Your message dated Sat, 04 Feb 2023 17:17:10 +0000
with message-id <[email protected]>
and subject line Bug#1029563: fixed in glance 2:21.0.0-2+deb11u1
has caused the Debian Bug report #1029563,
regarding CVE-2022-47951: vulnerability in VMDK image processing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
1029563: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029563
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: glance-api
Version: 2:25.0.0-1.1
Severity: grave
Tags: patch

This is an advance warning of a vulnerability discovered in OpenStack, to
give you, as downstream stakeholders, a chance to coordinate the release of
fixes and reduce the vulnerability window. Please treat the following
information as confidential until the proposed public disclosure date.

Title: Arbitrary file access through custom VMDK flat descriptor
Reporter: Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou (OVH)
Products: Cinder, Glance, Nova
Affects:
  Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0
  Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0
  Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0

Description:
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou (OVH)
reported a vulnerability in VMDK image processing for Cinder, Glance and
Nova. By supplying a specially created VMDK flat image which references a
specific backing file path, an authenticated user may convince systems to
return a copy of that file's contents from the server resulting in
unauthorized access to potentially sensitive data. All Cinder deployments
are affected; only Glance deployments with image conversion enabled are
affected; all Nova deployments are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to their corresponding branches on the public disclosure
date. Note that stable/wallaby and older branches are under extended
maintenance and will receive no new point releases, but patches for some
of them are provided as a courtesy.

CVE: CVE-2022-47951

Proposed public disclosure date/time: 2023-01-24, 1500UTC

Please do not make the issue public (or release public patches) before
this coordinated embargo date.

Original private report: https://launchpad.net/bugs/1996188
For access to read and comment on this report, please reply to me with
your Launchpad username and I will subscribe you.

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team
--- End Message ---
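The mechanism in the advisory above, as an added illustration that is not part of the bug report, the upstream patches or the Debian package: a VMDK text descriptor is a few lines of key=value header plus extent lines, and an extent line can name any file on disk. When Glance's image conversion (or Nova/Cinder) hands such an upload to `qemu-img convert`, qemu opens that path and emits its bytes as the disk's data, which is how a FLAT extent pointing at a server file turns into a downloadable copy of it. The checker below parses the descriptor and rejects anything that refers to a file other than the upload itself. The two descriptors are constructed samples; `ALLOWED_CREATE_TYPES`, `parse_descriptor` and `unsafe_references` are names chosen for this example, and the allowlist is an assumption in the spirit of the upstream fixes (which, as I understand them, instead let `qemu-img info --output=json` report the create-type and accept only a short list), not their exact logic.

```python
"""Reject VMDK descriptors that would make qemu-img read files on the server.

Illustrative code added for this page; not the Glance, Nova or Cinder patch.
The sample descriptors below are constructed for the example."""
import re

# Assumed allowlist of self-contained VMDK flavours: their data lives inside
# the uploaded file, so qemu-img never has to open a second path.
ALLOWED_CREATE_TYPES = {"monolithicSparse", "streamOptimized"}

# Extent line:   RW 4192256 FLAT "disk-flat.vmdk" 0
#                access sectors type filename [offset]
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+([A-Z]+)\s+"([^"]*)"(?:\s+(\d+))?\s*$')
# Header line:   createType="monolithicFlat"   or   version=1
KEYVAL_RE = re.compile(r'^([A-Za-z0-9_.]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_descriptor(text):
    """Split a VMDK text descriptor into (header dict, list of extent dicts)."""
    header, extents = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments, including the #DDB marker
        m = EXTENT_RE.match(line)
        if m:
            access, sectors, etype, fname, offset = m.groups()
            extents.append({"access": access, "sectors": int(sectors),
                            "type": etype, "file": fname,
                            "offset": int(offset or 0)})
            continue
        m = KEYVAL_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
    return header, extents


def unsafe_references(text):
    """Return the reasons to reject a descriptor; [] means it is self-contained."""
    header, extents = parse_descriptor(text)
    problems = []
    ctype = header.get("createType", "")
    if ctype not in ALLOWED_CREATE_TYPES:
        problems.append("createType %r is not in the allowlist" % ctype)
    if "parentFileNameHint" in header:
        # Differencing disk: qemu would open the parent from the server too.
        problems.append("parentFileNameHint %r names another file"
                        % header["parentFileNameHint"])
    for ext in extents:
        if ext["type"] != "SPARSE":
            # FLAT/VMFS/... extents are raw files read verbatim as disk data.
            problems.append("%s extent %r is read from the host filesystem"
                            % (ext["type"], ext["file"]))
        parts = re.split(r"[\\/]", ext["file"])
        if ext["file"][:1] in ("/", "\\") or ".." in parts:
            problems.append("extent path %r escapes the image directory"
                            % ext["file"])
    return problems


# Constructed sample: the attack shape from the advisory. Uploaded as a
# descriptor-only "flat" VMDK, it makes qemu-img convert read /etc/passwd
# as the disk's contents, which the uploader can then fetch as the image.
MALICIOUS_DESCRIPTOR = """\
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 8 FLAT "/etc/passwd" 0

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
"""

# Constructed sample: descriptor of a self-contained streamOptimized image,
# whose only extent is the file itself.
BENIGN_DESCRIPTOR = """\
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="streamOptimized"

# Extent description
RW 4192256 SPARSE "disk.vmdk"

#DDB
ddb.adapterType = "ide"
"""

if __name__ == "__main__":
    for name, desc in (("malicious", MALICIOUS_DESCRIPTOR),
                       ("benign", BENIGN_DESCRIPTOR)):
        problems = unsafe_references(desc)
        print("%s: %s" % (name, "REJECT" if problems else "accept"))
        for p in problems:
            print("  -", p)
```

The check has to run on the raw upload before anything invokes `qemu-img convert`; that is why only Glance deployments with image conversion enabled are affected, while Nova and Cinder, which always hand the image to qemu, are affected unconditionally. Only the plain-text descriptor case is handled here; for monolithicSparse and streamOptimized files the descriptor is embedded inside the binary and would have to be located first, which is the practical reason to let qemu-img do the parsing and gate on its reported create-type.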
--- Begin Message ---
Source: glance
Source-Version: 2:21.0.0-2+deb11u1
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 18 Jan 2023 10:14:44 +0100
Source: glance
Architecture: source
Version: 2:21.0.0-2+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1029563
Changes:
 glance (2:21.0.0-2+deb11u1) bullseye-security; urgency=medium
 .
   * CVE-2022-47951: By supplying a specially created VMDK flat image which
     references a specific backing file path, an authenticated user may
     convince systems to return a copy of that file's contents from the
     server resulting in unauthorized access to potentially sensitive data.
     Add upstream patch cve-2022-47951-glance-stable-victoria.patch
     (Closes: #1029563).
Checksums-Sha1:
 a55a859e2366820084168fa126fb8e887120c8c9 3768 glance_21.0.0-2+deb11u1.dsc
 5bc58570ac46747db867f53e6633bba8a68d2f0a 1471508 glance_21.0.0.orig.tar.xz
 c8ee1328ec0761ce296fe0fb83d1e7b4d11f25d2 18852 glance_21.0.0-2+deb11u1.debian.tar.xz
 ffbc487672efc487022e797d9a5f96536ad56882 18111 glance_21.0.0-2+deb11u1_amd64.buildinfo
Checksums-Sha256:
 738bf183334415d0c78e9546e1c395b225809bfa18b4fc800d6c37ab81ebbba2 3768 glance_21.0.0-2+deb11u1.dsc
 7e9e96711ca27913cae31c0992a90edd4f572a66768162324ce8aa79ccc7820d 1471508 glance_21.0.0.orig.tar.xz
 18312e8c4b194415b0a06a8419b3451f57b16a1f0e37fa4a8c376b2544b45e57 18852 glance_21.0.0-2+deb11u1.debian.tar.xz
 264766a40f873ed3fae836c778652c0469d81845a30e676e75cf313483335d4d 18111 glance_21.0.0-2+deb11u1_amd64.buildinfo
Files:
 89ab7d0ac9486b299ce7125985186a0d 3768 net optional glance_21.0.0-2+deb11u1.dsc
 bef1454ed9865225181e6ec7df9b23ff 1471508 net optional glance_21.0.0.orig.tar.xz
 0c1aceab581b54b7a88324cd5aba21a0 18852 net optional glance_21.0.0-2+deb11u1.debian.tar.xz
 fd037e53d5c991c0885fddb7d0a2419e 18111 net optional glance_21.0.0-2+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmPXv+kACgkQ1BatFaxr
Q/5MRw/+PIR+Km+VwZXdTJPt72V7XaAlouB4nutToHm1TF93w5vshObfo44nSVQe
CdBxbcPp8TdzsYM143KWzp2WVu2b/Wy2MNpvAtIvz5Pbqxbw4hX7RDBIW7hHR9cn
JjlBL6tHrN7sZP+sPjQP4Lp9MoqevkSBtlimhrE5yBg+r+SEIwuos2P/m6oDoj7v
Dwr5flg6gQ7OcpKz482dzn6fK5HaPB6Xf9QYaLL/5L0ZsDgxLAP5eiq/oLQvo6HU
n+u1ipgDdOltFbIAttFp8+uBqKeOVXzpaAfSmQkjJQm5hpaj4DOCBM4bTYMii672
2SgfqTqFw9TYsiA4SvnJ6Iy3ll9m7/7bU4yADBdtlOWW9SZ+YxDooKlc5KWZQIPj
P0W7pPitP1UcjqDwfJErX2odVSIbUL5W4Oln1jLBlLeK+OA5IjWayp41o/tTwCma
UVKScs40mlp+NUsRkIxPrqWie6PEn1scn/L+aFk5uWWBBp5IRqvJdu3ikCcFJVBD
5mJYP6TZp9Rlsc7u1WvYKrCWxhqAOc99tyfj+v41E8VOLhNcn5NExtZTeF8K8j5d
NqwkXhlVFlAHu6y4IbqUtSzluUJxYo7UbaLdLwAh7VpAGIe11/gSbEz1UG9LH8Ny
uiD/O1AgzACmo1eEHS3gTWqOfHdK/sgbNy1vDNKNoTDs6vza1t4=
=Y2Jg
-----END PGP SIGNATURE-----
--- End Message ---

