Bug#1070739: bookworm-pu: package python-glance-store/4.1.0-4

2024-06-22 Thread Salvatore Bonaccorso
On Sat, Jun 15, 2024 at 07:29:56PM +0100, Adam D. Barratt wrote:
> Control: tags -1 -moreinfo +confirmed
> 
> On Sat, 2024-06-15 at 16:21 +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> > 
> > On Wed, 2024-05-08 at 17:59 +0200, Salvatore Bonaccorso wrote:
> > > Hi,
> > > 
> > > On Wed, May 08, 2024 at 09:52:01AM +0200, Thomas Goirand wrote:
> > > 
> > [...]
> > > > I would like to update python-glance-store/4.1.0-4 to
> > > > python-glance-store/4.1.1-1+deb12u1 to address CVE-2024-1141
> > > > (aka: #1063795).
> > > 
> > > Should that be 4.1.1-0+deb12u1 instead? (I do know that 4.1.1-1 was
> > > never in the archive, but that makes sure it sorts before 4.1.1-1).
> > 
> > Yes, indeed.
> > 
> > Both the Security Tracker and BTS suggest that this issue affects
> > unstable and is not yet fixed there. What's the status?
> 
> Apparently the metadata was outdated. Thanks for checking and updating
> it, Salvatore.
> 
> Please go ahead, using 4.1.1-0+deb12u1 as the version number.

Thomas, did you see this ack from Adam?

Regards,
Salvatore



Bug#1070739: bookworm-pu: package python-glance-store/4.1.0-4

2024-06-15 Thread Adam D. Barratt
Control: tags -1 -moreinfo +confirmed

On Sat, 2024-06-15 at 16:21 +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Wed, 2024-05-08 at 17:59 +0200, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Wed, May 08, 2024 at 09:52:01AM +0200, Thomas Goirand wrote:
> > 
> [...]
> > > I would like to update python-glance-store/4.1.0-4 to
> > > python-glance-store/4.1.1-1+deb12u1 to address CVE-2024-1141
> > > (aka: #1063795).
> > 
> > Should that be 4.1.1-0+deb12u1 instead? (I do know that 4.1.1-1 was
> > never in the archive, but that makes sure it sorts before 4.1.1-1).
> 
> Yes, indeed.
> 
> Both the Security Tracker and BTS suggest that this issue affects
> unstable and is not yet fixed there. What's the status?

Apparently the metadata was outdated. Thanks for checking and updating
it, Salvatore.

Please go ahead, using 4.1.1-0+deb12u1 as the version number.

Regards,

Adam



Bug#1070739: bookworm-pu: package python-glance-store/4.1.0-4

2024-06-15 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Wed, 2024-05-08 at 17:59 +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Wed, May 08, 2024 at 09:52:01AM +0200, Thomas Goirand wrote:
> 
[...]
> > I would like to update python-glance-store/4.1.0-4 to
> > python-glance-store/4.1.1-1+deb12u1 to address CVE-2024-1141
> > (aka: #1063795).
> 
> Should that be 4.1.1-0+deb12u1 instead? (I do know that 4.1.1-1 was
> never in the archive, but that makes sure it sorts before 4.1.1-1).

Yes, indeed.

Both the Security Tracker and BTS suggest that this issue affects
unstable and is not yet fixed there. What's the status?

Regards,

Adam



Bug#1070739: bookworm-pu: package python-glance-store/4.1.0-4

2024-05-08 Thread Salvatore Bonaccorso
Hi,

On Wed, May 08, 2024 at 09:52:01AM +0200, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: python-glance-st...@packages.debian.org
> Control: affects -1 + src:python-glance-store
> 
> [ Reason ]
> I would like to update python-glance-store/4.1.0-4 to
> python-glance-store/4.1.1-1+deb12u1 to address CVE-2024-1141
> (aka: #1063795).

Should that be 4.1.1-0+deb12u1 instead? (I do know that 4.1.1-1 was
never in the archive, but that makes sure it sorts before 4.1.1-1).

Regards,
Salvatore



Bug#1070739: bookworm-pu: package python-glance-store/4.1.0-4

2024-05-08 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-glance-st...@packages.debian.org
Control: affects -1 + src:python-glance-store

[ Reason ]
I would like to update python-glance-store/4.1.0-4 to
python-glance-store/4.1.1-1+deb12u1 to address CVE-2024-1141
(aka: #1063795).

[ Impact ]
S3 credentials may otherwise continue to be logged in glance's
log if loglevel is set to DEBUG.

[ Tests ]
The package contains and runs unit tests at build time, plus
autopkgtest. Upstream runs extensive functional tests, and
so do I, doing a full OpenStack deployment with this package.
No regression has been found.

[ Risks ]
Minimal. Only the S3 backend is impacted.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The point release announcement was published last year:
https://lists.openstack.org/archives/list/release-annou...@lists.openstack.org/thread/PY26MG7DBD4UVJDEXWMSIM4TGS52F4VX/

It can be broken down this way:

e9d2509 Add force to os-brick disconnect
3d3467d Fix tox4 error
8034cdc Update TOX_CONSTRAINTS_FILE for stable/zed
c05c7e5 Update .gitreview for stable/zed

Let me explain the commits. e9d2509 contains the fix for CVE-2023-2088
that was already in Bookworm, and that I'm therefore dropping. The
other 3 commits are to address internal OpenStack CI and Git infra, and
are not code changes. They can therefore be ignored.

So really, this update only contains the fix for CVE-2024-1141 and
nothing else, even though the upstream version bumps.

Last thing: I rewrote the patch header this way (not shown in the
attached debdiff, as I fired up reportbug -b before realizing the
patch header needed some edits):

Author: lujie 
Date: Fri, 19 Jan 2024 13:12:20 +0800
Description: CVE-2024-1141: Do not show access_key in s3 driver
 Avoid possible leakage of s3 access keys by not including them in log
 messages.
 .
 This patch includes commit d6e531af4821c8466b1e9404f12f89f6216417f2
 (change I8dc564bed33d6fc71965f4f573ae9109b410b1d4), which addressed
 some more log messages that the original patch had missed.
 .
 The two commits are squashed here for ease in backporting (and also
 to make sure that *both* are always backported).
Change-Id: I9193df38d613259b61bb369fa1040fb2c51a21d7
Origin: upstream, https://review.opendev.org/c/openstack/glance_store/+/907736
Bug: https://launchpad.net/bugs/2047688
Bug-Debian: https://bugs.debian.org/1063795
Last-Update: 2024-05-08

Please allow me to upload python-glance-store to Bookworm for the
next point release.

Cheers,

Thomas Goirand (zigo)
diff -Nru python-glance-store-4.1.0/debian/changelog 
python-glance-store-4.1.1/debian/changelog
--- python-glance-store-4.1.0/debian/changelog  2023-05-12 08:52:34.0 
+0200
+++ python-glance-store-4.1.1/debian/changelog  2023-09-01 15:10:49.0 
+0200
@@ -1,3 +1,13 @@
+python-glance-store (4.1.1-1+deb12u1) bookworm; urgency=medium
+
+  * New upstream release.
+  * Drop CVE-2023-2088_Add_force_to_os-brick_disconnect.patch applied
+upstream.
+  * CVE-2024-1141: Glance Store access key logged in DEBUG log level. Add
+upstream patch: Do not show access_key in s3 driver (Closes: #1063795).
+
+ -- Thomas Goirand   Fri, 01 Sep 2023 15:10:49 +0200
+
 python-glance-store (4.1.0-4) unstable; urgency=medium
 
   * CVE-2023-2088: Unauthorized volume access through deleted volume
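Review bot: the new changelog entry's version `4.1.1-1+deb12u1` should be `4.1.1-0+deb12u1`, as agreed later in this thread: 4.1.1-1 was never in the archive, and a `-0` Debian revision keeps the bookworm package sorting below any future 4.1.1-1 in unstable. The trailer date `Fri, 01 Sep 2023` (and the matching 2023-09-01 mtime in the diff header) also predates the CVE-2024-1141 fix the entry describes (patch dated 19 Jan 2024, Last-Update 2024-05-08), so the entry's timestamp should be refreshed when the version string is corrected.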
diff -Nru 
python-glance-store-4.1.0/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
 
python-glance-store-4.1.1/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
--- 
python-glance-store-4.1.0/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
   2023-05-12 08:52:34.0 +0200
+++ 
python-glance-store-4.1.1/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
   1970-01-01 01:00:00.0 +0100
@@ -1,94 +0,0 @@
-Author: Brian Rosmaita 
-Date: Tue, 18 Apr 2023 11:22:27 -0400
-Description: CVE-2023-2088: Add force to os-brick disconnect
- In order to be sure that devices are being removed from the host,
- we should be using the 'force' parameter with os-brick's
- disconnect_volume() method.
-Bug: https://launchpad.net/bugs/2004555
-Change-Id: I63d09ad9ef465bc154c85a9ea125449c039d1b90
-Bug-Debian: https://bugs.debian.org/1035978
-Origin: upstream, https://review.opendev.org/c/openstack/glance_store/+/882853
-Last-Update: 2023-05-12
-
-diff --git a/glance_store/_drivers/cinder.py b/glance_store/_drivers/cinder.py
-index 3509348..7405b7a 100644
 a/glance_store/_drivers/cinder.py
-+++ b/glance_store/_drivers/cinder.py
-@@ -831,7 +831,10 @@
- client, attachment.id, volume_id, host, conn,
- connection_info, device)
- else:
--
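Review bot: dropping CVE-2023-2088_Add_force_to_os-brick_disconnect.patch is only safe if the 4.1.1 tarball really carries the same change; the cover text says commit e9d2509 is that fix, but the debdiff as captured here breaks off a few lines into the cinder.py hunk, so neither the rest of this removal nor the new CVE-2024-1141 patch is visible for review. Suggest confirming in the unpacked 4.1.1 source that `glance_store/_drivers/cinder.py` passes the `force` parameter to os-brick's `disconnect_volume()` (the behaviour the removed patch header describes) and attaching the complete debdiff.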
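The [Impact] section and the rewritten patch header above describe the defect being fixed: S3 access keys ending up in glance's log when the log level is DEBUG. The following is an added example, not glance_store's code; the config keys `host`, `bucket`, `access_key` and `secret_key`, the logger name and the sample configuration are constructed for illustration, and the key ID and secret are the AWS documentation example values. It shows the unsafe logging pattern beside a redacting one, and a small scan a defender can run over existing log lines to find AWS-style access key IDs that have already leaked.

```python
import logging
import re
from typing import Any, Dict, Iterable, List, Tuple

# Hypothetical config keys for this example; not glance_store's option names.
SECRET_KEYS = frozenset({"access_key", "secret_key"})

# Constructed sample configuration. Key ID and secret are the well-known AWS
# documentation example values, not real credentials.
SAMPLE_CONF: Dict[str, Any] = {
    "host": "s3.example.internal",
    "bucket": "glance-images",
    "access_key": "AKIAIOSFODNN7EXAMPLE",
    "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}


class _Capture(logging.Handler):
    """Collects formatted log lines in memory so the example runs offline."""

    def __init__(self) -> None:
        super().__init__(level=logging.DEBUG)
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def _debug_logger(name: str) -> Tuple[logging.Logger, _Capture]:
    log = logging.getLogger(name)
    log.setLevel(logging.DEBUG)  # the setting under which the leak happens
    log.propagate = False
    cap = _Capture()
    cap.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    log.handlers[:] = [cap]
    return log, cap


def describe_unsafe(conf: Dict[str, Any], log: logging.Logger) -> None:
    """Vulnerable pattern: the whole config dict, credentials included,
    is interpolated into a DEBUG message."""
    log.debug("Opening S3 connection with %s", conf)


def redact(conf: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the config with secret-bearing keys replaced before logging."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in conf.items()}


def describe_safe(conf: Dict[str, Any], log: logging.Logger) -> None:
    """Hardened pattern: log only what an operator needs to debug connectivity."""
    log.debug("Opening S3 connection with %s", redact(conf))


# AWS access key IDs are 20 characters, prefixed AKIA (long-term) or ASIA (temporary).
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def find_key_ids(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan log lines (1-based numbering) for key IDs that should never appear."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        for m in AWS_KEY_ID_RE.finditer(line):
            hits.append((n, m.group()))
    return hits


def demo(conf: Dict[str, Any] = SAMPLE_CONF) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Emit one unsafe and one safe DEBUG line, then scan what was logged."""
    log, cap = _debug_logger("glance_store.s3.example")
    describe_unsafe(conf, log)
    describe_safe(conf, log)
    return cap.lines, find_key_ids(cap.lines)


if __name__ == "__main__":
    lines, hits = demo()
    for line in lines:
        print(line)
    print("leaked key IDs:", hits)  # only line 1, the unsafe one, is flagged
```

The scan only catches the key ID, which has a recognisable prefix; the secret key has no such structure, which is why the fix has to be on the producing side (never interpolating credentials into messages) rather than relying on filtering logs afterwards.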