[ubuntu/focal-updates] glance 2:20.2.0-0ubuntu1.2 (Accepted)

Ubuntu Archive Robot ubuntu-archive-robot at lists.canonical.com
Mon Jul 8 13:28:53 UTC 2024


glance (2:20.2.0-0ubuntu1.2) focal-security; urgency=medium

  * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
    (LP: #2059809)
    - debian/patches/CVE-2024-32498-pre1.patch: stream-friendly disk format
      inspection module.
    - debian/patches/CVE-2024-32498-pre2.patch: fix unintentional exception
      inspecting VMDK.
    - debian/patches/CVE-2024-32498-pre3.patch: limit CaptureRegion sizes
      in format_inspector for VMDK and VHDX.
    - debian/patches/CVE-2024-32498-pre4.patch: support Stream Optimized
      VMDKs.
    - debian/patches/CVE-2024-32498-pre5.patch: add missing fail case tests
      for image_conversion.
    - debian/patches/CVE-2024-32498-pre6.patch: make action wrapper support
      arbitrary properties.
    - debian/patches/CVE-2024-32498-pre7.patch: make image_conversion use
      action wrapper.
    - debian/patches/CVE-2024-32498-pre8.patch: update image.size after
      conversion.
    - debian/patches/CVE-2024-32498-1.patch: reject qcow files with
      data-file attributes.
    - debian/patches/CVE-2024-32498-2.patch: extend format_inspector for
      QCOW safety.
    - debian/patches/CVE-2024-32498-3.patch: add VMDK safety check.
    - debian/patches/CVE-2024-32498-4.patch: reject unsafe qcow and vmdk
      files.
    - debian/patches/CVE-2024-32498-5.patch: add QED format detection to
      format_inspector.
    - debian/patches/CVE-2024-32498-6.patch: add file format detection to
      format_inspector.
    - debian/patches/CVE-2024-32498-7.patch: add safety check and detection
      support to FI tool.
    - debian/control: added qemu-utils to Build-Depends so qemu-img is
      available for new tests.
    - CVE-2024-32498
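
The patches above reject QCOW2 images whose header points the consumer at another host path. A QCOW2 header can name a backing file (non-zero backing_file_offset) and, in version 3, an external data file (incompatible-features bit 2 plus a "DATA" header extension); a conversion service that passes such an untrusted image to qemu-img without checking lets the submitter read whatever qemu-img can open. The following is an added worked example of that header-level safety check, written for this note and not Glance's own format_inspector code: the field offsets and extension type codes are taken from the public QCOW2 specification, while the parse_qcow2/qcow2_unsafe_reasons function names, the build_header test helper and the choice of which incompatible-feature bits count as "known" are assumptions made here for illustration. The sample headers are constructed in the block, so it runs offline.

```python
"""Header-only QCOW2 safety check (added example, not Glance code).

Only the fixed header and the header-extension list are parsed; the
payload clusters are never touched.  Layout constants follow the QCOW2
specification; the "known bits" policy below is an assumption for this
example (conservative: anything not understood is rejected).
"""
import struct

QCOW_MAGIC = b"QFI\xfb"
# Fixed-header field offsets (all fields big-endian), from the QCOW2 spec.
BACKING_FILE_OFFSET_OFF = 8       # uint64, 0 means "no backing file"
BACKING_FILE_SIZE_OFF = 16        # uint32
INCOMPAT_FEATURES_OFF = 72        # uint64, version 3 only
HEADER_LENGTH_OFF = 100           # uint32, version 3 only
V2_HEADER_LEN = 72                # v2 extensions start right after this
INCOMPAT_EXTERNAL_DATA_FILE = 1 << 2   # spec: "external data file" bit
KNOWN_INCOMPAT_BITS = 0b11             # dirty/corrupt bits; assumed harmless here
# Header-extension type codes from the spec.
EXT_END = 0x00000000
EXT_DATA_FILE_NAME = 0x44415441        # b"DATA"


def parse_qcow2(blob):
    """Return the safety-relevant header fields; ValueError if not QCOW2."""
    if len(blob) < V2_HEADER_LEN or blob[:4] != QCOW_MAGIC:
        raise ValueError("not a QCOW2 image")
    version, = struct.unpack_from(">I", blob, 4)
    if version not in (2, 3):
        raise ValueError("unsupported QCOW2 version %d" % version)
    bf_offset, = struct.unpack_from(">Q", blob, BACKING_FILE_OFFSET_OFF)
    bf_size, = struct.unpack_from(">I", blob, BACKING_FILE_SIZE_OFF)
    info = {"version": version, "backing_file": None,
            "incompatible_features": 0, "data_file": None}
    if bf_offset:
        # Any non-zero offset is a reference; the name itself is informational.
        info["backing_file"] = blob[bf_offset:bf_offset + bf_size]
    if version == 3:
        if len(blob) < HEADER_LENGTH_OFF + 4:
            raise ValueError("truncated v3 header")
        info["incompatible_features"], = struct.unpack_from(
            ">Q", blob, INCOMPAT_FEATURES_OFF)
        header_len, = struct.unpack_from(">I", blob, HEADER_LENGTH_OFF)
    else:
        header_len = V2_HEADER_LEN
    # Header extensions: (type u32, length u32, data padded to 8 bytes) ... END.
    pos = header_len
    while pos + 8 <= len(blob):
        ext_type, ext_len = struct.unpack_from(">II", blob, pos)
        if ext_type == EXT_END:
            break
        if ext_type == EXT_DATA_FILE_NAME:
            info["data_file"] = blob[pos + 8:pos + 8 + ext_len]
        pos += 8 + ((ext_len + 7) & ~7)
    return info


def qcow2_unsafe_reasons(blob):
    """Reasons an untrusted QCOW2 must be rejected; an empty list means OK."""
    info = parse_qcow2(blob)
    reasons = []
    if info["backing_file"] is not None:
        reasons.append("backing file reference: %r" % info["backing_file"])
    feats = info["incompatible_features"]
    # Reject on either signal: the feature bit or the name extension alone.
    if feats & INCOMPAT_EXTERNAL_DATA_FILE or info["data_file"] is not None:
        reasons.append("external data file: %r" % info["data_file"])
    unknown = feats & ~(INCOMPAT_EXTERNAL_DATA_FILE | KNOWN_INCOMPAT_BITS)
    if unknown:
        reasons.append("unknown incompatible feature bits 0x%x" % unknown)
    return reasons


def build_header(version=3, backing=None, data_file=None, incompat=0):
    """Construct a minimal QCOW2 header (test helper, no payload clusters)."""
    hdr = bytearray(104 if version == 3 else V2_HEADER_LEN)
    hdr[:4] = QCOW_MAGIC
    struct.pack_into(">I", hdr, 4, version)
    struct.pack_into(">I", hdr, 20, 16)             # cluster_bits: 64 KiB
    struct.pack_into(">Q", hdr, 24, 1 << 20)        # virtual size: 1 MiB
    exts = b""
    if version == 3:
        struct.pack_into(">Q", hdr, INCOMPAT_FEATURES_OFF, incompat)
        struct.pack_into(">I", hdr, 96, 4)          # refcount_order
        struct.pack_into(">I", hdr, HEADER_LENGTH_OFF, len(hdr))
        if data_file is not None:
            pad = (-len(data_file)) % 8
            exts += (struct.pack(">II", EXT_DATA_FILE_NAME, len(data_file))
                     + data_file + b"\0" * pad)
    exts += struct.pack(">II", EXT_END, 0)
    out = bytearray(hdr + exts)
    if backing is not None:
        # Backing-file name is stored after the extensions; point at it.
        struct.pack_into(">Q", out, BACKING_FILE_OFFSET_OFF, len(out))
        struct.pack_into(">I", out, BACKING_FILE_SIZE_OFF, len(backing))
        out += backing
    return bytes(out)


if __name__ == "__main__":
    # Constructed samples: a clean image and one with a planted data file.
    print(qcow2_unsafe_reasons(build_header()))
    print(qcow2_unsafe_reasons(build_header(
        data_file=b"/etc/shadow", incompat=INCOMPAT_EXTERNAL_DATA_FILE)))
```

The check deliberately fires on either the feature bit or the "DATA" extension, since an image crafted to carry the name without the bit (or the bit without the name) still warrants rejection, and it refuses feature bits it does not recognise rather than trusting them; a real inspector would apply this before, not instead of, deciding the format from the file's own claims, which is the point of the format-detection patches above.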

Date: 2024-07-03 19:20:17.641743+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Maintainer: OpenStack Ubuntu packagers <openstack-packaging at lists.ubuntu.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/glance/2:20.2.0-0ubuntu1.2