Your message dated Tue, 24 Jan 2023 16:45:10 +0000
with message-id <e1pkmq2-008yfy...@fasolo.debian.org>
and subject line Bug#1029561: fixed in nova 2:26.0.0-6
has caused the Debian Bug report #1029561,
regarding CVE-2022-47951: vulnerability in VMDK image processing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1029561: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029561
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nova-compute
Version: 2:26.0.0-5
Severity: grave
Tags: patch
This is an advance warning of a vulnerability discovered in
OpenStack, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.
Title: Arbitrary file access through custom VMDK flat descriptor
Reporter: Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien
Rannou (OVH)
Products: Cinder, Glance, Nova
Affects: Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0;
Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0;
Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0
Description:
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou
(OVH) reported a vulnerability in VMDK image processing for Cinder,
Glance and Nova. By supplying a specially created VMDK flat image
which references a specific backing file path, an authenticated user
may convince systems to return a copy of that file's contents from
the server resulting in unauthorized access to potentially sensitive
data. All Cinder deployments are affected; only Glance deployments
with image conversion enabled are affected; all Nova deployments are
affected.
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date. Note that stable/wallaby and older branches are
under extended maintenance and will receive no new point releases,
but patches for some of them are provided as a courtesy.
CVE: CVE-2022-47951
Proposed public disclosure date/time:
2023-01-24, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.
Original private report:
https://launchpad.net/bugs/1996188
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.
--
Jeremy Stanley
OpenStack Vulnerability Management Team
--- End Message ---
--- Begin Message ---
Source: nova
Source-Version: 2:26.0.0-6
Done: Thomas Goirand <z...@debian.org>
We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1029...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated nova package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 24 Jan 2023 14:11:46 +0100
Source: nova
Architecture: source
Version: 2:26.0.0-6
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1029561
Changes:
nova (2:26.0.0-6) unstable; urgency=high
.
* CVE-2022-47951: By supplying a specially created VMDK flat image which
references a specific backing file path, an authenticated user may convince
systems to return a copy of that file's contents from the server resulting
in unauthorized access to potentially sensitive data. Add upstream patch
cve-2022-47951-glance-stable-zed.patch (Closes: #1029561).
Checksums-Sha1:
505c29ba929e249cf22955e1c7edd7702c21f482 5042 nova_26.0.0-6.dsc
3daa1f3524316bb60961ee7c617770fda2f84dff 62696 nova_26.0.0-6.debian.tar.xz
32cadc362c6f3f009c1b37e3399d1c90989045be 22202 nova_26.0.0-6_amd64.buildinfo
Checksums-Sha256:
4ed40c6cf1e2f069f881418341692fa9d42a4c5b79d8680f044cfedf907ca146 5042
nova_26.0.0-6.dsc
a010170a561579be0b5e75d4cea48654a1939b3ae8c58a16b47433db99d67d8c 62696
nova_26.0.0-6.debian.tar.xz
5db77128c47f971774d6ba4ebd26bfe5fc11fa3f47199a86053138d51d140fbb 22202
nova_26.0.0-6_amd64.buildinfo
Files:
06fb71f148e5e26e2f3c5225a13487ba 5042 net optional nova_26.0.0-6.dsc
9b5cb17a1905b86ca0cb83722aa180bd 62696 net optional nova_26.0.0-6.debian.tar.xz
e6c4b454d8cee51c352c46e9ac09dda7 22202 net optional
nova_26.0.0-6_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmPQAt8ACgkQ1BatFaxr
Q/7Gmw//R5/srmTolvgFfKhfeWlfDgw5ZlzdtZG2Wmt0c4kULbhOPdF2B/jnmSih
d//QmRoFpzET1E70ze5SYwfc00sM+Qh3xXDT25xwQlWwW1vCraAwY31hTbEOBkNY
ql1fy48YmnA27BCPaVZvpfx82DDkcsMgSTi3fAkacrsRAM5XzNiJzljAR317N3lv
YBcjfXCl0AojWSOl+P0xW7dTZpRz6ScDeDhRgrSjGskxpU4uRUmL+n52ozdPgBIs
jzpY+jm4LKIwpl2FiemLZKsfyAHIFtbBF6017N0irBWo6gKz4mQdlz5HxE7bDTXp
/pRZQHYOv/d5y5ifroRYznGu33z3wZk3/zOfNuKY1jGDpROjg7QKFYclb9s7ASCl
FJTsaP0aJD5ksAakXTzZCcdqGUmPFjEmw3bWamun1boGKvspGZsW6dbslPBU8Jy1
AMtYf27ZCVxy1+38BxfE363BUZosv9cMnFCIa9cCHxKqFqlZIVu/l+h3fqRD/tHz
YHDNnJzQ2xro2jzoqj2llkUzz9kOJOK1VJRb5bQs1t43d00m+zYUQCva/4WwEwMU
OMPtAMW1UpiAZOsQUD+YFVA/lk5PE4C0eIH1ZTqs9xbqwrtGwRO0kIlUe4/MLMn9
I3MzlXuMIDxPhmcTwxhNoNzdfgwII9kKUgRMJUolsTS8Crnakvs=
=y79u
-----END PGP SIGNATURE-----
--- End Message ---
