[release-announce] nova 21.2.3 (ussuri)

no-reply at openstack.org no-reply at openstack.org
Thu Oct 7 10:47:27 UTC 2021


We high-spiritedly announce the release of:

nova 21.2.3: Cloud computing fabric controller

This release is part of the ussuri stable release series.

The source is available from:

    https://opendev.org/openstack/nova

Download the package from:

    https://tarballs.openstack.org/nova/

Please report issues through:

    https://bugs.launchpad.net/nova/+bugs

For more details, please see below.

21.2.3
^^^^^^


Security Issues
***************

* A vulnerability in the console proxies (novnc, serial, spice) that
  allowed open redirection has been patched. The novnc, serial, and
  spice console proxies are implemented as websockify servers and the
  request handler inherits from the Python standard library's
  SimpleHTTPRequestHandler. There is a known issue in
  SimpleHTTPRequestHandler which allows open redirects by way of URLs
  in the following format:

     http://vncproxy.my.domain.com//example.com/%2F..

  which, if visited, will redirect a user to example.com.

  The novnc, serial, and spice console proxies will now reject
  requests that pass a redirection URL beginning with "//" with a 400
  Bad Request.

  (https://bugs.launchpad.net/nova/+bug/1927677)
  (https://bugs.python.org/issue32084)
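
  The check described above, sketched as an added example (not nova's
  own code): browser_target shows where a browser goes for a Location
  value that starts with "//", and a SimpleHTTPRequestHandler subclass
  answers such requests with 400. The class and function names are
  illustrative, and the Location value assumes the request path is echoed
  with a trailing slash.

```python
import http.client
import threading
from http import HTTPStatus
from http.server import HTTPServer, SimpleHTTPRequestHandler
from urllib.parse import urljoin, urlsplit

PROXY = "http://vncproxy.my.domain.com/"  # proxy host from the release note


def browser_target(location, base=PROXY):
    """Host a browser lands on after following this Location header value."""
    return urlsplit(urljoin(base, location)).hostname


class RejectDoubleSlashHandler(SimpleHTTPRequestHandler):
    """Illustrative handler: answer 400 when the request target starts with '//'."""

    def send_head(self):
        # Read the raw request line: recent CPython releases already collapse
        # a leading '//' in self.path while parsing the request.
        target = self.requestline.split()[1]
        if target.startswith("//"):
            self.send_error(HTTPStatus.BAD_REQUEST, "URI must not start with //")
            return None
        return super().send_head()

    def log_message(self, fmt, *args):
        pass  # keep the demo output quiet


def status_for(path):
    """Serve one request on a loopback port; return (status, Location header)."""
    server = HTTPServer(("127.0.0.1", 0), RejectDoubleSlashHandler)
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()
        worker.join(timeout=5)
        server.server_close()


if __name__ == "__main__":
    print(browser_target("//example.com/%2F../"))  # scheme-relative, leaves the proxy
    print(status_for("//example.com/%2F.."))        # rejected by the guard
    print(status_for("/"))                          # ordinary request is served
```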


Bug Fixes
*********

* Addressed an issue that prevented instances with 1 vcpu using the
  multiqueue feature from being created successfully when their
  vif_type is TAP.

Changes in nova 21.2.2..21.2.3
------------------------------

5ded5d8050 [stable-only] Set lower-constraints job as non-voting
0997043f45 address open redirect with 3 forward slashes
fa0ad18619 Fix 1vcpu error with multiqueue and vif_type=tap
d43b88a334 Reduce mocking in test_reject_open_redirect for compat
719e651e6b Reject open redirection in the console proxy
59249697bf Initialize global data separately and run_once in WSGI app init
91314f7fbb Move 'check-cherry-picks' test to gate, n-v check
b96f93ed86 Honor [neutron]http_retries in the manual client
637402eec7 guestfs: With libguestfs >= v1.41.1 decode returned bytes to string
8a858eca55 Dynamically archive FK related records in archive_deleted_rows
37cff3c74d Add functional test for bug 1837995
a8624cdaa2 Centralize sqlite FK constraint enforcement


Diffstat (except docs and test files)
-------------------------------------

.zuul.yaml                                         |  19 +-
nova/api/openstack/wsgi_app.py                     |  24 ++-
nova/console/websocketproxy.py                     |  18 ++
nova/db/sqlalchemy/api.py                          | 221 ++++++++++++++-------
nova/network/neutron.py                            |   1 +
nova/test.py                                       |  23 +++
nova/utils.py                                      |  46 +++++
nova/virt/disk/api.py                              |   4 +-
nova/virt/disk/vfs/guestfs.py                      |   9 +-
nova/virt/libvirt/vif.py                           |   3 +-
.../notes/bug-1939604-547c729b7741831b.yaml        |   5 +
...roxy-reject-open-redirect-4ac0a7895acca7eb.yaml |  19 ++
tools/check-cherry-picks.sh                        |   5 -
tox.ini                                            |  12 +-
23 files changed, 676 insertions(+), 146 deletions(-)






