[Bug 2021980] Re: Unauthorized volume access through deleted volume attachments (CVE-2023-2088)
James Page
2021980 at bugs.launchpad.net
Mon Jul 8 13:00:45 UTC 2024
This bug was fixed in the package cinder - 2:23.0.0-0ubuntu1.4~cloud0
---------------
cinder (2:23.0.0-0ubuntu1.4~cloud0) jammy; urgency=medium
.
* SECURITY UPDATE for Ubuntu Cloud Archive. backport to jammy.
.
cinder (2:23.0.0-0ubuntu1.4) mantic-security; urgency=medium
.
* SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
(LP: #2059809)
- debian/patches/CVE-2024-32498.patch: check for external qcow2 data
file.
- debian/control: added qemu-utils to Build-Depends so qemu-img is
available for new tests.
- CVE-2024-32498
.
cinder (2:23.0.0-0ubuntu1.2) mantic; urgency=medium
.
[ Jorge Merlino ]
* Increase size of volume image metadata values to 65535 bytes
(LP: #1988942)
.
[ Heather Lemon ]
* Start cinder-volume.service after tgt.service started (LP: #1987663)
- d/cinder-volume.service.conf: drop-in with 'After=' and 'Wants='
('Wants=' is not generated by pkgos-gen-systemd-unit currently).
- d/cinder-volume.install: ship the systemd service drop-in file.
.
cinder (2:23.0.0-0ubuntu1.1) mantic; urgency=medium
.
[ Corey Bryant ]
* d/gbp.conf: Create stable/2023.2 branch.
* d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
bobcat.
.
[ Edward Hope-Morley ]
* revert driver assister volume retype (LP: #2019190)
- d/p/0001-Revert-Driver-assisted-migration-on-retype-when-it-s.patch
.
cinder (2:23.0.0-0ubuntu1) mantic; urgency=medium
.
* New upstream release for OpenStack Bobcat.
.
cinder (2:23.0.0~rc1-0ubuntu1) mantic; urgency=medium
.
* New upstream release candidate for OpenStack Bobcat.
.
cinder (2:22.1.0+git2023090509.f79048d2-0ubuntu1) mantic; urgency=medium
.
* New upstream snapshot for OpenStack Bobcat.
* d/p/install-missing-db-files.patch: Install missing db files, including
cinder/db/alembic.ini.
.
cinder (2:22.1.0+git2023071214.c1a18fcd-0ubuntu1) mantic; urgency=medium
.
* d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
bobcat.
* New upstream snapshot for OpenStack Bobcat.
* d/control: Align (Build-)Depends with upstream.
* d/p/skip-mock-spec-failures.patch: Dropped. No longer needed.
* d/p/CVE-2023-2088-*.patch: Dropped. Fixed in snapshot.
.
cinder (2:22.0.0-0ubuntu4) mantic; urgency=medium
.
* SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
- debian/patches/CVE-2023-2088-1.patch: Reject unsafe delete
attachment calls.
- debian/patches/CVE-2023-2088-2.patch: Doc: Improve service token.
- CVE-2023-2088
.
cinder (2:22.0.0-0ubuntu3) mantic; urgency=medium
.
* SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
- debian/patches/series: Do not apply CVE-2023-2088.patch until
patches are ready for all upstream OpenStack projects.
- CVE-2023-2088
.
cinder (2:22.0.0-0ubuntu2) mantic; urgency=medium
.
* SECURITY UPDATE: Unauthorized File Access
- debian/patches/CVE-2023-2088.patch: Reject unsafe delete
attachment calls.
- CVE-2023-2088
.
cinder (2:22.0.0-0ubuntu1) lunar; urgency=medium
.
* New upstream release for OpenStack Antelope.
* d/p/skip-mock-spec-failures.patch: Rebased.
.
cinder (2:21.1.0+git2023030309.3ddce92b-0ubuntu1) lunar; urgency=medium
.
* d/control: Drop min version of python3-mypy to enable backport
to cloud-archive.
* d/watch: Drop major version.
* New upstream snapshot for OpenStack Antelope.
* d/p/skip-mock-spec-failures.patch: Rebased.
.
cinder (2:21.1.0+git2023022212.0af3df67-0ubuntu1) lunar; urgency=medium
.
* New upstream snapshot for OpenStack Antelope.
* d/control: Align (Build-)Depends with upstream.
.
cinder (2:21.1.0+git2023012815.c9e65529-0ubuntu1) lunar; urgency=medium
.
* New upstream snapshot for OpenStack Antelope.
* d/control: Align (Build-)Depends with upstream.
.
cinder (2:21.0.0+git2023011009.2db3fc3e-0ubuntu1) lunar; urgency=medium
.
* New upstream snapshot for OpenStack Antelope.
* d/control: Align (Build-)Depends with upstream.
* d/p/skip-mock-spec-failures.patch: Skip tests that are affected by
"Cannot spec a Mock object" failure.
.
cinder (2:21.0.0-0ubuntu1) kinetic; urgency=medium
.
* d/watch: Scope to 21.x.
* New upstream release for OpenStack Zed.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to cinder in Ubuntu.
https://bugs.launchpad.net/bugs/2021980
Title:
Unauthorized volume access through deleted volume attachments
(CVE-2023-2088)
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive antelope series:
Fix Released
Status in Ubuntu Cloud Archive bobcat series:
Fix Released
Status in Ubuntu Cloud Archive ussuri series:
Won't Fix
Status in Ubuntu Cloud Archive victoria series:
Won't Fix
Status in Ubuntu Cloud Archive wallaby series:
Won't Fix
Status in Ubuntu Cloud Archive xena series:
Won't Fix
Status in Ubuntu Cloud Archive yoga series:
Fix Released
Status in Ubuntu Cloud Archive zed series:
Fix Released
Status in cinder package in Ubuntu:
Fix Released
Status in ironic package in Ubuntu:
Fix Released
Status in nova package in Ubuntu:
Fix Released
Status in python-glance-store package in Ubuntu:
Fix Released
Status in python-os-brick package in Ubuntu:
Fix Released
Status in cinder source package in Bionic:
Won't Fix
Status in ironic source package in Bionic:
Won't Fix
Status in nova source package in Bionic:
Won't Fix
Status in python-glance-store source package in Bionic:
Won't Fix
Status in python-os-brick source package in Bionic:
Won't Fix
Status in cinder source package in Focal:
Won't Fix
Status in ironic source package in Focal:
Won't Fix
Status in nova source package in Focal:
Won't Fix
Status in python-glance-store source package in Focal:
Won't Fix
Status in python-os-brick source package in Focal:
Won't Fix
Status in cinder source package in Jammy:
Fix Released
Status in ironic source package in Jammy:
Fix Released
Status in nova source package in Jammy:
Fix Released
Status in python-glance-store source package in Jammy:
Fix Released
Status in python-os-brick source package in Jammy:
Fix Released
Status in cinder source package in Kinetic:
Won't Fix
Status in ironic source package in Kinetic:
Won't Fix
Status in nova source package in Kinetic:
Won't Fix
Status in python-glance-store source package in Kinetic:
Won't Fix
Status in python-os-brick source package in Kinetic:
Won't Fix
Status in cinder source package in Lunar:
Fix Released
Status in ironic source package in Lunar:
Fix Released
Status in nova source package in Lunar:
Fix Released
Status in python-glance-store source package in Lunar:
Fix Released
Status in python-os-brick source package in Lunar:
Fix Released
Status in cinder source package in Mantic:
Fix Released
Status in ironic source package in Mantic:
Fix Released
Status in nova source package in Mantic:
Fix Released
Status in python-glance-store source package in Mantic:
Fix Released
Status in python-os-brick source package in Mantic:
Fix Released
Bug description:
OpenStack security advisory:
https://security.openstack.org/ossa/OSSA-2023-003.html
Note: This is the second attempt at patching this CVE. The first time
with the embargo patches resulted in an ironic regression. There have
also been additional changes since the embargo patches. We also want
to coordinate documentation better this time as service tokens are now
required.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2021980/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list