CVE-2023-2088
 .
 cinder (2:22.0.0-0ubuntu3) mantic; urgency=medium
 .
   * SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
     - debian/patches/series: Do not apply CVE-2023-2088.patch until
       patches are ready for all upstream OpenStack projects.
     - CVE-2023-2088
 .
 cinder (2:22.0.0-0ubuntu2) mantic; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access
     - debian/patches/CVE-2023-2088.patch: Reject unsafe delete
       attachment calls.
     - CVE-2023-2088
 .
 cinder (2:22.0.0-0ubuntu1) lunar; urgency=medium
 .
   * New upstream release for OpenStack Antelope.
   * d/p/s...


James Page (james-page) wrote:

The verification of the Stable Release Update for nova has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

James Page (james-page) wrote:

This bug was fixed in the package nova - 3:28.0.1-0ubuntu1.3~cloud0
---------------

 nova (3:28.0.1-0ubuntu1.3~cloud0) jammy; urgency=medium
 .
   * SECURITY UPDATE for Ubuntu Cloud Archive. backport to jammy.
 .
 nova (3:28.0.1-0ubuntu1.3) mantic-security; urgency=medium
 .
   * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
     (LP: #2059809)
     - debian/patches/CVE-2024-32498-1.patch: reject qcow files with
       data-file attributes.
     - debian/patches/CVE-2024-32498-2.patch: check images with
       format_inspector for safety.
     - debian/patches/CVE-2024-32498-3.patch: additional qemu safety
       checking on base images.
     - debian/patches/CVE-2024-32498-4.patch: fix vmdk_allowed_types
       checking.
     - CVE-2024-32498
 .
 nova (3:28.0.1-0ubuntu1) mantic; urgency=medium
 .
   * d/gbp.conf: Create stable/2023.2 branch.
   * d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
     bobcat.
   * New stable point release for OpenStack Bobcat (LP: #2046359).
 .
 nova (3:28.0.0-0ubuntu1) mantic; urgency=medium
 .
   * New upstream release for OpenStack Bobcat.
 .
 nova (3:27.1.0+git2023090509.82a17a37-0ubuntu1) mantic; urgency=medium
 .
   * New upstream snapshot for OpenStack Bobcat.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/drop-actdiag.patch: Temporarily drop actdiag until bug fixed upstream.
   * d/p/install-missing-db-files.patch: Install missing db files, including
     nova/db/api/alembic.ini and nova/db/main/alembic.ini.
 .
 nova (3:27.1.0+git2023071215.f7ce4df5-0ubuntu1) mantic; urgency=medium
 .
   * d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
     bobcat.
   * d/p/skip-if-https-proxy.patch: Test skipped if https-proxy is set
     as lpci builds in .launchpad.yaml do.
   * New upstream snapshot for OpenStack Bobcat.
   * d/p/CVE-2023-2088-*.patch: Dropped. Fixed in snapshot.
 .
 nova (3:27.0.0-0ubuntu4) mantic; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
     - debian/patches/CVE-2023-2088-1.patch: Use force=True for os-brick
       disconnect during delete.
     - debian/patches/CVE-2023-2088-2.patch: Enable use of service user
       token with admin context.
     - CVE-2023-2088
 .
 nova (3:27.0.0-0ubuntu3) mantic; urgency=medium
 .
   * SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
     - debian/patches/series: Do not apply CVE-2023-2088.patch until
       patches are ready for all upstream OpenStack projects.
     - CVE-2023-2088
 .
 nova (3:27.0.0-0ubuntu2) mantic; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access
     - debian/patches/CVE-2023-2088.patch: Use force=True for os-brick
       disconnect during delete.
     - CVE-2023-2088
 .
 nova (3:27.0.0-0ubuntu1) lunar; urgency=medium
 .
   * New upstream release for OpenStack Antelope.
 .
 nova (3:26.1.0+git2023030309.59f7a524-0ubuntu2) lunar; urgency=medium
 .
   * d/nova-compute-qemu.postinst: Add nova user to kvm group (LP: #2011535).
 .
 nova (3:26.1.0+git2023030309.59f7a524-0ubuntu1) lunar; urgency=medium
 .
   * d/watch: Drop major version.
   * New upstream snapshot for OpenStack Antelope.
 .
 nova (3:26....


James Page (james-page) wrote:

The verification of the Stable Release Update for cinder has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

James Page (james-page) wrote:

This bug was fixed in the package cinder - 2:20.3.1-0ubuntu1.4~cloud0
---------------

 cinder (2:20.3.1-0ubuntu1.4~cloud0) focal; urgency=medium
 .
   * SECURITY UPDATE for Ubuntu Cloud Archive. backport to focal.
 .
 cinder (2:20.3.1-0ubuntu1.4) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
     (LP: #2059809)
     - debian/patches/CVE-2024-32498.patch: check for external qcow2 data
       file.
     - debian/control: added qemu-utils to Build-Depends so qemu-img is
       available for new tests.
     - CVE-2024-32498
 .
 cinder (2:20.3.1-0ubuntu1.2) jammy; urgency=medium
 .
   [ Jorge Merlino ]
   * Increase size of volume image metadata values to 65535 bytes
     (LP: #1988942)
 .
   [ Heather Lemon ]
   * Start cinder-volume.service after tgt.service started (LP: #1987663)
     - d/cinder-volume.service.conf: drop-in with 'After=' and 'Wants='
       ('Wants=' is not generated by pkgos-gen-systemd-unit currently).
     - d/cinder-volume.install: ship the systemd service drop-in file.
 .
   [ Seyeong Kim ]
   * HPE3PAR: Failing to clone a volume having children (LP: #1994521):
     - d/p/0001-HPE-3PAR-Fix-umanaged-volumes-snapshots-missing.patch
     - d/p/0002-3PAR-Error-out-if-vol-cannot-be-converted-to-base.patch
     - api 4.0.17 is added as it is in the middle of the main patch
       (4.0.18)
 .
 cinder (2:20.3.1-0ubuntu1.1) jammy; urgency=medium
 .
   * Revert driver assisted volume retype (LP: #2019190):
     - d/p/0001-Revert-Driver-assisted-migration-on-retype-when-it-s.patch
 .
 cinder (2:20.3.1-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2037332).
 .
 cinder (2:20.3.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2025503).
   * d/p/CVE-2023-2088.patch: Dropped. Fixed in point release.
 .
 cinder (2:20.2.0-0ubuntu1.1) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
     - debian/patches/CVE-2023-2088.patch: Reject unsafe delete
       attachment calls.
     - CVE-2023-2088
 .
 cinder (2:20.2.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2019759).
   * d/p/lp1945500.patch: Dropped. Fixed in stable point release.
 .
 cinder (2:20.1.0-0ubuntu2.2) jammy-security; urgency=medium
 .
   * SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
     - debian/patches/series: Do not apply CVE-2023-2088.patch until
       patches are ready for all upstream OpenStack projects.
     - CVE-2023-2088
 .
 cinder (2:20.1.0-0ubuntu2.1) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access
     - debian/patches/CVE-2023-2088.patch: Reject unsafe delete
       attachment calls.
     - CVE-2023-2088
 .
 cinder (2:20.1.0-0ubuntu2) jammy; urgency=medium
 .
   * d/p/lp1945500.patch: Filter reserved image properties (LP: #1945500).
 .
 cinder (2:20.1.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2004030).
 .
 cinder (2:20.0.1-0ubuntu1) jammy; urgency=medium
 .
   * d/gbp.conf: Create stable/yoga branch.
   * New stable point r...


James Page (james-page) wrote:

The verification of the Stable Release Update for nova has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

James Page (james-page) wrote:

This bug was fixed in the package nova - 3:25.2.1-0ubuntu2.3~cloud0
---------------

 nova (3:25.2.1-0ubuntu2.3~cloud0) focal; urgency=medium
 .
   * SECURITY UPDATE for Ubuntu Cloud Archive. backport to focal.
 .
 nova (3:25.2.1-0ubuntu2.3) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
     (LP: #2059809)
     - debian/patches/CVE-2024-32498-pre1.patch: consolidate
       create_cow_image and create_image.
     - debian/patches/CVE-2024-32498-1.patch: reject qcow files with
       data-file attributes.
     - debian/patches/CVE-2024-32498-2.patch: check images with
       format_inspector for safety.
     - debian/patches/CVE-2024-32498-3.patch: additional qemu safety
       checking on base images.
     - debian/patches/CVE-2024-32498-4.patch: fix vmdk_allowed_types
       checking.
     - CVE-2024-32498
 .
 nova (3:25.2.1-0ubuntu2) jammy; urgency=medium
 .
   * d/p/libvirt-remove-default-cputune-shares-value.patch:
     Enable launch of instances with more than 9 CPUs on Jammy
     (LP: #1978489).
 .
 nova (3:25.2.1-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2037332).
 .
 nova (3:25.2.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2025503).
   * d/p/CVE-2023-2088-*.patch: Dropped. Fixed in point release.
 .
 nova (3:25.1.1-0ubuntu1.1) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
     - debian/patches/CVE-2023-2088-1.patch: Use force=True for os-brick
       disconnect during delete.
     - debian/patches/CVE-2023-2088-2.patch: Enable use of service user
       token with admin context.
     - CVE-2023-2088
 .
 nova (3:25.1.1-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2019759).
   * d/p/ignore-deleted-server-groups-in-validation.patch: Dropped. Fixed
     in stable point release.
 .
 nova (3:25.1.0-0ubuntu2.2) jammy-security; urgency=medium
 .
   * SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
     - debian/patches/series: Do not apply CVE-2023-2088.patch until
       patches are ready for all upstream OpenStack projects.
     - CVE-2023-2088
 .
 nova (3:25.1.0-0ubuntu2.1) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access
     - debian/patches/CVE-2023-2088.patch: Use force=True for os-brick
       disconnect during delete.
     - CVE-2023-2088
 .
 nova (3:25.1.0-0ubuntu2) jammy; urgency=medium
 .
   * Backport fix to ignore deleted server groups (LP: #1890244)
     d/p/ignore-deleted-server-groups-in-validation.patch
 .
 nova (3:25.1.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2004030).
 .
 nova (3:25.0.1-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #1980369).
 .
 nova (3:25.0.0-0ubuntu1.1) jammy; urgency=medium
 .
   [ Corey Bryant ]
   * d/gbp.conf: Create stable/yoga branch.
 .
   [ Felipe Reyes ]
   * d/nova-common.postinst: Don't change file permissions under
     /var/lib/nova/.ssh (LP: #1904580).
 .
 nova (3:25.0.0-0ubuntu1) jammy; urgency=med...
