[nova][ops] EOL'ing stable/train ?

Sean Mooney smooney at redhat.com
Fri May 26 17:50:32 UTC 2023


On Fri, 2023-05-26 at 17:10 +0000, Jeremy Stanley wrote:
> On 2023-05-26 18:19:09 +0200 (+0200), Thomas Goirand wrote:
> > On 5/24/23 12:24, Sylvain Bauza wrote:
> [...]
> > As for CVE-2023-2088, the issue is implementing the force
> > 
> > > It would be difficult to fix the CVEs in the upstream branch but
> > > hopefully AFAIK all the OpenStack distros already fixed them for their
> > > related releases that use Train.
> > 
> > So far, I haven't seen such a fix, neither in Ubuntu or RedHat, on any
> > version prior to ussuri. If you have a link to a working patch, please let
> > me know.

For Red Hat OpenStack Platform 16 (Train) we fixed the VMDK issue (CVE-2022-47951) by increasing the version of
oslo.utils? that we shipped, to ensure it had the relevant JSON format options
to inspect the image, and basically used the same fix as on master.
We also did that for Queens / OSP 13.
The qemu version we used supports this all the way back to 13/Queens, so that made that approach
more viable.

We can't do that upstream as it would break people, but the way I would have preferred to do this
would have been to simply vendor the functionality in nova and continue the backport upstream
without bumping the min oslo version. We have done that in the past for other libs.



> I think he may be referring to Red Hat. As I understand it, they
> went with the https://wiki.openstack.org/wiki/OSSN/OSSN-0092
> approach (mitigation through configuration only, disabling
> attachment-delete functionality for users). I may be wrong though,
> as I was not privy to their internal discussions.

Downstream, technically we never supported VMDK in our product.
We did not block it either, but customers are not expected to use VMDK images
with our downstream product. We still fixed the issue, assuming our customers can't
control what their customers are uploading to their OpenStack clouds.
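The fix Sean describes relies on probing the uploaded image with `qemu-img info --output=json` and refusing images whose real on-disk layout does not match what the uploader declared, in particular VMDK descriptors of sub-formats that can reference files outside the image. The following is an added illustration of that kind of check, written for this thread and not taken from nova, oslo.utils or any Red Hat patch. The `DEFAULT_VMDK_ALLOWED_TYPES` tuple is a hypothetical allow-list chosen here (nova exposes a configurable `[compute]vmdk_allowed_types` option for the same purpose), and the three JSON samples are constructed to have the shape qemu-img emits; they were not captured from real images.

```python
import json
import subprocess
from typing import Iterable

# Hypothetical allow-list of self-contained VMDK sub-formats for this example.
# The idea mirrors nova's [compute]vmdk_allowed_types setting; the values here
# are an assumption of this example, not a quote of nova's defaults.
DEFAULT_VMDK_ALLOWED_TYPES = ("streamOptimized", "monolithicSparse")


class UnsafeImageError(ValueError):
    """The image's real on-disk layout is not what the uploader declared."""


def check_image_info(info_json: str, declared_format: str,
                     vmdk_allowed_types: Iterable[str] = DEFAULT_VMDK_ALLOWED_TYPES) -> dict:
    """Validate the JSON from 'qemu-img info --output=json' against a declared format.

    Returns the parsed info dict when the image is acceptable and raises
    UnsafeImageError otherwise, so callers cannot accidentally ignore a failure.
    """
    info = json.loads(info_json)
    actual = info.get("format")

    # 1. The format qemu-img detected must match what Glance/the uploader claimed.
    if actual != declared_format:
        raise UnsafeImageError(
            f"declared format {declared_format!r} but qemu-img detected {actual!r}")

    # 2. Reject anything that chains to another file on the host.
    if info.get("backing-filename") or info.get("full-backing-filename"):
        raise UnsafeImageError("image references a backing file")

    # 3. VMDK descriptors can name external extents; only allow sub-formats
    #    whose data lives inside the uploaded file itself.
    if actual == "vmdk":
        data = info.get("format-specific", {}).get("data", {})
        create_type = data.get("create-type")
        if create_type not in set(vmdk_allowed_types):
            raise UnsafeImageError(
                f"vmdk create-type {create_type!r} is not in the allowed list")
    return info


def is_image_acceptable(info_json: str, declared_format: str) -> bool:
    """Boolean convenience wrapper around check_image_info."""
    try:
        check_image_info(info_json, declared_format)
        return True
    except UnsafeImageError:
        return False


def inspect_image_file(path: str, declared_format: str) -> dict:
    """Probe a real file with qemu-img (requires qemu-img; not exercised offline)."""
    result = subprocess.run(
        ["qemu-img", "info", "--output=json", path],
        capture_output=True, text=True, check=True)
    return check_image_info(result.stdout, declared_format)


# Constructed samples in the shape qemu-img prints; they are not from real images.
SAMPLE_SPARSE_VMDK = json.dumps({
    "virtual-size": 1073741824, "filename": "disk.vmdk", "format": "vmdk",
    "actual-size": 65536, "dirty-flag": False,
    "format-specific": {"type": "vmdk", "data": {
        "cid": 1, "parent-cid": 4294967295, "create-type": "monolithicSparse",
        "extents": [{"virtual-size": 1073741824, "filename": "disk.vmdk",
                     "cluster-size": 65536, "format": "SPARSE"}]}}})

SAMPLE_FLAT_VMDK = json.dumps({
    "virtual-size": 1073741824, "filename": "disk.vmdk", "format": "vmdk",
    "actual-size": 512, "dirty-flag": False,
    "format-specific": {"type": "vmdk", "data": {
        "cid": 2, "parent-cid": 4294967295, "create-type": "monolithicFlat",
        "extents": [{"virtual-size": 1073741824, "filename": "disk-flat.vmdk",
                     "format": "FLAT"}]}}})

SAMPLE_QCOW2_AS_RAW = json.dumps({
    "virtual-size": 1073741824, "filename": "disk.raw", "format": "qcow2",
    "actual-size": 200704, "cluster-size": 65536, "dirty-flag": False})


if __name__ == "__main__":
    for name, blob, declared in [("sparse vmdk", SAMPLE_SPARSE_VMDK, "vmdk"),
                                 ("flat vmdk", SAMPLE_FLAT_VMDK, "vmdk"),
                                 ("qcow2 declared raw", SAMPLE_QCOW2_AS_RAW, "raw")]:
        verdict = "accepted" if is_image_acceptable(blob, declared) else "rejected"
        print(f"{name}: {verdict}")
```

The validation is split from the subprocess call so the decision logic can be unit-tested without qemu-img installed. When the probe does run against untrusted uploads it should itself be confined (CPU and address-space limits, no network, a scratch directory), since `qemu-img info` parses attacker-controlled headers before any of these checks see the result.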