[Bug 2020111] Re: CVE-2023-2088 regressions

James Page 2020111 at bugs.launchpad.net
Mon Jul 8 13:01:29 UTC 2024 

This bug was fixed in the package nova - 3:28.0.1-0ubuntu1.3~cloud0
---------------

 nova (3:28.0.1-0ubuntu1.3~cloud0) jammy; urgency=medium
 .
   * SECURITY UPDATE for Ubuntu Cloud Archive. backport to jammy.
 .
 nova (3:28.0.1-0ubuntu1.3) mantic-security; urgency=medium
 .
   * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
     (LP: #2059809)
     - debian/patches/CVE-2024-32498-1.patch: reject qcow files with
       data-file attributes.
     - debian/patches/CVE-2024-32498-2.patch: check images with
       format_inspector for safety.
     - debian/patches/CVE-2024-32498-3.patch: additional qemu safety
       checking on base images.
     - debian/patches/CVE-2024-32498-4.patch: fix vmdk_allowed_types
       checking.
     - CVE-2024-32498
 .
 nova (3:28.0.1-0ubuntu1) mantic; urgency=medium
 .
   * d/gbp.conf: Create stable/2023.2 branch.
   * d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
     bobcat.
   * New stable point release for OpenStack Bobcat (LP: #2046359).
 .
 nova (3:28.0.0-0ubuntu1) mantic; urgency=medium
 .
   * New upstream release for OpenStack Bobcat.
 .
 nova (3:27.1.0+git2023090509.82a17a37-0ubuntu1) mantic; urgency=medium
 .
   * New upstream snapshot for OpenStack Bobcat.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/drop-actdiag.patch: Temporarily drop actdiag until bug fixed upstream.
   * d/p/install-missing-db-files.patch: Install missing db files, including
     nova/db/api/alembic.ini and nova/db/main/alembic.ini.
 .
 nova (3:27.1.0+git2023071215.f7ce4df5-0ubuntu1) mantic; urgency=medium
 .
   * d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
     bobcat.
   * d/p/skip-if-https-proxy.patch: Test skipped if https-proxy is set
     as lpci builds in .launchpad.yaml do.
   * New upstream snapshot for OpenStack Bobcat.
   * d/p/CVE-2023-2088-*.patch: Dropped. Fixed in snapshot.
 .
 nova (3:27.0.0-0ubuntu4) mantic; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
     - debian/patches/CVE-2023-2088-1.patch: Use force=True for os-brick
       disconnect during delete.
     - debian/patches/CVE-2023-2088-2.patch: Enable use of service user
       token with admin context.
     - CVE-2023-2088
 .
 nova (3:27.0.0-0ubuntu3) mantic; urgency=medium
 .
   * SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
     - debian/patches/series: Do not apply CVE-2023-2088.patch until
       patches are ready for all upstream OpenStack projects.
     - CVE-2023-2088
 .
 nova (3:27.0.0-0ubuntu2) mantic; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access
     - debian/patches/CVE-2023-2088.patch: Use force=True for os-brick
       disconnect during delete.
     - CVE-2023-2088
 .
 nova (3:27.0.0-0ubuntu1) lunar; urgency=medium
 .
   * New upstream release for OpenStack Antelope.
 .
 nova (3:26.1.0+git2023030309.59f7a524-0ubuntu2) lunar; urgency=medium
 .
   * d/nova-compute-qemu.postinst: Add nova user to kvm group (LP: #2011535).
 .
 nova (3:26.1.0+git2023030309.59f7a524-0ubuntu1) lunar; urgency=medium
 .
   * d/watch: Drop major version.
   * New upstream snapshot for OpenStack Antelope.
 .
 nova (3:26.1.0+git2023012815.98daf501-0ubuntu1) lunar; urgency=medium
 .
   * New upstream snapshot for OpenStack Antelope.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:26.0.0+git2023011010.5e5b6751-0ubuntu1) lunar; urgency=medium
 .
   * New upstream snapshot for OpenStack Antelope.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:26.0.0-0ubuntu1) kinetic; urgency=medium
 .
   * d/watch: Scope to 26.x series
   * New upstream release for OpenStack Zed.
   * d/control: Align (Build-)Depends with upstream.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2020111

Title:
  CVE-2023-2088 regressions

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive antelope series:
  Fix Released
Status in Ubuntu Cloud Archive bobcat series:
  Fix Released
Status in Ubuntu Cloud Archive victoria series:
  Fix Released
Status in Ubuntu Cloud Archive wallaby series:
  Fix Released
Status in Ubuntu Cloud Archive xena series:
  Fix Released
Status in Ubuntu Cloud Archive yoga series:
  Fix Released
Status in Ubuntu Cloud Archive zed series:
  Fix Released
Status in cinder package in Ubuntu:
  Fix Released
Status in nova package in Ubuntu:
  Fix Released
Status in python-glance-store package in Ubuntu:
  Fix Released
Status in python-os-brick package in Ubuntu:
  Fix Released
Status in cinder source package in Focal:
  Fix Released
Status in nova source package in Focal:
  Fix Released
Status in python-glance-store source package in Focal:
  Fix Released
Status in python-os-brick source package in Focal:
  Fix Released
Status in cinder source package in Jammy:
  Fix Released
Status in nova source package in Jammy:
  Fix Released
Status in python-glance-store source package in Jammy:
  Fix Released
Status in python-os-brick source package in Jammy:
  Fix Released
Status in cinder source package in Kinetic:
  Fix Released
Status in nova source package in Kinetic:
  Fix Released
Status in python-glance-store source package in Kinetic:
  Fix Released
Status in python-os-brick source package in Kinetic:
  Fix Released
Status in cinder source package in Lunar:
  Fix Released
Status in nova source package in Lunar:
  Fix Released
Status in python-glance-store source package in Lunar:
  Fix Released
Status in python-os-brick source package in Lunar:
  Fix Released
Status in cinder source package in Mantic:
  Fix Released
Status in nova source package in Mantic:
  Fix Released
Status in python-glance-store source package in Mantic:
  Fix Released
Status in python-os-brick source package in Mantic:
  Fix Released

Bug description:
  There has been a regression found in at least one project due to the fixes for CVE-2023-2088:
  https://bugs.launchpad.net/ironic/+bug/2019892

  This may also affect other projects that are yet to be known.

  We will be reverting the CVE-2023-2088 patches that have been released
  to nova, cinder, python-os-brick, and python-glance-store until
  everything is settled upstream in order to prevent regressing our
  users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2020111/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list