We exuberantly announce the release of:

glance 26.1.0: OpenStack Image Service

This release is part of the antelope release series.

The source is available from:

    https://opendev.org/openstack/glance

Download the package from:

    https://tarballs.openstack.org/glance/

Please report issues through:

    https://bugs.launchpad.net/glance/+bugs

For more details, please see below.

26.1.0
^^^^^^

Security Issues
***************

* Images in the qcow2 format with an external data file are now rejected
  by glance because such images could be used in an exploit to expose
  host information. See Bug #2059809
  (https://bugs.launchpad.net/glance/+bug/2059809) for details.

Bug Fixes
*********

* Bug #2059809 (https://bugs.launchpad.net/glance/+bug/2059809): Fixed an
  issue where a qcow2 format image with an external data file could expose
  host information. Such images will now be rejected by glance. To achieve
  this, format_inspector has been extended with safety checks for qcow2 and
  vmdk files. Unsafe qcow and vmdk files are rejected by pre-examining them
  with the format inspector, ensuring a safe configuration before any
  qemu-img operation is run on them.
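The qcow2 data-file check described in the note above, as an added Python example (not glance's own format_inspector code): it parses the fixed qcow2 header and rejects any image whose version-3 incompatible_features bitmap has the external-data-file bit set. The header builder and its field values are constructed sample input, and the field layout follows the qcow2 specification.

```python
import struct

# Constructed example, not glance's format_inspector implementation.
QCOW_MAGIC = b"QFI\xfb"
# In a version-3 qcow2 header, bit 2 of incompatible_features marks an
# external data file (qcow2 specification).
QCOW2_INCOMPAT_DATA_FILE = 1 << 2
_V2_HEADER_LEN = 72   # fixed fields shared by v2 and v3 headers
_V3_HEADER_LEN = 104  # v2 fields plus feature bitmaps and header_length


def qcow2_has_external_data_file(header: bytes) -> bool:
    """Return True if the qcow2 header declares an external data file.

    Raises ValueError when the bytes are not a complete qcow2 header, so a
    truncated or foreign file can never slip through as 'safe'.
    """
    if len(header) < _V2_HEADER_LEN or header[:4] != QCOW_MAGIC:
        raise ValueError("not a qcow2 header")
    version = struct.unpack(">I", header[4:8])[0]
    if version == 2:
        return False  # v2 has no feature bitmaps, so no data-file flag exists
    if version != 3:
        raise ValueError("unsupported qcow2 version %d" % version)
    if len(header) < _V3_HEADER_LEN:
        raise ValueError("truncated qcow2 v3 header")
    incompatible = struct.unpack(">Q", header[72:80])[0]
    return bool(incompatible & QCOW2_INCOMPAT_DATA_FILE)


def qcow2_is_safe(header: bytes) -> bool:
    """Gate to run before any qemu-img operation: reject data-file images."""
    return not qcow2_has_external_data_file(header)


def build_qcow2_header(version: int, incompatible: int = 0) -> bytes:
    """Build a minimal qcow2 header (constructed sample input for the check)."""
    fixed = struct.pack(
        ">4sIQIIQIIQQIIQ", QCOW_MAGIC, version,
        0, 0,               # backing_file_offset, backing_file_size
        16, 1 << 30,        # cluster_bits, virtual disk size
        0, 1,               # crypt_method, l1_size
        0x30000, 0x10000,   # l1_table_offset, refcount_table_offset
        1, 0, 0)            # refcount_table_clusters, nb_snapshots, snapshots_offset
    if version == 2:
        return fixed
    # incompatible, compatible, autoclear features, refcount_order, header_length
    return fixed + struct.pack(">QQQII", incompatible, 0, 0, 4, _V3_HEADER_LEN)


if __name__ == "__main__":
    for name, hdr in [("plain v3", build_qcow2_header(3)),
                      ("v3 data-file", build_qcow2_header(3, QCOW2_INCOMPAT_DATA_FILE))]:
        print(name, "accepted" if qcow2_is_safe(hdr) else "REJECTED")
```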
Changes in glance 26.0.0..26.1.0
--------------------------------

edd75b70 Add releasenote for CVE-2024-32498 fix
d65e8a51 Revert "[stable only] Make import jobs non-voting"
6918d5b5 Increase timeout for tempest-integrated-storage-import job
f9ccc2d8 [stable only] Make import jobs non-voting
f98e9ae4 Fix import job to provide valid disk-formats list to tempest
a1c94b47 Add safety check and detection support to FI tool
1656fe88 Add file format detection to format_inspector
9b3faf37 Add QED format detection to format_inspector
c1c54abe Reject unsafe qcow and vmdk files
812e56d1 Add VMDK safety check
48600242 Extend format_inspector for QCOW safety
dba3bdb4 Reject qcow files with data-file attributes
ef22a742 Support Stream Optimized VMDKs
a45667b7 Remove py38-fips jobs because stream8 is dead
70170d2a Fix broken glance-cache-prefetcher utility
065e2d7e Adjust integrated-storage-import jobs
285021bd Update TOX_CONSTRAINTS_FILE for stable/2023.1
0c03779f Update .gitreview for stable/2023.1

Diffstat (except docs and test files)
-------------------------------------

.gitreview                                         |   1 +
.zuul.yaml                                         |   6 +-
glance/async_/flows/base_import.py                 |  10 +
glance/async_/flows/plugins/image_conversion.py    |  52 +++-
glance/cmd/cache_prefetcher.py                     |   2 +
glance/common/format_inspector.py                  | 270 +++++++++++++++++++--
.../async_/flows/plugins/test_image_conversion.py  |  73 +++++-
playbooks/post-check-metadata-injection.yaml       |  16 +-
...9-disallow-qcow2-datafile-5d5ff4dbd590c911.yaml |  17 ++
tools/test_format_inspector.py                     |   7 +
tox.ini                                            |   2 +-
13 files changed, 583 insertions(+), 59 deletions(-)
participants (1)
-
no-reply@openstack.org