We are excited to announce the release of:

glance 27.1.0: OpenStack Image Service

This release is part of the bobcat release series.

The source is available from:

    https://opendev.org/openstack/glance

Download the package from:

    https://tarballs.openstack.org/glance/

Please report issues through:

    https://bugs.launchpad.net/glance/+bugs

For more details, please see below.

27.1.0
^^^^^^

Security Issues
***************

* Images in the qcow2 format with an external data file are now rejected by
  glance because such images could be used in an exploit to expose host
  information. See Bug #2059809 (https://bugs.launchpad.net/glance/+bug/2059809)
  for details.

Bug Fixes
*********

* Bug #2059809 (https://bugs.launchpad.net/glance/+bug/2059809): Fixed an issue
  where a qcow2 format image with an external data file could expose host
  information. Such images are now rejected by glance. To achieve this,
  format_inspector has been extended with safety checks for qcow2 and vmdk
  files. Unsafe qcow and vmdk files are rejected by pre-examining them with the
  format inspector to confirm a safe configuration before any qemu-img
  operation is run on them.
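As an illustration of the kind of pre-check described above (an added example, not glance's own format_inspector code), the following parses only the fixed qcow2 header and refuses any image whose header points at another file, either through the backing-file pointer or through the external-data-file bit in incompatible_features. It assumes the header layout from the qcow2 specification shipped with QEMU; the sample headers are constructed in the block, not taken from a real image.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Bit 2 of incompatible_features marks an external data file (qcow2 v3 spec).
QCOW2_INCOMPAT_EXTERNAL_DATA_FILE = 1 << 2


def qcow2_header_is_safe(header: bytes) -> bool:
    """Return True only if the qcow2 header references no other file on disk.

    Assumed layout (qcow2 spec): offset 4 version (u32), offset 8
    backing_file_offset (u64), offset 72 incompatible_features (u64, v3 only).
    All integers are big-endian.
    """
    if len(header) < 72 or header[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 header")
    version = struct.unpack_from(">I", header, 4)[0]
    backing_file_offset = struct.unpack_from(">Q", header, 8)[0]
    if backing_file_offset != 0:
        return False  # image would read data from a backing file on the host
    if version >= 3:
        if len(header) < 80:
            raise ValueError("truncated qcow2 v3 header")
        incompatible = struct.unpack_from(">Q", header, 72)[0]
        if incompatible & QCOW2_INCOMPAT_EXTERNAL_DATA_FILE:
            return False  # external data file: reject before qemu-img sees it
    return True


def make_sample_header(version=3, backing_file_offset=0, incompatible=0) -> bytes:
    """Constructed 104-byte sample header for demonstration only."""
    hdr = bytearray(104)
    hdr[:4] = QCOW2_MAGIC
    struct.pack_into(">I", hdr, 4, version)
    struct.pack_into(">Q", hdr, 8, backing_file_offset)
    struct.pack_into(">I", hdr, 20, 16)       # cluster_bits: 64 KiB clusters
    struct.pack_into(">Q", hdr, 24, 1 << 30)  # virtual size: 1 GiB
    struct.pack_into(">Q", hdr, 72, incompatible)
    struct.pack_into(">I", hdr, 100, 104)     # header_length
    return bytes(hdr)


if __name__ == "__main__":
    plain = make_sample_header()
    ext = make_sample_header(incompatible=QCOW2_INCOMPAT_EXTERNAL_DATA_FILE)
    print("plain image safe:", qcow2_header_is_safe(plain))   # True
    print("external data file safe:", qcow2_header_is_safe(ext))  # False
```

The check reads 104 bytes at most, so it can run on the image stream before it is handed to any conversion tool.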
Changes in glance 27.0.0..27.1.0
--------------------------------

835c89c7 Add releasenote for CVE-2024-32498 fix
78c97fd1 Revert "[stable only] Make import jobs non-voting"
212426fa Increase timeout for tempest-integrated-storage-import job
fb0004a0 [stable only] Make import jobs non-voting
1ea1a937 Fix import job to provide valid disk-formats list to tempest
2befcfcb Add safety check and detection support to FI tool
54c1edbf Add file format detection to format_inspector
4bc13f95 Add QED format detection to format_inspector
c2373030 Reject unsafe qcow and vmdk files
50aa0dfa Add VMDK safety check
733d771a Extend format_inspector for QCOW safety
87a98f0d Reject qcow files with data-file attributes
5e2acc91 Support Stream Optimized VMDKs
56da508e Remove py38-fips jobs because stream8 is dead
cec35e92 Fix broken glance-cache-prefetcher utility
9a4a3067 Update TOX_CONSTRAINTS_FILE for stable/2023.2
6b7d26c9 Update .gitreview for stable/2023.2

Diffstat (except docs and test files)
-------------------------------------

.gitreview                                        |   1 +
.zuul.yaml                                        |   4 +-
glance/async_/flows/base_import.py                |  10 +
glance/async_/flows/plugins/image_conversion.py   |  52 +++-
glance/cmd/cache_prefetcher.py                    |   2 +
glance/common/format_inspector.py                 | 270 +++++++++++++++++++--
.../async_/flows/plugins/test_image_conversion.py |  73 +++++-
...9-disallow-qcow2-datafile-5d5ff4dbd590c911.yaml |  17 ++
tools/test_format_inspector.py                    |   7 +
tox.ini                                           |   2 +-
12 files changed, 571 insertions(+), 53 deletions(-)