We joyfully announce the release of:

glance 28.1.0: OpenStack Image Service

This release is part of the caracal release series.

The source is available from:

    https://opendev.org/openstack/glance

Download the package from:

    https://tarballs.openstack.org/glance/

Please report issues through:

    https://bugs.launchpad.net/glance/+bugs

For more details, please see below.

28.1.0
^^^^^^

Security Issues
***************

* Images in the qcow2 format with an external data file are now rejected
  by glance because such images could be used in an exploit to expose
  host information. See Bug #2059809
  (https://bugs.launchpad.net/glance/+bug/2059809) for details.

Bug Fixes
*********

* Bug #2059809 (https://bugs.launchpad.net/glance/+bug/2059809): Fixed
  an issue where a qcow2 format image with an external data file could
  expose host information. Such images are now rejected by glance. To
  achieve this, format_inspector has been extended with safety checks for
  qcow2 and vmdk files. Unsafe qcow and vmdk files are rejected by
  pre-examining them with the format inspector to ensure a safe
  configuration prior to any qemu-img operation.
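A check of the kind the bug fix describes, as an added example that is not glance's own format_inspector code: it parses the fixed fields of a qcow2 header and applies the same conservative policy, rejecting images that reference a backing file, an external data file (incompatible_features bit 2), or feature bits it does not recognise. Header offsets follow the qcow2 specification; make_header builds constructed headers for testing only, not usable disk images.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"
# qcow2 v3 incompatible_features bit 2: the image stores guest data in an
# external data file instead of inside the qcow2 container.
QCOW2_F_DATA_FILE = 1 << 2
# Incompatible feature bits the qcow2 spec defines (dirty, corrupt,
# data-file, compression type, extended L2); anything else is unknown.
QCOW2_KNOWN_INCOMPATIBLE = 0b11111

def inspect_qcow2_header(header: bytes) -> dict:
    """Parse the fixed, big-endian part of a qcow2 header and return the
    properties a safety check cares about. Raises ValueError for non-qcow2."""
    if len(header) < 72 or header[:4] != QCOW_MAGIC:
        raise ValueError("not a qcow2 header")
    version, backing_off, backing_len = struct.unpack(">IQI", header[4:20])
    incompatible = 0
    # Version 2 headers end at byte 72 and carry no feature fields.
    if version >= 3 and len(header) >= 80:
        (incompatible,) = struct.unpack(">Q", header[72:80])
    return {
        "version": version,
        "has_backing_file": backing_off != 0 or backing_len != 0,
        "has_data_file": bool(incompatible & QCOW2_F_DATA_FILE),
        "has_unknown_features": bool(incompatible & ~QCOW2_KNOWN_INCOMPATIBLE),
    }

def is_safe_qcow2(header: bytes) -> bool:
    """Conservative policy: accept only images that reference nothing outside
    themselves (no backing file, no external data file) and set no feature
    bits this checker does not understand."""
    p = inspect_qcow2_header(header)
    return not (p["has_backing_file"] or p["has_data_file"]
                or p["has_unknown_features"])

def make_header(version=3, incompatible=0, backing_off=0, backing_len=0):
    """Build a constructed, minimal qcow2 header for testing (not a bootable
    image): magic, version, backing-file pointer, and v3 feature fields."""
    hdr = bytearray(104)
    hdr[0:4] = QCOW_MAGIC
    struct.pack_into(">IQI", hdr, 4, version, backing_off, backing_len)
    struct.pack_into(">I", hdr, 20, 16)  # cluster_bits (64 KiB clusters)
    struct.pack_into(">Q", hdr, 24, 1 << 20)  # virtual disk size
    if version >= 3:
        # incompatible, compatible, autoclear, refcount_order, header_length
        struct.pack_into(">QQQII", hdr, 72, incompatible, 0, 0, 4, 104)
    return bytes(hdr)
```

In a real pipeline the same check runs on the first bytes of the uploaded file before any qemu-img call, which is the ordering the release note describes.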
Changes in glance 28.0.1..28.1.0
--------------------------------

b5b29a0a Add releasenote for CVE-2024-32498 fix
4168ee5a Revert "[stable only] Make import jobs non-voting"
35968d7a Increase timeout for tempest-integrated-storage-import job
bc996f20 [stable only] Make import jobs non-voting
400345bf Fix import job to provide valid disk-formats list to tempest
1e5c4444 Add safety check and detection support to FI tool
26e5b855 Add file format detection to format_inspector
83acfc46 Add QED format detection to format_inspector
f482a92f Reject unsafe qcow and vmdk files
b9ef41ac Add VMDK safety check
7a6c344c Extend format_inspector for QCOW safety
35c7e85d Reject qcow files with data-file attributes
eb3eb4ea Remove SQLAlchemy tips jobs
99540a99 Fix broken glance-cache-prefetcher utility
f6a553aa Replace remaining usage of [DEFAULT] sql_connection
708ca14f Update TOX_CONSTRAINTS_FILE for stable/2024.1
83683937 Update .gitreview for stable/2024.1

Diffstat (except docs and test files)
-------------------------------------

.gitreview                                         |   1 +
.zuul.yaml                                         |  22 +-
glance/async_/flows/base_import.py                 |  10 +
glance/async_/flows/plugins/image_conversion.py    |  52 +++-
glance/cmd/cache_prefetcher.py                     |   2 +
glance/common/format_inspector.py                  | 266 +++++++++++++++++++--
.../async_/flows/plugins/test_image_conversion.py  |  73 +++++-
...9-disallow-qcow2-datafile-5d5ff4dbd590c911.yaml |  17 ++
tools/test_format_inspector.py                     |   7 +
tox.ini                                            |   2 +-
13 files changed, 523 insertions(+), 54 deletions(-)