Your message dated Tue, 02 Jul 2024 15:19:05 +0000
with message-id <e1sofhd-00acbu...@fasolo.debian.org>
and subject line Bug#1074761: fixed in glance 2:28.0.1-3+deb12u1
has caused the Debian Bug report #1074761,
regarding CVE-2024-32498: Arbitrary file access through custom QCOW2 external
data
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1074761: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074761
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: glance
Version: 2:25.1.0-2
Severity: grave
Tags: patch
Title: Arbitrary file access through custom QCOW2 external data
Reporter: Martin Kaesberger
Products: Cinder, Glance, Nova
Description:
Martin Kaesberger reported a vulnerability in QCOW2 image processing
for Cinder, Glance and Nova. By supplying a specially created QCOW2
image which references a specific data file path, an authenticated
user may convince systems to return a copy of that file's contents
from the server resulting in unauthorized access to potentially
sensitive data. All Cinder deployments are affected; only Glance
deployments with image conversion enabled are affected; all Nova
deployments are affected.
Original private report: https://launchpad.net/bugs/2059809
--- End Message ---
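Added example, not part of the original report or of the upstream patches: a header check that can run before an uploaded image reaches a converter, listing the QCOW2 header fields that make the image depend on another file (backing file, external data file flag and name). It assumes the caller passes the first cluster of the image; external_refs and sample_header are names made up for this sketch.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_DATA_FILE = 1 << 2       # incompatible_features bit 2: external data file
EXT_DATA_FILE_NAME = 0x44415441   # header extension carrying the data file name


def external_refs(buf):
    """List the external files a QCOW2 header points at (empty list = none)."""
    if len(buf) < 72 or buf[:4] != QCOW2_MAGIC:
        raise ValueError("not a QCOW2 header")
    version, backing_off, backing_len = struct.unpack_from(">IQI", buf, 4)
    found = []
    if backing_off:
        name = buf[backing_off:backing_off + backing_len]
        found.append(("backing_file", name.decode("utf-8", "replace")))
    ext_pos = 72                                  # v2 header is a fixed 72 bytes
    if version >= 3:
        if len(buf) < 104:
            raise ValueError("truncated v3 header")
        (incompat,) = struct.unpack_from(">Q", buf, 72)
        (ext_pos,) = struct.unpack_from(">I", buf, 100)   # header_length field
        if ext_pos < 104:
            raise ValueError("bad header_length")
        if incompat & INCOMPAT_DATA_FILE:
            found.append(("data_file_bit", ""))
    # Header extensions: u32 type, u32 length, payload padded to 8 bytes.
    while ext_pos + 8 <= len(buf):
        ext_type, ext_len = struct.unpack_from(">II", buf, ext_pos)
        if ext_type == 0:                         # end-of-extensions marker
            break
        if ext_type == EXT_DATA_FILE_NAME:
            name = buf[ext_pos + 8:ext_pos + 8 + ext_len]
            found.append(("data_file_name", name.decode("utf-8", "replace")))
        ext_pos += 8 + ((ext_len + 7) & ~7)
    return found


def sample_header(incompat=0, data_file=b""):
    """Constructed v3 header for the demo; not a usable image."""
    hdr = struct.pack(">4sIQIIQIIQQIIQQQQII", QCOW2_MAGIC, 3, 0, 0, 16, 1 << 20,
                      0, 0, 0, 0, 0, 0, 0, incompat, 0, 0, 4, 104)
    if data_file:
        hdr += (struct.pack(">II", EXT_DATA_FILE_NAME, len(data_file))
                + data_file + b"\0" * (-len(data_file) % 8))
    return hdr + struct.pack(">II", 0, 0)


if __name__ == "__main__":
    print(external_refs(sample_header(INCOMPAT_DATA_FILE, b"placeholder.raw")))
```

An image for which external_refs returns a non-empty list should be rejected before any conversion step runs on it.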
--- Begin Message ---
Source: glance
Source-Version: 2:28.0.1-3+deb12u1
Done: Thomas Goirand <z...@debian.org>
We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1074...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated glance package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 21 Jun 2024 09:35:02 +0200
Source: glance
Architecture: source
Version: 2:28.0.1-3+deb12u1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1074761
Changes:
 glance (2:28.0.1-3+deb12u1) unstable; urgency=high
 .
   * CVE-2024-32498: Arbitrary file access through custom QCOW2 external data.
     Add upstream patch (Closes: #1074761):
     - CVE-2024-32498_1_1_glance-stable-2024.1.patch
     - CVE-2024-32498_1_2_glance-stable-2024.1.patch
     - CVE-2024-32498_1_3_glance-stable-2024.1.patch
     - CVE-2024-32498_1_4_glance-stable-2024.1.patch
     - CVE-2024-32498_1_5_glance-stable-2024.1.patch
     - CVE-2024-32498_1_6_glance-stable-2024.1.patch
     - CVE-2024-32498_1_7_glance-stable-2024.1.patch
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---