This bug was fixed in the package cinder - 2:20.3.1-0ubuntu1.4~cloud0
---------------
cinder (2:20.3.1-0ubuntu1.4~cloud0) focal; urgency=medium
.
* SECURITY UPDATE for Ubuntu Cloud Archive. backport to focal.
.
cinder (2:20.3.1-0ubuntu1.4) jammy-security; urgency=medium
.
* SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
  (LP: #2059809)
  - debian/patches/CVE-2024-32498.patch: check for external qcow2 data
    file.
  - debian/control: added qemu-utils to Build-Depends so qemu-img is
    available for new tests.
  - CVE-2024-32498
.
cinder (2:20.3.1-0ubuntu1.2) jammy; urgency=medium
.
[ Jorge Merlino ]
* Increase size of volume image metadata values to 65535 bytes
  (LP: #1988942)
.
[ Heather Lemon ]
* Start cinder-volume.service after tgt.service started (LP: #1987663)
  - d/cinder-volume.service.conf: drop-in with 'After=' and 'Wants='
    ('Wants=' is not generated by pkgos-gen-systemd-unit currently).
  - d/cinder-volume.install: ship the systemd service drop-in file.
.
[ Seyeong Kim ]
* HPE3PAR: Failing to clone a volume having children (LP: #1994521):
  - d/p/0001-HPE-3PAR-Fix-umanaged-volumes-snapshots-missing.patch
  - d/p/0002-3PAR-Error-out-if-vol-cannot-be-converted-to-base.patch
  - api 4.0.17 is added as it is in the middle of the main patch
    (4.0.18)
.
cinder (2:20.3.1-0ubuntu1.1) jammy; urgency=medium
.
* Revert driver assisted volume retype (LP: #2019190):
  - d/p/0001-Revert-Driver-assisted-migration-on-retype-when-it-s.patch
.
cinder (2:20.3.1-0ubuntu1) jammy; urgency=medium
.
* New stable point release for OpenStack Yoga (LP: #2037332).
.
cinder (2:20.3.0-0ubuntu1) jammy; urgency=medium
.
* New stable point release for OpenStack Yoga (LP: #2025503).
* d/p/CVE-2023-2088.patch: Dropped. Fixed in point release.
.
cinder (2:20.2.0-0ubuntu1.1) jammy-security; urgency=medium
.
* SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
  - debian/patches/CVE-2023-2088.patch: Reject unsafe delete
    attachment calls.
  - CVE-2023-2088
.
cinder (2:20.2.0-0ubuntu1) jammy; urgency=medium
.
* New stable point release for OpenStack Yoga (LP: #2019759).
* d/p/lp1945500.patch: Dropped. Fixed in stable point release.
.
cinder (2:20.1.0-0ubuntu2.2) jammy-security; urgency=medium
.
* SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
  - debian/patches/series: Do not apply CVE-2023-2088.patch until
    patches are ready for all upstream OpenStack projects.
  - CVE-2023-2088
.
cinder (2:20.1.0-0ubuntu2.1) jammy-security; urgency=medium
.
* SECURITY UPDATE: Unauthorized File Access
  - debian/patches/CVE-2023-2088.patch: Reject unsafe delete
    attachment calls.
  - CVE-2023-2088
.
cinder (2:20.1.0-0ubuntu2) jammy; urgency=medium
.
* d/p/lp1945500.patch: Filter reserved image properties (LP: #1945500).
.
cinder (2:20.1.0-0ubuntu1) jammy; urgency=medium
.
* New stable point release for OpenStack Yoga (LP: #2004030).
.
cinder (2:20.0.1-0ubuntu1) jammy; urgency=medium
.
* d/gbp.conf: Create stable/yoga branch.
* New stable point release for OpenStack Yoga (LP: #1985084).
.
cinder (2:20.0.0-0ubuntu1) jammy; urgency=medium
.
* d/watch: Scope to 20.x.
* New upstream release for OpenStack Yoga.
* d/control: Align (Build-)Depends with upstream.
.
cinder (2:19.0.0+git2022030310.b49fb59a6-0ubuntu2) jammy; urgency=medium
.
* d/p/fix-qos-computation.patch: Cherry-pick from upstream review to
  fix TypeError exception when generating QOS feature name (LP: #1948507).
.
cinder (2:19.0.0+git2022030310.b49fb59a6-0ubuntu1) jammy; urgency=medium
.
* New upstream snapshot for OpenStack Yoga.
.
cinder (2:19.0.0+git2022011215.23494a6d6-0ubuntu1) jammy; urgency=medium
.
* New upstream snapshot for OpenStack Yoga.
* d/control, d/rules: Bump debhelper compat to 13.
.
cinder (2:19.0.0+git2021120811.e5ef39604-0ubuntu2) jammy; urgency=medium
.
* d/t/control: Add allow-stderr restriction to prevent autopkgtest failure
  when SQLAlchemy issues a warning.
.
cinder (2:19.0.0+git2021120811.e5ef39604-0ubuntu1) jammy; urgency=medium
.
* New upstream snapshot for OpenStack Yoga.
* d/control: Align (Build-)Depends with upstream.
.
cinder (2:19.0.0-0ubuntu2) impish; urgency=medium
.
* d/py3dist-overrides: Add SQLAlchemy to ensure d/control is not overridden.
* d/control: Align (Build-)Depends with upstream.
.
cinder (2:19.0.0-0ubuntu1) impish; urgency=medium
.
* d/watch: Scope to 19.x.
* New upstream release for OpenStack Xena.
.
cinder (2:19.0.0~b1+git2021091409.768b8996b-0ubuntu1) impish; urgency=medium
.
* New upstream snapshot for OpenStack Xena.
.
cinder (2:18.0.0+git2021072116.81f2aaeea-0ubuntu1) impish; urgency=medium
.
* New upstream snapshot for OpenStack Xena.
* d/control: Align (Build-)Depends with upstream.
.
cinder (2:18.0.0+git2021061414.d5f0e5187-0ubuntu1) impish; urgency=medium
.
* New upstream snapshot for OpenStack Xena.
* d/control: Align (Build-)Depends with upstream.
.
cinder (2:18.0.0-0ubuntu3) hirsute; urgency=medium
.
* d/p/skip-victoria-failures.patch: Restored and rebased. This is still
  necessary for Launchpad builds.
.
cinder (2:18.0.0-0ubuntu2) hirsute; urgency=medium
.
* d/p/skip-victoria-failures.patch: Dropped. Fixed upstream.
* d/p/add-mock-psutil-in-quobyte-tests.patch: Dropped. Fixed upstream.
.
cinder (2:18.0.0-0ubuntu1) hirsute; urgency=medium
.
* New upstream release for OpenStack Wallaby.
.
cinder (2:18.0.0~b1-0ubuntu2) hirsute; urgency=medium
.
* d/py3dist-overrides: Add boto3 which is a Suggests.
.
cinder (2:18.0.0~b1-0ubuntu1) hirsute; urgency=medium
.
* d/watch: Track 18.x series.
* New upstream milestone for OpenStack Wallaby.
* d/control: Align (Build-)Depends with upstream.
* d/p/skip-moto-tests.patch: Skip test dependency that is not yet
  packaged in Ubuntu and was added late in cycle.
* d/p/patch-botocore-exceptions.patch: Account for changes to botocore
  vendored exceptions.
.
cinder (2:17.0.1+git2021012507.d26092348-0ubuntu3) hirsute; urgency=medium
.
* d/*: Remove tgt in favor of targetcli-fb.
.
cinder (2:17.0.1+git2021012507.d26092348-0ubuntu2) hirsute; urgency=medium
.
* d/p/add-mock-psutil-in-quobyte-tests.patch: Add a mock of psutil
  disk_partitions to fix failing unit test (LP: #1913607).
.
cinder (2:17.0.1+git2021012507.d26092348-0ubuntu1) hirsute; urgency=medium
.
* New upstream snapshot for OpenStack Wallaby.
.
cinder (2:17.0.1+git2021010614.a9c922ab7-0ubuntu1) hirsute; urgency=medium
.
* New upstream snapshot for OpenStack Wallaby.
* d/control: Align (Build-)Depends with upstream.
.
cinder (2:17.0.1+git2020120911.d3ffa90ba-0ubuntu1) hirsute; urgency=medium
.
* New upstream snapshot for OpenStack Wallaby.
* d/control: Align (Build-)Depends with upstream.
.
cinder (2:17.0.0-0ubuntu1) groovy; urgency=medium
.
* New upstream release for OpenStack Victoria.
.
cinder (2:17.0.0~rc2-0ubuntu1) groovy; urgency=medium
.
* d/control: Update VCS paths for move to lp:~ubuntu-openstack-dev.
* d/watch: Track 17.x series.
* New upstream release candidate for OpenStack Victoria.
* d/control: Align (Build-)Depends with upstream.
.
cinder (2:17.0.0~b3~git2020091007.afcaf0b9d-0ubuntu3) groovy; urgency=medium
.
* d/py3dist-overrides: Add python3-zstd to py3dist-overrides.
.
cinder (2:17.0.0~b3~git2020091007.afcaf0b9d-0ubuntu2) groovy; urgency=medium
.
* d/p/skip-victoria-failures.patch: Restored to skip failing unit tests.
.
cinder (2:17.0.0~b3~git2020091007.afcaf0b9d-0ubuntu1) groovy; urgency=medium
.
* d/control: Remove Breaks/Replaces that are older than Focal (LP: #1878419).
* New upstream snapshot for OpenStack Victoria.
* d/control: Align (Build-)Depends with upstream.
* d/p/*: Removed. Changes landed upstream and tests fixed.
* d/control: Add new python3-zstd package to depends.
.
cinder (2:17.0.0~b2~git2020073012.2124f39f9-0ubuntu1) groovy; urgency=medium
.
* New upstream snapshot for OpenStack Victoria.
* d/p/*: Refreshed.
.
cinder (2:17.0.0~b1~git2020062409.85fcf1057-0ubuntu1) groovy; urgency=medium
.
* SECURITY UPDATE: Dell EMC ScaleIO/VxFlex OS Backend Credentials Exposure
  (LP: #1823200)
  - Remove VxFlex OS credentials from connection_properties. Passwords are
    now stored in separate file and are retrieved during each attach/detach
    operation. Cinder is patched in 16.1.0 stable point release.
  - d/control: Align (Build-)Depends with min version of python3-os-brick
    required to fix credential exposure.
  - CVE-2020-10755
* New upstream snapshot for OpenStack Victoria.
* d/control: Align (Build-)Depends with upstream.
* d/p/py38skip.patch: Dropped. No longer needed.
* d/p/skip-victoria-failures.patch: Rebased and updated with upstream bug.