Comment 358 for bug 2059809

James Page (james-page) wrote :

This bug was fixed in the package glance - 2:27.0.0-0ubuntu1.2~cloud0
---------------

 glance (2:27.0.0-0ubuntu1.2~cloud0) jammy; urgency=medium
 .
   * SECURITY UPDATE for Ubuntu Cloud Archive. backport to jammy.
 .
 glance (2:27.0.0-0ubuntu1.2) mantic-security; urgency=medium
 .
   * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
     (LP: #2059809)
     - debian/patches/CVE-2024-32498-pre1.patch: support Stream Optimized
       VMDKs.
     - debian/patches/CVE-2024-32498-1.patch: reject qcow files with
       data-file attributes.
     - debian/patches/CVE-2024-32498-2.patch: extend format_inspector for
       QCOW safety.
     - debian/patches/CVE-2024-32498-3.patch: add VMDK safety check.
     - debian/patches/CVE-2024-32498-4.patch: reject unsafe qcow and vmdk
       files.
     - debian/patches/CVE-2024-32498-5.patch: add QED format detection to
       format_inspector.
     - debian/patches/CVE-2024-32498-6.patch: add file format detection to
       format_inspector.
     - debian/patches/CVE-2024-32498-7.patch: add safety check and detection
       support to FI tool.
     - CVE-2024-32498
 .
 glance (2:27.0.0-0ubuntu1) mantic; urgency=medium
 .
   * New upstream release for OpenStack Bobcat.
 .
 glance (2:27.0.0~b2+git2023090714.b059c898-0ubuntu1) mantic; urgency=medium
 .
   * New upstream snapshot for OpenStack Bobcat.
   * d/p/install-missing-db-files.patch: Install missing db files, including
     glance/db/sqlalchemy/alembic_migrations/alembic.ini.
 .
 glance (2:27.0.0~b1+git2023071214.b350184f-0ubuntu1) mantic; urgency=medium
 .
   * New upstream snapshot for OpenStack Bobcat.
   * d/control: Align (Build-)Depends with upstream.
 .
 glance (2:27.0.0~b1+git2023061414.43b2116a-0ubuntu1) mantic; urgency=medium
 .
   * d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
     bobcat.
   * New upstream snapshot for OpenStack Bobcat.
 .
 glance (2:26.0.0-0ubuntu1) lunar; urgency=medium
 .
   * New upstream release for OpenStack Antelope.
 .
 glance (2:26.0.0~b3+git2023030211.f0371614-0ubuntu2) lunar; urgency=medium
 .
   * d/t/glance-daemons: Bump sleep to 0.5
 .
 glance (2:26.0.0~b3+git2023030211.f0371614-0ubuntu1) lunar; urgency=medium
 .
   * d/watch: Drop major version.
   * New upstream snapshot for OpenStack Antelope.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/add-root-tar-support.patch: Rebased.
 .
 glance (2:26.0.0~b2+git2023012815.907c5626-0ubuntu1) lunar; urgency=medium
 .
   * New upstream snapshot for OpenStack Antelope.
 .
 glance (2:26.0.0~b2+git2023011009.e9b40e13-0ubuntu1) lunar; urgency=medium
 .
   * New upstream snapshot for OpenStack Antelope.
 .
 glance (2:25.0.0-0ubuntu1) kinetic; urgency=medium
 .
   * d/watch: Scope to 25.x.
   * New upstream release for OpenStack Zed.
 .
 glance (2:25.0.0~b3+git2022091212.d7db4e562-0ubuntu1) kinetic; urgency=medium
 .
   * New upstream snapshot for OpenStack Zed.