Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
(Please provide enough information to help the release team to judge the request efficiently. E.g. by filling in the sections below.)

[ Reason ]
Nova contains an open redirect on the VNC console URL, where the URL:

https://vnc-console-host.com//example.com/scam-url.html

would redirect to http://example.com/scam-url.html. Of course, that's not a big issue (which is why there's no DSA), but I would still like to get this fixed in Bullseye.

Also, I would like to get Nova upgraded to the latest point release, to fix numerous small issues. The release notes for Nova are there:

https://docs.openstack.org/releasenotes/nova/victoria.html

I'm especially interested in having this bug solved:

"The libvirt virt driver will no longer attempt to fetch volume encryption metadata or the associated secret key when attaching LUKSv1 encrypted volumes if a libvirt secret already exists on the host. This resolves bug 1905701 (https://launchpad.net/bugs/1905701) where instances with LUKSv1 encrypted volumes could not be restarted automatically by the nova-compute service after a host reboot when the [DEFAULT]/resume_guests_state_on_host_boot configurable was enabled."

but the other issue (i.e.: Improved detection of anti-affinity policy violation when performing live and cold migrations.) is also very nice to have.

Also, I've upgraded all of my live clusters (including a public cloud) to this version of Nova, and I would like to keep Bullseye in sync with what I am maintaining.

[ Impact ]
Open redirect in the VNC console could be used by spammers to hide the real URLs.

[ Tests ]
Not only does upstream run a battery of unit and functional tests, but the Nova package itself runs 16946 unit tests at build time. Also, we're using version 22.2.2-1 of Nova in production, and our deployment suffers no regression.

[ Risks ]
No risk during upgrade that I know of.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[ ] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

The debdiff being too big, please find it, together with the built packages, at:

http://shade.infomaniak.ch/bullseye-pu/nova/

[ Changes ]
Here are the details of the debian/changelog explained.

* Tune nova-api-{,metadata-}uwsgi.ini for performance.

This is a minor tweak to the uwsgi.ini default configuration, which I've started pushing on all OpenStack packages in Debian. It's only better with it...

* New upstream release.

See above.

* CVE-2021-3654: novnc allows open redirection. Added upstream patch: Reject_open_redirection_in_the_console_proxy.patch (Closes: #991441).

This addresses the main issue that mandates the pu.

* Do not maintain glance_api_servers through debconf (as the default of reading its URL in the Keystone catalogue is better).

This avoids tweaking nova.conf on upgrades, which could otherwise potentially destroy one's deployment. Indeed, one very valid (and in fact recommended) way to deploy is to *NOT* set the glance_api_servers directive. With the debconf code, this forces having something. After removing the debconf integration for this directive, the upgrade to the proposed update isn't breaking deployments anymore, while leaving already configured glance_api_servers alone (so not destroying anyone's setup).

Please allow me to upload nova/22.2.2-1+deb11u1 to Bullseye,

Cheers,

Thomas Goirand (zigo)
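The open redirect described in the [ Reason ] section above, and the kind of check the CVE-2021-3654 patch listed under [ Changes ] exists to add, can be illustrated with the following added Python example. It is not code from the bug report, from Nova, from websockify or from the upstream patch; the function names, the sample paths and the backslash handling are assumptions of this example. It shows why a request path beginning with `//` is dangerous (a browser resolves a `Location: //host/...` header as a network-path reference, keeping the scheme but swapping the host) and a path check a console proxy can apply before it ever issues a trailing-slash redirect.

```python
"""Added example (not from the bug report or Nova): why a path that starts
with "//" turns an ordinary directory redirect into an open redirect, and a
check a console proxy can apply before sending any Location header."""
from urllib.parse import urljoin, urlsplit


def browser_redirect_target(request_url, location):
    """Resolve a Location header value the way a browser does.

    A value starting with "//" is a network-path reference: the host in it
    replaces the host of the request URL while the scheme is kept.
    """
    return urljoin(request_url, location)


def resolves_off_host(request_url, location):
    """True if following the redirect would leave the host that served it."""
    origin = urlsplit(request_url).hostname
    target = urlsplit(browser_redirect_target(request_url, location)).hostname
    return target != origin


def is_protocol_relative(path):
    """True for request paths a browser would read as "//host/...".

    Browsers also accept a backslash where a slash is expected, so "/\\host"
    is treated the same here (an assumption beyond the report's example).
    """
    return path.replace("\\", "/").startswith("//")


def validate_console_path(path):
    """Decision a hardened proxy handler would make before serving a path:
    reject protocol-relative paths with 400 instead of letting a later
    "add a trailing slash" redirect echo them into a Location header.
    Returns (status, detail)."""
    if is_protocol_relative(path):
        return 400, "URI must not start with //"
    return 200, path


if __name__ == "__main__":
    # Constructed sample: the report's URL split into proxy origin and path,
    # plus an ordinary console path that must keep working.
    request = "https://vnc-console-host.com/"
    for path in ("//example.com/scam-url.html", "/vnc_auto.html?token=abc"):
        status, detail = validate_console_path(path)
        print(status, detail)
        if status != 200:
            # Where a browser would have ended up had the proxy redirected
            # to path + "/" instead of rejecting the request.
            print("  redirect would land on:",
                  browser_redirect_target(request, path + "/"))
```

The check runs on the raw request path, before any filesystem lookup, because the redirect in the underlying `SimpleHTTPRequestHandler`-style handler is generated from that path; rejecting early with 400 keeps a legitimate `/vnc_auto.html?token=...` request untouched while removing the only input that can reach the Location header with a foreign host.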