We are pleased to announce the release of:

cinder 23.2.0: OpenStack Block Storage

This release is part of the bobcat release series.

The source is available from:

    https://opendev.org/openstack/cinder

Download the package from:

    https://tarballs.openstack.org/cinder/

Please report issues through:

    https://bugs.launchpad.net/cinder/+bugs

For more details, please see below.

23.2.0
^^^^^^

Security Issues
***************

* Images in the qcow2 format with an external data file are now
  rejected with an "ImageUnacceptable" error because such images could
  be used in an exploit to expose host information. Given that qcow2
  external data files were never supported by Cinder, this change
  should have no impact on users. See Bug #2059809
  (https://bugs.launchpad.net/cinder/+bug/2059809) for details.

Bug Fixes
*********

* Bug #2008017 (https://bugs.launchpad.net/cinder/+bug/2012246): Hide
  the value of the *[coordination] backend_url* option from logs
  because it can contain credentials.

* Bug #2059809 (https://bugs.launchpad.net/cinder/+bug/2059809): Fixed
  issue where a qcow2 format image with an external data file could
  expose host information. Such an image is now rejected with an
  "ImageUnacceptable" error if it is used to create a volume. Given
  that qcow2 external data files were never supported by Cinder, the
  only use for such an image previously was to attempt to steal host
  information, and hence this change should have no impact on users.

* Dell PowerMax driver bug #2051828
  (https://bugs.launchpad.net/cinder/+bug/2051828): The driver only
  recognized 10.0 as being Unisphere 10 and would try to use 9.2 for
  Unisphere 10.x (where x > 0), but now it correctly recognizes 10.x
  as being Unisphere 10.

* Bug #1988942 (https://bugs.launchpad.net/cinder/+bug/1988942):
  Increased size of volume image metadata values accepted by the Block
  Storage API. Volume image metadata values were limited to 255
  characters but Glance allows up to 65535 bytes. This change does not
  affect the database tables, which already allow up to 65535 bytes
  for image metadata values.

Changes in cinder 23.1.0..23.2.0
--------------------------------

9e667b02b CVE-2024-32498: Check for external qcow2 data file
1ec51a0af [stable-only] Set volume_image_dep_tests flag
9c504a019 [coordination] backend_url should be secret
245274505 RBD: Use "RBD" capitalization in user-facing text
68acf0b81 Recognize Dell PowerMax Unisphere 10.x (x>0)
1e5260264 Fix 'cinder-backup' service when Swift with TLS enabled
6fcdf82f6 Tests: Quiet Fungible invalid UUID warnings
c0d9e2a2c Tests: Make NEC tests faster
9267b2f46 [stable-only] fix relnote markup
2fb2ff99b Increase size of volume image metadata values
5d24ae271 Ceph: Fix restoring old backups to a different backend

Diffstat (except docs and test files)
-------------------------------------

.zuul.yaml                                         |   5 +
cinder/api/schemas/volume_image_metadata.py        |   2 +-
cinder/api/validation/parameter_types.py           |   9 +
cinder/api/validation/validators.py                |   8 +
cinder/backup/drivers/ceph.py                      |  44 +-
cinder/backup/drivers/swift.py                     |   3 +-
cinder/coordination.py                             |   1 +
cinder/image/format_inspector.py                   | 938 +++++++++++++++++++++
cinder/image/image_utils.py                        |  86 +-
cinder/privsep/format_inspector.py                 |  38 +
.../unit/api/contrib/test_volume_image_metadata.py |  65 +-
.../dell_emc/powermax/test_powermax_rest.py        |  21 +
.../unit/volume/drivers/fungible/test_driver.py    |   2 +-
.../drivers/nec/v/test_internal_nec_rest_fc.py     |   5 +-
cinder/volume/drivers/dell_emc/powermax/rest.py    |  61 +-
cinder/volume/drivers/nfs.py                       |  10 +
cinder/volume/drivers/rbd.py                       |  34 +-
cinder/volume/drivers/remotefs.py                  |   3 +-
.../drivers/dell-emc-powermax-driver.rst           |   6 +
.../notes/bug-2012246-292d7d93260a1fe5.yaml        |   6 +
...9-disallow-qcow2-datafile-abc4e6d8be766710.yaml |  19 +
...l-powermax-unisphere-v101-7195af74d1c7671c.yaml |   8 +
...ge-metadata-size-increase-323812970dc0e513.yaml |   8 +
...pure-storage-fix-failover-fe6260a112409742.yaml |   4 +-
31 files changed, 2269 insertions(+), 119 deletions(-)
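
An added illustration of the qcow2 external data file check described under Security Issues above (this is not Cinder's format_inspector code): the qcow2 specification flags an external data file with bit 2 of the incompatible_features header field, which exists only in version 3 headers. The function names, the ImageRejected exception and the sample header bytes are constructed for this example.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_EXTERNAL_DATA = 1 << 2  # incompatible_features bit 2 (qcow2 spec)
V2_HEADER_LEN = 72               # version 2 header ends before feature fields
V3_HEADER_LEN = 104              # version 3 fixed header length


class ImageRejected(Exception):
    """Hypothetical stand-in for the ImageUnacceptable error in the notes."""


def has_external_data_file(header: bytes) -> bool:
    """Return True if a qcow2 header declares an external data file."""
    if len(header) < V2_HEADER_LEN or header[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    (version,) = struct.unpack_from(">I", header, 4)
    if version < 3:
        return False  # no feature fields before v3; ignore bytes at offset 72
    if len(header) < V3_HEADER_LEN:
        raise ValueError("truncated qcow2 v3 header")
    (incompat,) = struct.unpack_from(">Q", header, 72)
    return bool(incompat & INCOMPAT_EXTERNAL_DATA)


def check_image(header: bytes) -> None:
    """Raise ImageRejected for images that declare an external data file."""
    if has_external_data_file(header):
        raise ImageRejected("qcow2 external data file is not allowed")


def make_header(version: int = 3, incompat: int = 0) -> bytes:
    """Constructed sample header (not a real image), zero-filled otherwise."""
    hdr = bytearray(V3_HEADER_LEN)
    struct.pack_into(">4sI", hdr, 0, QCOW2_MAGIC, version)
    struct.pack_into(">Q", hdr, 72, incompat)
    struct.pack_into(">II", hdr, 96, 4, V3_HEADER_LEN)  # refcount_order, header_length
    return bytes(hdr)


if __name__ == "__main__":
    for label, hdr in [("plain v3", make_header()),
                       ("v3 + data file", make_header(incompat=INCOMPAT_EXTERNAL_DATA)),
                       ("v2, stray bits", make_header(version=2, incompat=4))]:
        try:
            check_image(hdr)
            print(label, "-> accepted")
        except ImageRejected as exc:
            print(label, "-> rejected:", exc)
```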