Comment 199 for bug 2059809

Thomas Goirand (thomas-goirand) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

Hi Dan Smith (danms).

Regarding your comment at #196, here are my findings.

The oslo.utils patch you are referring to is from Feb 18, 2020, and is therefore in all oslo.utils versions after Victoria. For Victoria, it was included in the 4.6.1 point release of oslo.utils. So it really only needs to be backported prior to Victoria.

FYI, I'm not planning any further backport than Debian old-stable, which is Victoria. I'll get in touch with the Debian LTS team to see if they want to backport up to Rocky.

When I'm fully done, I'll run functional testing on Victoria too. I spent 2 days repairing my CI, which had too many caracal-isms in it, but it's not working and doing a 100% on tempest again. Since I'm only missing Cinder for Victoria and Wallaby, I should soon be able to check for regressions in Victoria. If it passes Victoria, then I'll consider the other branches to be OK as well (I don't think I'll have enough time to do functional tempest checks on all branches).

Once I'm done, I'll publish patches for all packages and branches here, in Salsa.debian.org git, on osbpo.debian.net (unofficial Debian backports for all OpenStack branches that may or may not be in Debian Stable), and on security.debian.org.

At least that's my current plan ... :)