Your message dated Thu, 19 Mar 2026 16:07:05 +0000
with message-id <[email protected]>
and subject line Bug#1131274: fixed in glance 2:31.0.0-3
has caused the Debian Bug report #1131274,
regarding SSRF vulnerabilities in OpenStack Glance image import functionality
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131274
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: glance-api
Version: 2:31.0.0-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>

Copy/paste of the pre-OSSA message, which can now be disclosed:

This is an advance warning of a vulnerability discovered in
OpenStack, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.

Title: Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack
       Glance image import functionality
Reporter: Hyeongeun_Ji, Open the Window; Abhishek Kekane, Red Hat
Products: Glance
Affects: <29.1.1, >=30.0.0 <30.1.1, ==31.0.0

Description:
Hyeongeun_Ji (Open the Window) and Abhishek Kekane (Red Hat) reported
multiple Server-Side Request Forgery (SSRF) vulnerabilities in Glance
image import.  By use of HTTP redirects, an authenticated user can
bypass URL validation checks and redirect to internal services.

Only glance image import functionality is affected.  In particular,
the 'web-download' and 'glance-download' import methods are subject to
this vulnerability, as is the optional (not enabled by default)
'ovf_process' image import plugin.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date.

CVE: pending assignment from MITRE

Proposed public disclosure date/time:
2026-03-19, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Original private report:
https://launchpad.net/bugs/2138602
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.
-- 
Brian Rosmaita
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html

--- End Message ---
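As an added illustration of the flaw described in the advisory above (this is not code from the advisory or from Glance), the Python below contrasts the weak pattern, validating the user-supplied URL once and then letting the HTTP client follow redirects on its own, with a hardened importer that disables automatic redirects and re-validates every Location hop before following it. The HTTP client, the image server and the internal address are constructed stand-ins so the example runs offline; a production validator must additionally resolve hostnames and check every resolved address.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed stand-in for a remote image server: URL -> (status, headers).
# The public-looking image URL answers with a redirect to a constructed
# private address that the importer should never be allowed to reach.
FAKE_RESPONSES = {
    "https://images.example.com/cirros.img": (302, {"Location": "http://10.0.0.12:8080/internal/"}),
    "https://images.example.com/ok.img": (200, {}),
    "http://10.0.0.12:8080/internal/": (200, {}),
}

def fake_get(url, allow_redirects, max_hops=10):
    """Constructed stand-in for an HTTP client. Like requests.get(), it follows
    redirects itself when allow_redirects is True. Returns (status, url, headers)."""
    for _ in range(max_hops):
        status, headers = FAKE_RESPONSES[url]
        if allow_redirects and status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])
            continue
        return status, url, headers
    raise ValueError("too many redirects")

def url_is_safe(url):
    """Reject non-HTTP schemes and literal non-global addresses (private, loopback,
    link-local). Named hosts are treated as public here only because this offline
    example does no DNS; real code must resolve them and check each address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        return ipaddress.ip_address(parts.hostname).is_global
    except ValueError:
        return True

def naive_import(url):
    """Weak pattern: validate the submitted URL once, then let the client follow
    redirects. The redirect target is never validated, which is the bypass."""
    if not url_is_safe(url):
        raise ValueError("rejected: " + url)
    _, final_url, _ = fake_get(url, allow_redirects=True)
    return final_url

def hardened_import(url, max_hops=5):
    """Hardened pattern: no automatic redirects; validate every hop before following."""
    for _ in range(max_hops + 1):
        if not url_is_safe(url):
            raise ValueError("rejected: " + url)
        status, _, headers = fake_get(url, allow_redirects=False)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])
            continue
        return url
    raise ValueError("too many redirects")
```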
--- Begin Message ---
Source: glance
Source-Version: 2:31.0.0-3
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Thu, 19 Mar 2026 16:17:23 +0100
Source: glance
Architecture: source
Version: 2:31.0.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1131274
Changes:
 glance (2:31.0.0-3) unstable; urgency=medium
 .
   * Server-Side Request Forgery (SSRF) vulnerabilities in Glance image import.
     By use of HTTP redirects, an authenticated user can bypass URL validation
     checks and redirect to internal services. Add upstream patch:
     - OSSA-2026-004_Fix_SSRF_vulnerabilities_in_image_import_API.patch.
     (Closes: #1131274).




--- End Message ---
