Comment 370 for bug 2059809

James Page (james-page) wrote :

This bug was fixed in the package glance - 2:24.2.1-0ubuntu1.2~cloud0
---------------

 glance (2:24.2.1-0ubuntu1.2~cloud0) focal; urgency=medium
 .
   * SECURITY UPDATE for Ubuntu Cloud Archive. backport to focal.
 .
 glance (2:24.2.1-0ubuntu1.2) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
     (LP: #2059809)
     - debian/patches/CVE-2024-32498-pre1.patch: limit CaptureRegion sizes
       in format_inspector for VMDK and VHDX.
     - debian/patches/CVE-2024-32498-pre2.patch: support Stream Optimized
       VMDKs.
     - debian/patches/CVE-2024-32498-1.patch: reject qcow files with
       data-file attributes.
     - debian/patches/CVE-2024-32498-2.patch: extend format_inspector for
       QCOW safety.
     - debian/patches/CVE-2024-32498-3.patch: add VMDK safety check.
     - debian/patches/CVE-2024-32498-4.patch: reject unsafe qcow and vmdk
       files.
     - debian/patches/CVE-2024-32498-5.patch: add QED format detection to
       format_inspector.
     - debian/patches/CVE-2024-32498-6.patch: add file format detection to
       format_inspector.
     - debian/patches/CVE-2024-32498-7.patch: add safety check and detection
       support to FI tool.
     - CVE-2024-32498
 .
 glance (2:24.2.1-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2037332).
 .
 glance (2:24.2.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2011713).
   * d/p/CVE-2022-47951.patch: Dropped. Fixed in stable point release.
 .
 glance (2:24.1.0-0ubuntu1.1) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Arbitrary file access
     - debian/patches/CVE-2022-47951.patch: Enforce image safety
       during image_conversion.
     - CVE-2022-47951
 .
 glance (2:24.1.0-0ubuntu1) jammy; urgency=medium
 .
   * d/gbp.conf: Create stable/yoga branch.
   * New stable point release for OpenStack Yoga (LP: #1980369).
 .
 glance (2:24.0.0-0ubuntu1) jammy; urgency=medium
 .
   * d/watch: Scope to 24.x.
   * New upstream release for OpenStack Yoga.
 .
 glance (2:24.0.0~rc1+git2022030311.d4119be05-0ubuntu1) jammy; urgency=medium
 .
   * New upstream snapshot for OpenStack Yoga.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/skip-py10-failure.patch: Dropped. Fixed in upstream snapshot.
 .
 glance (2:23.0.0+git2022011216.502fa0ffc-0ubuntu1) jammy; urgency=medium
 .
   * d/glance-common.install, d/glance-api.init.in: Install
     glance-image-import.conf.sample and add --config-dir=/etc/glance/
     to glance-api init script (LP: #1955022).
   * New upstream snapshot for OpenStack Yoga.
   * d/control, d/rules: Bump debhelper compat to 13.
 .
 glance (2:23.0.0+git2021120811.4ee7799aa-0ubuntu1) jammy; urgency=medium
 .
   * New upstream snapshot for OpenStack Yoga.
   * d/p/skip-py10-failure.patch: Skip test that is raising different
     exception with Python 3.10.
 .
 glance (2:23.0.0-0ubuntu1) impish; urgency=medium
 .
   * d/watch: Scope to 23.x.
   * New upstream release for OpenStack Xena.
   * d/control: Align (Build-)Depends with upstream.
 .
 glance (2:23.0.0~b3+git2021091316.d49eaa04c-0ubuntu1) impish; urgency=medium
 .
   * New upstream snapshot for OpenStack Xena.
   * d/p/add-root-tar-support.patch: Rebased.
 .
 glance (2:23.0.0~b2+git2021072116.62334aa4-0ubuntu1) impish; urgency=medium
 .
   * New upstream snapshot for OpenStack Xena.
   * d/control: Align (Build-)Depends with upstream.
 .
 glance (2:22.0.0+git2021061112.4f20e500-0ubuntu1) impish; urgency=medium
 .
   * New upstream snapshot for OpenStack Xena.
 .
 glance (2:22.0.0-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream release for OpenStack Wallaby.
 .
 glance (2:22.0.0~rc1-0ubuntu1) hirsute; urgency=medium
 .
   * d/watch: Track the 22.x series and fix path.
   * New upstream release candidate for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
 .
 glance (2:22.0.0~b2+git2021012915.03bf00ee-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream snapshot for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
 .
 glance (2:21.0.0+git2020120911.f102b74a-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream snapshot for OpenStack Wallaby.
 .
 glance (2:21.0.0-0ubuntu1) groovy; urgency=medium
 .
   * d/control: Update VCS paths for move to lp:~ubuntu-openstack-dev.
   * d/watch: Track the 21.x series.
   * New upstream release for OpenStack Victoria.
 .
 glance (2:21.0.0~b3~git2020091515.e16d5c9b-0ubuntu1) groovy; urgency=medium
 .
   [ Chris MacNaughton ]
   * d/control: Remove Breaks/Replaces that are older than Focal (LP: #1878419).
 .
   [ Corey Bryant ]
   * New upstream snapshot for OpenStack Victoria.
   * d/control: Align (Build-)Depends with upstream.
 .
 glance (2:21.0.0~b2~git2020073013.cfbe5f76-0ubuntu2) groovy; urgency=medium
 .
   * d/glance-common.postrm: Drop --system from deluser/delgroup calls. This
     aligns with the glance-common.postinst script reserved glance uid/gid
     (LP: #1889846).
 .
 glance (2:21.0.0~b2~git2020073013.cfbe5f76-0ubuntu1) groovy; urgency=medium
 .
   * New upstream snapshot for OpenStack Victoria.
   * Align (Build-)Depends with upstream.
 .
 glance (2:21.0.0~b1~git2020062909.e6db0b10-0ubuntu1) groovy; urgency=medium
 .
   * New upstream snapshot for OpenStack Victoria.
   * Align (Build-)Depends with upstream.
   * d/glance-common.install, d/glance-common.manpages: Remove glance-registry bits
     after upstream removal.
   * d/control: Update Standards-Version to 4.5.0.