Comment 66 for bug 2071734

Given there are no remaining blockers identified, and the four patches attached to comments #40-45 from Wednesday have been tested and reviewed favorably by multiple parties, I'll proceed with the downstream stakeholder advance notification with a plan to publish a new official advisory at 15:00 UTC on 2024-07-23.

In addition to the description draft from comment #39 I'll be including these additional notes:

- The patches included should apply cleanly to the present public state of their respective branches, and depend on some commits which merged after the OSSA-2024-001 fixes as well as the final states of the Nova changes linked from that advisory (those did see some minor adjustments before they merged).

- Neither the methods introduced in these patches nor the fixes for OSSA-2024-001 are capable of blocking malicious images which are already resident in Nova's cache. At this time we do not have useful operator guidance for identifying and removing such existing images from the cache but strongly caution, if you do attempt to use the qemu-img tool to find them, to make sure you're using a version of it patched for CVE-2024-4467.