On 1/24/23 17:02, Jeremy Stanley wrote:
========================================================================
OSSA-2023-002: Arbitrary file access through custom VMDK flat descriptor
========================================================================

:Date: January 24, 2023
:CVE: CVE-2022-47951

Affects
~~~~~~~
- Cinder, glance, nova:
  Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0;
  Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0;
  Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0
FYI, I patched all Debian packages from Rocky to Zed. That's 9 flavors of OpenStack times 3 packages, plus 2 versions of oslo.utils (needed for Rocky and Stein), so that's a total of 29 packages. Packages were uploaded to official buster-security (Debian LTS), bullseye-security (for which I just received the security announce, closing this chapter) and unstable. The same work was done for Swift.

Note that some of the flavors above (namely Train, Ussuri, Victoria and Xena) were pushed to my employer's (Infomaniak) production cloud without any issue.

FYI, I plan to support from Rocky to Zed the above way until Debian Buster (LTS) is EOL.

I hope all Debian users appreciate the amount of work I've put into this, and hope this will bring more traction to Debian, knowing we are now engaged in 5-year support.

Also thanks to everyone who helped me on IRC (in the Nova and Cinder channels).

Best regards,

Thomas Goirand (zigo)