Hi,

On Thu, Aug 28, 2025 at 09:59:51AM +0200, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: [email protected]
> Control: affects -1 + src:watcher
> User: [email protected]
> Usertags: pu
>
> Hi,
>
> [ Reason ]
> I'd like to fix: https://bugs.debian.org/1111692
> in Trixie. This is a vulnerability where an OpenStack volume
> may be mounted to a wrong VM.
>
> [ Impact ]
> Someone could access the volume of another tenant in an
> OpenStack deployment.
>
> [ Tests ]
> Upstream has intensive unit and functional tests. I use it
> too with the packaged version (that's on top of unit tests
> at build time and in autopkgtest).
>
> [ Risks ]
> Not much risk thanks to testing.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> Please allow me to upload watcher/14.0.0-2+deb13u1 to Trixie
> proposed-updates as per attached debdiff.
>
> Cheers,
>
> Thomas Goirand (zigo)
>
> P.S: I'm following up with the same request for Nova, as
> both have fixes for OSSN-0094.
> diff -Nru watcher-14.0.0/debian/changelog watcher-14.0.0/debian/changelog
> --- watcher-14.0.0/debian/changelog 2025-07-11 14:45:24.000000000 +0200
> +++ watcher-14.0.0/debian/changelog 2025-08-21 10:27:37.000000000 +0200
> @@ -1,3 +1,15 @@
> +watcher (14.0.0-2+deb13u1) trixie; urgency=high
> +
> + * A vulnerability has been identified in OpenStack Nova and OpenStack
> Watcher
> + in conjunction with volume swap operations performed by the Watcher
> + service. Under specific circumstances, this can lead to a situation where
> + two Nova libvirt instances could reference the same block device,
> allowing
> + accidental information disclosure to the unauthorized instance. Added
> + upstream patch: OSSN-0094_use_cinder_migrate_for_swap_volume.patch.
> + (Closes: #1111692).
> +
> + -- Thomas Goirand <[email protected]> Thu, 21 Aug 2025 10:27:37 +0200

Something is odd here: trixie has 14.0.0-1, so I believe the update should be based on top of 14.0.0-1 and versioned 14.0.0-1+deb13u1? Or can you argue why it should be based on top of the 14.0.0-2 which did back then hit unstable but did not move to trixie, i.e. are those changes needed in the point release update?

Regards,
Salvatore
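Review bot: the quoted debdiff contains only the debian/changelog hunk; the debian/patches/series change and the new OSSN-0094_use_cinder_migrate_for_swap_volume.patch file that the changelog entry refers to are not in the excerpt, so the actual fix for #1111692 cannot be reviewed from what is shown here and the complete debdiff should carry both. The version line `+watcher (14.0.0-2+deb13u1) trixie; urgency=high` also builds on 14.0.0-2 rather than the 14.0.0-1 that trixie ships, so the changelog should either be rebased onto 14.0.0-1 as 14.0.0-1+deb13u1 or document why the 14.0.0-2 changes are needed in the point release.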

