On 7/2/24 17:00, Jeremy Stanley wrote:
=======================================================================
OSSA-2024-001: Arbitrary file access through custom QCOW2 external data
=======================================================================

:Date: July 02, 2024
:CVE: CVE-2024-32498

Affects
~~~~~~~
- Cinder: <22.1.3, >=23.0.0 <23.1.1, ==24.0.0
- Glance: <26.0.1, ==27.0.0, >=28.0.0 <28.0.2
- Nova: <27.3.1, >=28.0.0 <28.1.1, >=29.0.0 <29.0.3

Hi,

FYI, I have just completed the update of all 3 projects Debian packages from Victoria to Caracal. So, 3 projects, times 8 branches, that's 24 branches in total. I worked full time on this for a week and a half! :/

All of them are available as usual, through the unofficial Debian repository at:
https://osbpo.debian.net/debian

Official Victoria update in Debian 11, Bullseye LTS and Zed update in Debian 12, Bookworm will follow, though I've been told that the Debian security team is busy on other priorities, so I have no clue when they will have enough time to review my packages.

Also, note that for Victoria, since it was the older branch, I went up to run a full Tempest functional test to validate the upgrades. I couldn't, given the short time, do that on all releases, though I expect them to be working too since the newer the simpler.

Obviously, please report any regression.

Hoping that Debian users will appreciate having the last 8 branches fixed, with backports, in a timely manner.

Cheers,

Thomas Goirand (zigo)