Bug#1070739: bookworm-pu: package python-glance-store/4.1.0-4

2024-05-08 Thread Salvatore Bonaccorso
Hi,

On Wed, May 08, 2024 at 09:52:01AM +0200, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: python-glance-st...@packages.debian.org
> Control: affects -1 + src:python-glance-store
> 
> [ Reason ]
> I would like to update python-glance-store/4.1.0-4 to
> python-glance-store/4.1.1-1+deb12u1 to address CVE-2024-1141
> (aka: #1063795).

Should that be 4.1.1-0+deb12u1 instead? (I do know that 4.1.1-1 was
never in the archive, but that makes sure it sorts before 4.1.1-1).

Regards,
Salvatore



Bug#1070739: bookworm-pu: package python-glance-store/4.1.0-4

2024-05-08 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-glance-st...@packages.debian.org
Control: affects -1 + src:python-glance-store

[ Reason ]
I would like to update python-glance-store/4.1.0-4 to
python-glance-store/4.1.1-1+deb12u1 to address CVE-2024-1141
(aka: #1063795).

[ Impact ]
S3 credentials may otherwise continue to be logged in glance's
log if loglevel is set to DEBUG.

[ Tests ]
The package contains and runs unit tests at build time, plus
autopkgtest. Upstream runs extensive functional tests, and
so do I, doing a full OpenStack deployment with this package.
No regression has been found.

[ Risks ]
Minimum. Only the S3 backend is impacted.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The point release announcement was published last year:
https://lists.openstack.org/archives/list/release-annou...@lists.openstack.org/thread/PY26MG7DBD4UVJDEXWMSIM4TGS52F4VX/

It can be broken down this way:

e9d2509 Add force to os-brick disconnect
3d3467d Fix tox4 error
8034cdc Update TOX_CONSTRAINTS_FILE for stable/zed
c05c7e5 Update .gitreview for stable/zed

Let me explain the commits. e9d2509 contains the fix for CVE-2023-2088
that was already in Bookworm, and that I'm therefore dropping. The
other 3 commits are to address internal OpenStack CI and Git infra, and
are not code changes. They can therefore be ignored.

So really, this update only contains the fix for CVE-2024-1141 and
nothing else, even though the upstream version bumps.

Last thing: I rewrote the patch header this way (not shown in the
attached debdiff, as I fired up reportbug -b before realizing the
patch header needed some edits):

Author: lujie 
Date: Fri, 19 Jan 2024 13:12:20 +0800
Description: CVE-2024-1141: Do not show access_key in s3 driver
 Avoid possible leakage of s3 access keys by not including them in log
 messages.
 .
 This patch includes commit d6e531af4821c8466b1e9404f12f89f6216417f2
 (change I8dc564bed33d6fc71965f4f573ae9109b410b1d4), which addressed
 some more log messages that the original patch had missed.
 .
 The two commits are squashed here for ease in backporting (and also
 to make sure that *both* are always backported).
Change-Id: I9193df38d613259b61bb369fa1040fb2c51a21d7
Origin: upstream, https://review.opendev.org/c/openstack/glance_store/+/907736
Bug: https://launchpad.net/bugs/2047688
Bug-Debian: https://bugs.debian.org/1063795
Last-Update: 2024-05-08

Please allow me to upload python-glance-store to Bookworm for the
next point release.

Cheers,

Thomas Goirand (zigo)
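As an added illustration (not glance_store's code and not taken from the debdiff below): the logging pattern behind CVE-2024-1141, a credential formatted into a DEBUG message, next to the fixed form that simply omits it, plus a `logging.Filter` that redacts known secret values and AWS-style key IDs as a second line of defence. The endpoint, bucket, key value and all function names are constructed for the example.

```python
import io
import logging
import re

# Constructed sample credential (AWS-style key ID shape, not a real key).
ACCESS_KEY = "AKIAEXAMPLE000000001"
AWS_KEY_ID_RE = re.compile(r"AKIA[0-9A-Z]{16}")


def connect_message_leaky(endpoint, bucket, access_key):
    """Pre-fix pattern: the credential is formatted into the log message."""
    return "connecting to %s bucket=%s access_key=%s" % (endpoint, bucket, access_key)


def connect_message_fixed(endpoint, bucket, access_key):
    """Post-fix pattern: the credential is never part of the message."""
    del access_key  # intentionally unused
    return "connecting to %s bucket=%s" % (endpoint, bucket)


class SecretRedactingFilter(logging.Filter):
    """Defence in depth: scrub known secrets and key-shaped tokens from records."""

    def __init__(self, secrets=(), patterns=(AWS_KEY_ID_RE,)):
        super().__init__()
        self._secrets = [s for s in secrets if s]
        self._patterns = list(patterns)

    def filter(self, record):
        msg = record.getMessage()  # render %-args first, then scrub the result
        for s in self._secrets:
            msg = msg.replace(s, "[REDACTED]")
        for pat in self._patterns:
            msg = pat.sub("[REDACTED]", msg)
        record.msg, record.args = msg, ()
        return True


def capture_debug_log(message_builder, redactor=None):
    """Emit one DEBUG line through a fresh handler and return what was written."""
    logger = logging.getLogger("s3-driver-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    if redactor is not None:
        handler.addFilter(redactor)  # handler filters run before emit()
    logger.addHandler(handler)
    logger.debug(message_builder("https://s3.example.invalid", "images", ACCESS_KEY))
    handler.flush()
    return buf.getvalue()
```

The filter only protects messages that pass through a handler it is attached to, so removing the credential from the message, as the upstream fix does, remains the primary control.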
diff -Nru python-glance-store-4.1.0/debian/changelog 
python-glance-store-4.1.1/debian/changelog
--- python-glance-store-4.1.0/debian/changelog  2023-05-12 08:52:34.0 
+0200
+++ python-glance-store-4.1.1/debian/changelog  2023-09-01 15:10:49.0 
+0200
@@ -1,3 +1,13 @@
+python-glance-store (4.1.1-1+deb12u1) bookworm; urgency=medium
+
+  * New upstream release.
+  * Drop CVE-2023-2088_Add_force_to_os-brick_disconnect.patch applied
+upstream.
+  * CVE-2024-1141: Glance Store access key logged in DEBUG log level. Add
+upstream patch: Do not show access_key in s3 driver (Closes: #1063795).
+
+ -- Thomas Goirand   Fri, 01 Sep 2023 15:10:49 +0200
+
 python-glance-store (4.1.0-4) unstable; urgency=medium
 
   * CVE-2023-2088: Unauthorized volume access through deleted volume
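Review bot: the new entry's version 4.1.1-1+deb12u1 sorts above 4.1.1-1, so if a 4.1.1-1 is ever uploaded to unstable it would not supersede this one; since 4.1.1-1 was never in the archive, 4.1.1-0+deb12u1 is the safer choice, as already raised in the reply above. The trailer date `Fri, 01 Sep 2023 15:10:49 +0200` also predates the CVE-2024-1141 fix this entry records (the patch header in the cover mail says `Last-Update: 2024-05-08`), so it should be regenerated for the actual upload. Finally, the `* New upstream release.` line could state that 4.1.1 already carries commit e9d2509 (the CVE-2023-2088 fix), which is the justification for the patch drop on the next line.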
diff -Nru 
python-glance-store-4.1.0/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
 
python-glance-store-4.1.1/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
--- 
python-glance-store-4.1.0/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
   2023-05-12 08:52:34.0 +0200
+++ 
python-glance-store-4.1.1/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
   1970-01-01 01:00:00.0 +0100
@@ -1,94 +0,0 @@
-Author: Brian Rosmaita 
-Date: Tue, 18 Apr 2023 11:22:27 -0400
-Description: CVE-2023-2088: Add force to os-brick disconnect
- In order to be sure that devices are being removed from the host,
- we should be using the 'force' parameter with os-brick's
- disconnect_volume() method.
-Bug: https://launchpad.net/bugs/2004555
-Change-Id: I63d09ad9ef465bc154c85a9ea125449c039d1b90
-Bug-Debian: https://bugs.debian.org/1035978
-Origin: upstream, https://review.opendev.org/c/openstack/glance_store/+/882853
-Last-Update: 2023-05-12
-
-diff --git a/glance_store/_drivers/cinder.py b/glance_store/_drivers/cinder.py
-index 3509348..7405b7a 100644
 a/glance_store/_drivers/cinder.py
-+++ b/glance_store/_drivers/cinder.py
-@@ -831,7 +831,10 @@
- client, attachment.id, volume_id, host, conn,
- connection_info, device)
- else:
--
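Review bot: the debdiff ends inside this hunk, so whether debian/patches/series was updated to drop this file and add the new CVE-2024-1141 patch (the two squashed upstream commits described in the cover mail) cannot be checked from this excerpt; please attach the complete debdiff. Within what is shown, the `a/glance_store/_drivers/cinder.py` line of the nested file header has lost its leading `----` markers relative to the `-+++ b/glance_store/_drivers/cinder.py` line right after it, which looks like a mail or extraction artifact rather than a defect in the patch being removed.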