- OpenStack-announce - lists.openstack.org

[administrivia] Messages accidentally approved through moderation
by Jeremy Stanley 21 May '25

21 May '25

Apologies, I accidentally approved two off-topic crossposts through the openstack-announce moderation queue just now. I've deleted them from the archive for avoidance of confusion. -- Jeremy Stanley

1 0

[OSSA-2025-001] Ironic fails to restrict paths used for file:// image URLs (CVE-2025-44021)
by Jay Faulkner 09 May '25

09 May '25

========================================================================= OSSA-2025-001: Ironic fails to restrict paths used forfile:// image URLs ========================================================================= :Date: May 08, 2024 :CVE: CVE-2025-44021 Affects ~~~~~~~ - Ironic: <24.1.3, >=25.0.0 <26.1.1, >=27.0.0, <29.0.1 Description ~~~~~~~~~~~ Julia Kreger of Red Hat noticed a vulnerability in image handling for Ironic. A malicious project assigned as a node owner can provide a path to any local file readable by the ironic-conductor which may then be written to the target node disk. This is only possible via deployments performed directly via Ironic's API and cannot be triggered via Nova's virt driver. This is difficult to exploit in practice, as a node deployed in this manner should not ever reach ACTIVE state, but it still represents a danger in environments running with non-default, insecure configurations such as with automated cleaning disabled. Patches ~~~~~~~ -https://review.opendev.org/c/openstack/ironic/+/949175 (2024.1/caracal) -https://review.opendev.org/c/openstack/ironic/+/949174 (2024.2/dalmatian) -https://review.opendev.org/c/openstack/ironic/+/949173 (2025.1/epoxy) - Patch attached tohttps://bugs.launchpad.net/ironic/+bug/2107847/comments/47 (Bobcat/2023.2-eol) -https://review.opendev.org/c/openstack/ironic/+/949186 (Bugfix/26.0) -https://review.opendev.org/c/openstack/ironic/+/949185 (Bugfix/27.0) -https://review.opendev.org/c/openstack/ironic/+/949184 (Bugfix/28.0) -https://review.opendev.org/c/openstack/ironic/+/949172 (Master) -https://review.opendev.org/c/openstack/ironic/+/949182 (Unmaintained/2023.1 antelope) -https://review.opendev.org/c/openstack/ironic/+/949179 (Unmaintained/xena) -https://review.opendev.org/c/openstack/ironic/+/949177 (Unmaintained/yoga) -https://review.opendev.org/c/openstack/ironic/+/949176 (Unmaintained/zed) Credits ~~~~~~~ - Julia Kreger from Red Hat (CVE-2025-44021) References ~~~~~~~~~~ -https://launchpad.net/bugs/2107847 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-44021 Notes ~~~~~ - Patches have been provided for all supported Ironic branches. As a courtesy, we have also provided patches for some unmaintained branches and the recently end-of-life 2023.2/bobcat release. As usual, we will provide updated releases off maintained branches, but will not create new releases off bugfix or unmaintained branches.

1 0

OpenStack 2025.1 Epoxy is officially released!
by Elõd Illés 02 Apr '25

02 Apr '25

Hello OpenStack community, I'm excited to announce the final releases for the components of OpenStack 2025.1 Epoxy, which conclude the 2025.1 Epoxy development cycle. You will find a complete list of all components, their latest versions, and links to individual project release notes documents listed on the new release site. https://releases.openstack.org/epoxy/ Congratulations to all of the teams who have contributed to this release! Our next production cycle, 2025.2 Flamingo, has already started. We will meet virtually in April 7th - 11th at the Project Team Gathering to plan the work for the upcoming cycle. I hope to see you there! Thanks, Előd Illés on behalf of the Release Management team

1 0

[OSSA-2024-005] Neutron: Authorization bypassed when setting tags on Neutron networks (CVE-2024-53916)
by Jay Faulkner 04 Dec '24

04 Dec '24

=========================================================================== OSSA-2024-005: Authorization bypassed when setting tags on Neutron networks =========================================================================== :Date: December 03, 2024 :CVE: CVE-2024-53916 Affects ~~~~~~~ - Neutron: >=23.0.0 <23.2.1, >=24.0.0 <24.0.2, >=25.0.0 <25.0.1 Description ~~~~~~~~~~~ Tore Anderson of Redpill Linpro AS discovered that Neutron does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects which do not belong to the tenant, and this action is not being subjected to the proper policy authorization check. Patches ~~~~~~~ -https://review.opendev.org/c/openstack/neutron/+/936849 (2023.2/bobcat) -https://review.opendev.org/c/openstack/neutron/+/936846 (2024.1/caracal) -https://review.opendev.org/c/openstack/neutron/+/936843 (2024.2/dalmatian) -https://review.opendev.org/c/openstack/neutron/+/935883 (2025.1/epoxy) Credits ~~~~~~~ - Tore Anderson from Redpill Linpro AS (C, V, E, -, 2, 0, 2, 4, -, 5, 3, 9, 1, 6) References ~~~~~~~~~~ -https://launchpad.net/bugs/2088986 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53916 -- Jay Faulkner OpenStack VMT

1 0

[OSSA-2024-004]: OpenStack Ironic fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming
by Jay Faulkner 04 Oct '24

04 Oct '24

==================================================================================================================================== OSSA-2024-004: Ironic fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming ==================================================================================================================================== :Date: October 03, 2024 :CVE: CVE-2024-47211 Affects ~~~~~~~ - Ironic: <21.4.4, >=22.0.0 <23.0.3, >=23.1.0 <24.1.3, >=25.0.0, <26.1.0 Description ~~~~~~~~~~~ Julia Kreger of Red Hat noticed a vulnerability in image validation for Ironic, in which images may not have their checksum validated before conversion, potentially permitting man-in-the-middle attacks modifying image data. Patches ~~~~~~~ -https://review.opendev.org/c/openstack/ironic/+/931300 (2023.1/antelope(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931299 (2023.2/bobcat(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931295 (2024.1/caracal(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931294 (2024.2/dalmatian(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931293 (2025.1/epoxy (ironic)) -https://review.opendev.org/c/openstack/ironic/+/931298 (Bugfix/24.0 (ironic)) -https://review.opendev.org/c/openstack/ironic/+/931297 (Bugfix/25.0 (ironic)) -https://review.opendev.org/c/openstack/ironic/+/931296 (Bugfix/26.0 (ironic)) -https://review.opendev.org/c/openstack/ironic/+/931305 (Unmaintained/victoria(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931304 (Unmaintained/wallaby(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931303 (Unmaintained/xena(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931302 (Unmaintained/yoga(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931301 (Unmaintained/zed(ironic)) Credits ~~~~~~~ - Julia Kreger from Red Hat (CVE-2024-47211) References ~~~~~~~~~~ -https://launchpad.net/bugs/2076289 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47211 Notes ~~~~~ - No other Ironic-adjacent projects, including Ironic-Python-Agent, require patching to resolve this vulnerability. - As usual, we will provide updated releases off maintained branches, but will not create new releases off bugfix or unmaintained branches. -- Jay Faulkner OpenStack Vulnerability Management Team https://security.openstack.org/vmt.html

1 0

OpenStack 2024.2 Dalmatian is officially released!
by Elõd Illés 02 Oct '24

02 Oct '24

Hello OpenStack community, I'm excited to announce the final releases for the components of OpenStack 2024.2 Dalmatian, which conclude the 2024.2 Dalmatian development cycle. You will find a complete list of all components, their latest versions, and links to individual project release notes documents listed on the new release site. https://releases.openstack.org/dalmatian/ Congratulations to all of the teams who have contributed to this release! Our next development cycle, 2025.1 Epoxy, has already started. We will meet virtually in October 21-25, 2024, at the Project Team Gathering to plan the work for the upcoming cycle. I hope to see you there! Thanks, Előd Illés on behalf of the Release Management team

1 0

[all][elections][tc][ptl] 2025.1 Epoxy: Technical Committee & PTL Election Conclusion & Results
by Ian Y. Choi 19 Sep '24

19 Sep '24

Thank you to the electorate, to all those who supported and to all candidates who put their name forward for Technical Committee (TC) & Project Team Lead (PTL) in this election. A healthy, open process breeds trust in our decision making capability. Thank you to all those who make this process possible. 1. Please join me in congratulating the 4 newly elected members of the Technical Committee (TC). Ghanshyam Mann (gmann) Jens Harbott (frickler) Sylvain Bauza (bauzas) Doug Goldstein (cardoe) Full results: https://civs1.civs.us/cgi-bin/results.pl?id=E_079cc0f0dda5010c 2. For the results of the PTL election process, please join me in extending congratulations to the following PTLs: * Adjutant: Dale Smith (dalees) * Barbican: Grzegorz Grasza (xek) * Blazar: Pierre Riteau (priteau) * Cinder: Jon Bernard () * Cloudkitty: Rafael Weingartner () * Cyborg: alex song (songwenping) * Designate: Michael Johnson (johnsom) * Glance: Pranali Deore (pdeore) * Heat: Takashi Kajinami (tkajinam) * Horizon: Tatiana Ovchinnikova (tmazur) * Ironic: Riccardo Pittau (rpittau) * Keystone: Dave Wilde (d34dh0r53) * Kolla: Michal Nasiadka (mnasiadka) * Magnum: Jake Yip (jakeyip) * Manila: Carlos Silva (carloss) * Masakari: sam sue () * Monasca: Hasan Acar () * Neutron: Brian Haley (haleyb) * Nova: Sylvain Bauza (bauzas) * Octavia: Gregory Thiemonge (gthiemonge) * OpenStack Charms: James Page (jamespage) * OpenStack Helm: Vladimir Kozhukalov (kozhukalov) * OpenStackAnsible: Dmitriy Rabotyagov (noonedeadpunk) * OpenStackSDK: Artem Goncharov (gtema) * Puppet OpenStack: Takashi Kajinami (tkajinam) * Quality Assurance: Martin Kopec (kopecmartin) * Rally: Andrey Kurilin (andreykurilin) * Skyline: Wenxiang Wu (wu_wenxiang) * Storlets: Takashi Kajinami (tkajinam) * Sunbeam: Guillaume Boutry (gboutry) * Tacker: Yasufumi Ogawa (yasufum) * Telemetry: Erno Kuvaja (jokke_) * Trove: wu chunyang (wuchunyang) * Venus: Eric Zhang () * Vitrage: Dmitriy Rabotyagov (noonedeadpunk) * Zaqar: Hao Wang (wanghao) * Zun: Hongbin Lu () PTL Election: no election required. For remaining projects (without PTL candidates), TC will work on the appointment. Election process details and results are also available here: https://governance.openstack.org/election/ Thank you to all of the candidates, having a good group of candidates helps engage the community in our democratic process. Thank you to all who voted and who encouraged others to vote. We need to ensure your voice is heard. Thank you for another great round. Thank you, /Ian, an election official

1 0

[OSSA-2024-003] OpenStack Ironic: Unvalidated image data passed to qemu-img (CVE-2024-44082)
by Brian Rosmaita 05 Sep '24

05 Sep '24

======================================================== OSSA-2024-003: Unvalidated image data passed to qemu-img ======================================================== :Date: September 04, 2024 :CVE: CVE-2024-44082 Affects ~~~~~~~ - Ironic: <21.4.3, >=22.0.0 <23.0.2, >=23.1.0 <24.1.2, >=25.0.0 <26.0.1 - Ironic-python-agent: <9.4.2, >=9.5.0 <9.7.1, >=9.8.0 <9.11.1, >=9.12.0 <9.13.1 Description ~~~~~~~~~~~ Dan Smith and Julia Kreger of Red Hat and Jay Faulkner of G-Research noticed a vulnerability in image processing for Ironic, in which a specially crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including possible unauthorized access to potentially sensitive data. Mitigation ---------- The attached patches contain code allowing Ironic and the Ironic-Python-Agent (IPA) to pre-screen images before passing them to qemu-img. You should patch both of them because in some popular deployment configurations, it is possible for images to bypass the Ironic conductor for more efficient image downloads. In situations where it is not possible to patch IPA, there is a new configuration option, ``[conductor]conductor_always_validates_images``. When this option is True, all image downloads are forced to occur through the Ironic conductor, where they are validated. However, this may incur a significant performance hit; hence our recommendation to patch both Ironic and IPA. Patches are available for both Ironic and IPA for all maintained branches, namely, the Dalmatian development branch (current master) through Antelope. For these branches, ``conductor_always_validates_images`` defaults to False. For the unmaintained branches (Zed through Victoria), patches are not available for IPA due to a significant risk of regressions. For these branches, the Ironic patches set ``conductor_always_validates_images`` to True, as this is the only safe way to run Ironic with an un-patched IPA. Cached images ------------- Images in the Ironic image cache should be purged. To purge the cache, stop the Ironic conductor and remove the files in the ``[pxe]/instance_master_path`` directory on that conductor node. Supported image formats ----------------------- A new configuration option, ``[conductor]permitted_image_formats`` controls what image formats will be accepted by Ironic. By default, the allowed formats are 'raw' and 'qcow2', which are the only formats that Ironic is tested with. In previous releases, it was possible to use images of other, unsupported formats with Ironic, but this is now blocked by default due to security issues arising from the image conversion process. It is possible, though not recommended, to expand the list of permitted formats. Alternatively, users requiring the use of an image in an unsupported format can convert the image offline into a supported format before uploading the image to Glance or otherwise making the image available to Ironic. Consult the Ironic documentation for details. Warning ------- As is well-documented, the OpenStack Ironic project does not support the use of ironic-lib for non-Ironic use cases. In its normal supported context, ironic-lib assumes that images have been pre-screened before ironic-lib comes in contact with them. Thus, unsupported use of ironic-lib leaves you vulnerable to the exploit outlined in this OSSA. The Ironic project intends eventually to explicitly remove the vulnerable methods in ironic-lib, but reminds the reader that independent use of ironic-lib is not supported. Bugfix branches --------------- Patches are available for maintained bugfix branches. These patches will be merged to the maintained branches, but no new releases will be triggered from those branches. Patches ~~~~~~~ - https://review.opendev.org/927972 (2023.1/antelope(ironic)) - https://review.opendev.org/927979 (2023.1/antelope(ironic-python-agent)) - https://review.opendev.org/927970 (2023.2/bobcat(ironic)) - https://review.opendev.org/927978 (2023.2/bobcat(ironic-python-agent)) - https://review.opendev.org/927968 (2024.1/caracal(ironic)) - https://review.opendev.org/927976 (2024.1/caracal(ironic-python-agent)) - https://review.opendev.org/927965 (2024.2/dalmatian(ironic)) - https://review.opendev.org/927974 (2024.2/dalmatian(ironic-python-agent)) - https://review.opendev.org/927969 (Bugfix/24.0 (ironic)) - https://review.opendev.org/927967 (Bugfix/25.0 (ironic)) - https://review.opendev.org/927966 (Bugfix/26.0 (ironic)) - https://review.opendev.org/927983 (Bugfix/9.12 (ironic-python-agent)) - https://review.opendev.org/927981 (Bugfix/9.13 (ironic-python-agent)) - https://review.opendev.org/927984 (Bugfix/9.9 (ironic-python-agent)) - https://review.opendev.org/927982 (Unmaintained/victoria(ironic)) - https://review.opendev.org/927980 (Unmaintained/wallaby(ironic)) - https://review.opendev.org/927977 (Unmaintained/xena(ironic)) - https://review.opendev.org/927975 (Unmaintained/yoga(ironic)) - https://review.opendev.org/927973 (Unmaintained/zed(ironic)) Credits ~~~~~~~ - Dan Smith from Red Hat (CVE-2024-44082) - Jay Faulkner from G-Research (CVE-2024-44082) - Julia Kreger from Red Hat (CVE-2024-44082) References ~~~~~~~~~~ - https://launchpad.net/bugs/2071740 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44082 Notes ~~~~~ - For more information about the unadvisability of calling 'qemu-img info' on untrusted images, see CVE-2024-04467. - The ironic unmaintained/* branches will receive no point releases, but patches for them are provided as a courtesy. - The ironic-python-agent unmaintained/* branches will receive no point releases, nor are patches for them available. - The ironic and ironic-python-agent bugfix/* branches will receive no point releases, but patches for them are provided as a courtesy. -- Brian Rosmaita OpenStack Vulnerability Management Team https://security.openstack.org/vmt.html

1 0

[OSSA-2024-002] OpenStack Nova: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767)
by Jeremy Stanley 24 Jul '24

24 Jul '24

================================================================== OSSA-2024-002: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors ================================================================== :Date: July 23, 2024 :CVE: CVE-2024-40767 Affects ~~~~~~~ - Nova: <27.4.1, >=28.0.0 <28.2.1, >=29.0.0 <29.1.1 Description ~~~~~~~~~~~ Arnaud Morin (OVH) reported a vulnerability in Nova. By supplying a raw format image which is actually a specially crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file’s contents from the server resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. Patches ~~~~~~~ - https://review.opendev.org/924734 (2023.1/antelope) - https://review.opendev.org/924733 (2023.2/bobcat) - https://review.opendev.org/924732 (2024.1/caracal) - https://review.opendev.org/924731 (2024.2/dalmatian) Credits ~~~~~~~ - Arnaud Morin from OVH (CVE-2024-40767) References ~~~~~~~~~~ - https://launchpad.net/bugs/2071734 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40767 Notes ~~~~~ - The patches linked above should apply cleanly to the public state of their respective branches at time of disclosure, and depend on some commits which merged after the `OSSA-2024-001 <https://security.openstack.org/ossa/OSSA-2024-001.html>`_ fixes as well as the final states of the Nova changes linked from that advisory (those did see some minor adjustments before they merged). - The QCOW2 issue is due to an incomplete fix in OSSA-2024-001 affecting systems where the ``use_cow_images`` configuration option is disabled, while the VMDK issue is a regression of the earlier `OSSA-2023-002 <https://security.openstack.org/ossa/OSSA-2023-002.html>`_ vulnerability reintroduced by the new implementation in OSSA-2024-001. Both problems were identified in the final hours before OSSA-2024-001 publication but, due to time constraints, were redacted from that bug and moved to a separate report. - Neither the methods introduced in these patches nor the fixes for OSSA-2024-001 are capable of blocking malicious images which are already resident in Nova's cache. At this time we do not have useful operator guidance for identifying and removing such existing images from the cache but strongly caution, if you do attempt to use the qemu-img tool to find them, to make sure you're using a version of it patched for `QEMU CVE-2024-4467 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4467>`_. -- Jeremy Stanley OpenStack Vulnerability Management Team

1 0

[OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file access through custom QCOW2 external data (CVE-2024-32498)
by Jeremy Stanley 03 Jul '24

03 Jul '24

======================================================================= OSSA-2024-001: Arbitrary file access through custom QCOW2 external data ======================================================================= :Date: July 02, 2024 :CVE: CVE-2024-32498 Affects ~~~~~~~ - Cinder: <22.1.3, >=23.0.0 <23.1.1, ==24.0.0 - Glance: <26.0.1, ==27.0.0, >=28.0.0 <28.0.2 - Nova: <27.3.1, >=28.0.0 <28.1.1, >=29.0.0 <29.0.3 Description ~~~~~~~~~~~ Martin Kaesberger reported a vulnerability in QCOW2 image processing for Cinder, Glance and Nova. By supplying a specially created QCOW2 image which references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server resulting in unauthorized access to potentially sensitive data. All Cinder deployments are affected; only Glance deployments with image conversion enabled are affected; all Nova deployments are affected. Patches ~~~~~~~ - https://review.opendev.org/923247 (2023.1/antelope(cinder)) - https://review.opendev.org/923277 (2023.1/antelope(glance)) - https://review.opendev.org/923278 (2023.1/antelope(glance)) - https://review.opendev.org/923279 (2023.1/antelope(glance)) - https://review.opendev.org/923280 (2023.1/antelope(glance)) - https://review.opendev.org/923281 (2023.1/antelope(glance)) - https://review.opendev.org/923282 (2023.1/antelope(glance)) - https://review.opendev.org/923283 (2023.1/antelope(glance)) - https://review.opendev.org/923288 (2023.1/antelope(nova)) - https://review.opendev.org/923289 (2023.1/antelope(nova)) - https://review.opendev.org/923290 (2023.1/antelope(nova)) - https://review.opendev.org/923281 (2023.1/antelope(nova)) - https://review.opendev.org/923246 (2023.2/bobcat(cinder)) - https://review.opendev.org/923266 (2023.2/bobcat(glance)) - https://review.opendev.org/923267 (2023.2/bobcat(glance)) - https://review.opendev.org/923268 (2023.2/bobcat(glance)) - https://review.opendev.org/923269 (2023.2/bobcat(glance)) - https://review.opendev.org/923270 (2023.2/bobcat(glance)) - https://review.opendev.org/923271 (2023.2/bobcat(glance)) - https://review.opendev.org/923272 (2023.2/bobcat(glance)) - https://review.opendev.org/923284 (2023.2/bobcat(nova)) - https://review.opendev.org/923285 (2023.2/bobcat(nova)) - https://review.opendev.org/923286 (2023.2/bobcat(nova)) - https://review.opendev.org/923287 (2023.2/bobcat(nova)) - https://review.opendev.org/923245 (2024.1/caracal(cinder)) - https://review.opendev.org/923259 (2024.1/caracal(glance)) - https://review.opendev.org/923260 (2024.1/caracal(glance)) - https://review.opendev.org/923261 (2024.1/caracal(glance)) - https://review.opendev.org/923262 (2024.1/caracal(glance)) - https://review.opendev.org/923263 (2024.1/caracal(glance)) - https://review.opendev.org/923264 (2024.1/caracal(glance)) - https://review.opendev.org/923265 (2024.1/caracal(glance)) - https://review.opendev.org/923273 (2024.1/caracal(nova)) - https://review.opendev.org/923274 (2024.1/caracal(nova)) - https://review.opendev.org/923275 (2024.1/caracal(nova)) - https://review.opendev.org/923276 (2024.1/caracal(nova)) - https://review.opendev.org/923244 (2024.2/dalmatian(cinder)) - https://review.opendev.org/923248 (2024.2/dalmatian(glance)) - https://review.opendev.org/923249 (2024.2/dalmatian(glance)) - https://review.opendev.org/923250 (2024.2/dalmatian(glance)) - https://review.opendev.org/923251 (2024.2/dalmatian(glance)) - https://review.opendev.org/923252 (2024.2/dalmatian(glance)) - https://review.opendev.org/923253 (2024.2/dalmatian(glance)) - https://review.opendev.org/923254 (2024.2/dalmatian(glance)) - https://review.opendev.org/923255 (2024.2/dalmatian(nova)) - https://review.opendev.org/923256 (2024.2/dalmatian(nova)) - https://review.opendev.org/923257 (2024.2/dalmatian(nova)) - https://review.opendev.org/923258 (2024.2/dalmatian(nova)) Credits ~~~~~~~ - Martin Kaesberger (CVE-2024-32498) References ~~~~~~~~~~ - https://launchpad.net/bugs/2059809 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32498 Notes ~~~~~ - Due to the scope of the problem and complexity of the resulting fixes, regressions and additional bypasses were reported in the original bug by downstream stakeholders during the coordinated disclosure period. As a result, our initially chosen publication date was rescheduled, which put the advisory four days past our promised ninety day maximum embargo length. Additional revised patches and regression fixes were supplied to stakeholders as soon as possible, but we understand the unfortunate timing of these last-minute changes resulted in a lot of additional work for everyone involved. -- Jeremy Stanley OpenStack Vulnerability Management Team

1 0