[release-announce] nova 22.3.0 (victoria)

no-reply at openstack.org
Thu Oct 7 10:02:06 UTC 2021


We exuberantly announce the release of:

nova 22.3.0: Cloud computing fabric controller

This release is part of the victoria stable release series.

The source is available from:

    https://opendev.org/openstack/nova

Download the package from:

    https://tarballs.openstack.org/nova/

Please report issues through:

    https://bugs.launchpad.net/nova/+bugs

For more details, please see below.

22.3.0
^^^^^^


Security Issues
***************

* A vulnerability in the console proxies (novnc, serial, spice) that
  allowed open redirection has been patched. The novnc, serial, and
  spice console proxies are implemented as websockify servers and the
  request handler inherits from the Python standard library's
  SimpleHTTPRequestHandler. There is a known issue in
  SimpleHTTPRequestHandler which allows open redirects by way of URLs
  in the following format:

     http://vncproxy.my.domain.com//example.com/%2F..

  which, if visited, will redirect a user to example.com.

  The novnc, serial, and spice console proxies will now reject
  requests that pass a redirection URL beginning with "//" with a 400
  Bad Request.

  (https://bugs.launchpad.net/nova/+bug/1927677)
  (https://bugs.python.org/issue32084)


Bug Fixes
*********

* Addressed an issue that prevented instances with 1 vcpu using
  multiqueue feature from being created successfully when their
  vif_type is TAP.

Changes in nova 22.2.2..22.3.0
------------------------------

9588cdbfd4 address open redirect with 3 forward slashes
aaa56240b0 Fix 1vcpu error with multiqueue and vif_type=tap
1eceeebfb2 Avoid modifying the Mock class in test
7dbceeceef Fix request path to query a resource provider by uuid
94e265f3ca Reduce mocking in test_reject_open_redirect for compat
e238cc9cd6 Allow deletion of compute service with no compute nodes
9efdd0b085 Reproducer unit test for bug 1860312
b7677ae08a Move 'check-cherry-picks' test to gate, n-v check
6305ae491e Allow X-OpenStack-Nova-API-Version header in CORS
6b70350bdc Reject open redirection in the console proxy


Diffstat (except docs and test files)
-------------------------------------

.zuul.yaml                                         | 14 +++++
nova/api/openstack/compute/services.py             | 23 ++++++--
nova/cmd/manage.py                                 |  2 +-
nova/console/websocketproxy.py                     | 18 ++++++
nova/middleware.py                                 |  8 ++-
.../unit/api/openstack/compute/test_services.py    | 15 +++++
nova/virt/libvirt/vif.py                           |  3 +-
.../notes/bug-1939604-547c729b7741831b.yaml        |  5 ++
...roxy-reject-open-redirect-4ac0a7895acca7eb.yaml | 19 ++++++
tools/check-cherry-picks.sh                        |  5 --
tox.ini                                            | 12 +++-
14 files changed, 232 insertions(+), 49 deletions(-)
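
The check described under "Security Issues" above, sketched as an added example (not nova's code and not part of the original announcement): a SimpleHTTPRequestHandler subclass that answers 400 Bad Request to request targets beginning with "//", plus a helper showing which host a browser resolves the redirect to. The names RejectDoubleSlashHandler, browser_target and probe are hypothetical, and the server binds only to a loopback port.

```python
import http.client
import threading
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urljoin, urlsplit


def browser_target(request_url: str, location: str) -> str:
    """Host a browser ends up on after following a Location header."""
    return urlsplit(urljoin(request_url, location)).hostname


class RejectDoubleSlashHandler(SimpleHTTPRequestHandler):
    """Hypothetical handler: 400 for request targets that start with '//'."""

    def send_head(self):
        # Inspect the raw request line: newer Python releases collapse the
        # leading slashes in self.path before send_head() runs.
        parts = self.requestline.split()
        target = parts[1] if len(parts) >= 2 else self.path
        if target.startswith("//"):
            self.send_error(HTTPStatus.BAD_REQUEST, "URI must not start with //")
            return None
        return super().send_head()

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


def probe(path: str) -> tuple:
    """Serve on a loopback port, request `path`, return (status, Location)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), RejectDoubleSlashHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    bad = "//example.com/%2F.."  # path from the security note above
    # The directory redirect appends "/" to the requested path.
    print(browser_target("http://vncproxy.my.domain.com" + bad, bad + "/"))
    print(probe(bad))            # rejected before any redirect is built
    print(probe("/"))            # ordinary requests are still served
```

The guard reads `requestline` rather than `path` so that it behaves the same whether or not the running interpreter already normalizes leading slashes.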






