[Bug 2020111] Re: CVE-2023-2088 regressions
James Page
2020111 at bugs.launchpad.net
Mon Jul 8 13:00:38 UTC 2024
This bug was fixed in the package cinder - 2:23.0.0-0ubuntu1.4~cloud0
---------------
cinder (2:23.0.0-0ubuntu1.4~cloud0) jammy; urgency=medium
.
* SECURITY UPDATE for Ubuntu Cloud Archive. Backport to jammy.
.
cinder (2:23.0.0-0ubuntu1.4) mantic-security; urgency=medium
.
* SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
(LP: #2059809)
- debian/patches/CVE-2024-32498.patch: check for external qcow2 data
file.
- debian/control: added qemu-utils to Build-Depends so qemu-img is
available for new tests.
- CVE-2024-32498
.
cinder (2:23.0.0-0ubuntu1.2) mantic; urgency=medium
.
[ Jorge Merlino ]
* Increase size of volume image metadata values to 65535 bytes
(LP: #1988942)
.
[ Heather Lemon ]
* Start cinder-volume.service after tgt.service started (LP: #1987663)
- d/cinder-volume.service.conf: drop-in with 'After=' and 'Wants='
('Wants=' is not generated by pkgos-gen-systemd-unit currently).
- d/cinder-volume.install: ship the systemd service drop-in file.
.
cinder (2:23.0.0-0ubuntu1.1) mantic; urgency=medium
.
[ Corey Bryant ]
* d/gbp.conf: Create stable/2023.2 branch.
* d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
bobcat.
.
[ Edward Hope-Morley ]
* revert driver assisted volume retype (LP: #2019190)
- d/p/0001-Revert-Driver-assisted-migration-on-retype-when-it-s.patch
.
cinder (2:23.0.0-0ubuntu1) mantic; urgency=medium
.
* New upstream release for OpenStack Bobcat.
.
cinder (2:23.0.0~rc1-0ubuntu1) mantic; urgency=medium
.
* New upstream release candidate for OpenStack Bobcat.
.
cinder (2:22.1.0+git2023090509.f79048d2-0ubuntu1) mantic; urgency=medium
.
* New upstream snapshot for OpenStack Bobcat.
* d/p/install-missing-db-files.patch: Install missing db files, including
cinder/db/alembic.ini.
.
cinder (2:22.1.0+git2023071214.c1a18fcd-0ubuntu1) mantic; urgency=medium
.
* d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
bobcat.
* New upstream snapshot for OpenStack Bobcat.
* d/control: Align (Build-)Depends with upstream.
* d/p/skip-mock-spec-failures.patch: Dropped. No longer needed.
* d/p/CVE-2023-2088-*.patch: Dropped. Fixed in snapshot.
.
cinder (2:22.0.0-0ubuntu4) mantic; urgency=medium
.
* SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
- debian/patches/CVE-2023-2088-1.patch: Reject unsafe delete
attachment calls.
- debian/patches/CVE-2023-2088-2.patch: Doc: Improve service token.
- CVE-2023-2088
.
cinder (2:22.0.0-0ubuntu3) mantic; urgency=medium
.
* SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
- debian/patches/series: Do not apply CVE-2023-2088.patch until
patches are ready for all upstream OpenStack projects.
- CVE-2023-2088
.
cinder (2:22.0.0-0ubuntu2) mantic; urgency=medium
.
* SECURITY UPDATE: Unauthorized File Access
- debian/patches/CVE-2023-2088.patch: Reject unsafe delete
attachment calls.
- CVE-2023-2088
.
cinder (2:22.0.0-0ubuntu1) lunar; urgency=medium
.
* New upstream release for OpenStack Antelope.
* d/p/skip-mock-spec-failures.patch: Rebased.
.
cinder (2:21.1.0+git2023030309.3ddce92b-0ubuntu1) lunar; urgency=medium
.
* d/control: Drop min version of python3-mypy to enable backport
to cloud-archive.
* d/watch: Drop major version.
* New upstream snapshot for OpenStack Antelope.
* d/p/skip-mock-spec-failures.patch: Rebased.
.
cinder (2:21.1.0+git2023022212.0af3df67-0ubuntu1) lunar; urgency=medium
.
* New upstream snapshot for OpenStack Antelope.
* d/control: Align (Build-)Depends with upstream.
.
cinder (2:21.1.0+git2023012815.c9e65529-0ubuntu1) lunar; urgency=medium
.
* New upstream snapshot for OpenStack Antelope.
* d/control: Align (Build-)Depends with upstream.
.
cinder (2:21.0.0+git2023011009.2db3fc3e-0ubuntu1) lunar; urgency=medium
.
* New upstream snapshot for OpenStack Antelope.
* d/control: Align (Build-)Depends with upstream.
* d/p/skip-mock-spec-failures.patch: Skip tests that are affected by
"Cannot spec a Mock object" failure.
.
cinder (2:21.0.0-0ubuntu1) kinetic; urgency=medium
.
* d/watch: Scope to 21.x.
* New upstream release for OpenStack Zed.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2020111
Title:
CVE-2023-2088 regressions
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive antelope series:
Fix Released
Status in Ubuntu Cloud Archive bobcat series:
Fix Released
Status in Ubuntu Cloud Archive victoria series:
Fix Released
Status in Ubuntu Cloud Archive wallaby series:
Fix Released
Status in Ubuntu Cloud Archive xena series:
Fix Released
Status in Ubuntu Cloud Archive yoga series:
Fix Released
Status in Ubuntu Cloud Archive zed series:
Fix Released
Status in cinder package in Ubuntu:
Fix Released
Status in nova package in Ubuntu:
Fix Released
Status in python-glance-store package in Ubuntu:
Fix Released
Status in python-os-brick package in Ubuntu:
Fix Released
Status in cinder source package in Focal:
Fix Released
Status in nova source package in Focal:
Fix Released
Status in python-glance-store source package in Focal:
Fix Released
Status in python-os-brick source package in Focal:
Fix Released
Status in cinder source package in Jammy:
Fix Released
Status in nova source package in Jammy:
Fix Released
Status in python-glance-store source package in Jammy:
Fix Released
Status in python-os-brick source package in Jammy:
Fix Released
Status in cinder source package in Kinetic:
Fix Released
Status in nova source package in Kinetic:
Fix Released
Status in python-glance-store source package in Kinetic:
Fix Released
Status in python-os-brick source package in Kinetic:
Fix Released
Status in cinder source package in Lunar:
Fix Released
Status in nova source package in Lunar:
Fix Released
Status in python-glance-store source package in Lunar:
Fix Released
Status in python-os-brick source package in Lunar:
Fix Released
Status in cinder source package in Mantic:
Fix Released
Status in nova source package in Mantic:
Fix Released
Status in python-glance-store source package in Mantic:
Fix Released
Status in python-os-brick source package in Mantic:
Fix Released
Bug description:
There has been a regression found in at least one project due to the fixes for CVE-2023-2088:
https://bugs.launchpad.net/ironic/+bug/2019892
This may also affect other projects that are yet to be known.
We will be reverting the CVE-2023-2088 patches that have been released
to nova, cinder, python-os-brick, and python-glance-store until
everything is settled upstream in order to prevent regressing our
users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2020111/+subscriptions