Your message dated Thu, 19 Mar 2026 16:19:30 +0000
with message-id <[email protected]>
and subject line Bug#1131274: fixed in glance 2:32.0.0~rc1-3
has caused the Debian Bug report #1131274,
regarding SSRF vulnerabilities in OpenStack Glance image import functionality
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131274
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: glance-api
Version: 2:31.0.0-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>

Copy/paste of the pre-OSSA message, which can now be disclosed:

This is an advance warning of a vulnerability discovered in
OpenStack, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.

Title: Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack
       Glance image import functionality
Reporter: Hyeongeun_Ji, Open the Window; Abhishek Kekane, Red Hat
Products: Glance
Affects: <29.1.1, >=30.0.0 <30.1.1, ==31.0.0

Description:
Hyeongeun_Ji (Open the Window) and Abhishek Kekane (Red Hat) reported
multiple Server-Side Request Forgery (SSRF) vulnerabilities in Glance
image import.  By use of HTTP redirects, an authenticated user can
bypass URL validation checks and redirect to internal services.

Only glance image import functionality is affected.  In particular,
the 'web-download' and 'glance-download' import methods are subject to
this vulnerability, as is the optional (not enabled by default)
'ovf_process' image import plugin.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date.

CVE: pending assignment from MITRE

Proposed public disclosure date/time:
2026-03-19, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Original private report:
https://launchpad.net/bugs/2138602
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.
-- 
Brian Rosmaita
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html

--- End Message ---
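The advisory above describes the defect class but not the fix: a URL check that runs once, before the first request, is bypassed when the server answers with a redirect to an address the check would have refused. The defence is to stop the HTTP client from following redirects on its own and to re-validate every hop of the chain. The following is an added illustration of that pattern, not code from Glance or from the upstream patch; the hostnames, addresses, responses and the `fake_resolver`/`fake_fetch` helpers are constructed for the demo.

```python
"""Redirect-aware URL validation for an image-download style fetcher.

Added illustration, not Glance's own code. Every hop of an HTTP redirect
chain is validated before it is followed, so a public URL that redirects to
an internal address is refused instead of fetched. All hosts, addresses and
responses below are constructed sample data.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5

Response = Tuple[int, Dict[str, str], bytes]  # (status, headers, body)
Resolver = Callable[[str], List[str]]


class UnsafeURL(Exception):
    """Raised when a URL (or a redirect target) must not be fetched."""


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to all of its addresses (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_url(url: str, resolver: Resolver = default_resolver) -> List[str]:
    """Return the addresses a URL points at, or raise UnsafeURL.

    Rejects non-HTTP(S) schemes, empty hosts and any address that is not
    globally routable (loopback, RFC 1918, link-local, unspecified, ...).
    Hostnames are resolved and every returned address is checked, so odd
    spellings that ipaddress rejects but the resolver accepts are still caught.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        raise UnsafeURL("missing host")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal
    except ValueError:
        addresses = resolver(host)  # hostname: check everything it maps to
    if not addresses:
        raise UnsafeURL(f"{host!r} does not resolve")
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            raise UnsafeURL(f"{host!r} -> {addr} is not a public address")
    return addresses


def is_safe_url(url: str, resolver: Resolver = default_resolver) -> bool:
    """Boolean form of validate_url, convenient for tests and logging."""
    try:
        validate_url(url, resolver)
        return True
    except UnsafeURL:
        return False


def fetch_following_safe_redirects(
    url: str,
    fetch_no_redirect: Callable[[str], Response],
    resolver: Resolver = default_resolver,
    max_redirects: int = MAX_REDIRECTS,
) -> Tuple[str, int, bytes]:
    """Fetch url, validating each hop of the redirect chain before requesting it.

    fetch_no_redirect performs exactly one request and must not follow
    redirects itself (e.g. requests.get(url, allow_redirects=False)); if the
    client followed them, a hop would be fetched before it could be checked.
    Returns (final_url, status, body).
    """
    for _ in range(max_redirects + 1):
        validate_url(url, resolver)
        status, headers, body = fetch_no_redirect(url)
        if status not in REDIRECT_STATUSES:
            return url, status, body
        location: Optional[str] = next(
            (v for k, v in headers.items() if k.lower() == "location"), None)
        if not location:
            raise UnsafeURL(f"{status} response without Location header")
        url = urljoin(url, location)  # relative Location resolved against current URL
    raise UnsafeURL(f"more than {max_redirects} redirects")


# --- constructed sample data (no real hosts or responses) -------------------
FAKE_DNS = {"images.example.org": ["8.8.8.8"]}  # a public address, for the demo
SIMULATED_RESPONSES: Dict[str, Response] = {
    # public first hop whose redirect points at a private address: must be refused
    "https://images.example.org/cirros.img": (302, {"Location": "http://10.0.0.5/internal/"}, b""),
    # relative redirect that stays on the public host: allowed
    "https://images.example.org/ok.img": (302, {"Location": "/mirror/ok.img"}, b""),
    "https://images.example.org/mirror/ok.img": (200, {}, b"QFI\xfb"),
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_fetch(url: str) -> Response:
    return SIMULATED_RESPONSES.get(url, (404, {}, b""))


def demo() -> Dict[str, object]:
    """Run both constructed cases; 'blocked' holds the refusal reason or None."""
    results: Dict[str, object] = {}
    results["ok"] = fetch_following_safe_redirects(
        "https://images.example.org/ok.img", fake_fetch, fake_resolver)
    try:
        fetch_following_safe_redirects(
            "https://images.example.org/cirros.img", fake_fetch, fake_resolver)
        results["blocked"] = None
    except UnsafeURL as exc:
        results["blocked"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The important design point is the split between the single-request fetcher and the loop that owns redirect handling: validation is only meaningful if it runs on the exact URL about to be requested, which also covers relative `Location` values and hostnames that resolve to internal addresses.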
--- Begin Message ---
Source: glance
Source-Version: 2:32.0.0~rc1-3
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 19 Mar 2026 16:05:37 +0100
Source: glance
Architecture: source
Version: 2:32.0.0~rc1-3
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1131274
Changes:
 glance (2:32.0.0~rc1-3) experimental; urgency=medium
 .
   * Server-Side Request Forgery (SSRF) vulnerabilities in Glance image import.
     By use of HTTP redirects, an authenticated user can bypass URL validation
     checks and redirect to internal services. Add upstream patch:
     - OSSA-2026-004_Fix_SSRF_vulnerabilities_in_image_import_API.patch.
     (Closes: #1131274).
Checksums-Sha1:
 b19a9dff14ffbc6a4d3d37ca164ce507c2e6f0aa 3735 glance_32.0.0~rc1-3.dsc
 1ab327b5081dbf6ca9c916ea8f1ba4b7354c90a6 27916 glance_32.0.0~rc1-3.debian.tar.xz
 38a024a66ffeb9f90893ef76fffaeafafae875d3 19150 glance_32.0.0~rc1-3_amd64.buildinfo
Checksums-Sha256:
 9efaeba18d61c6dcf25cd316bb227d498d487530be70c568ed5097324543a83a 3735 glance_32.0.0~rc1-3.dsc
 cf1aa9f5e3e0abf760cc2deab8a4e99eb9100a27f466c601bbae770667849390 27916 glance_32.0.0~rc1-3.debian.tar.xz
 9ec5624f16fbbf8fa7b024a5ccdf0d953056dd44300bbfcc63e3ce86f8d73f53 19150 glance_32.0.0~rc1-3_amd64.buildinfo
Files:
 713160c7141fdf357f50c272fd5e7186 3735 net optional glance_32.0.0~rc1-3.dsc
 0761e4447ddc832a4fdb27fa68248c2f 27916 net optional glance_32.0.0~rc1-3.debian.tar.xz
 7d73fb1eae80cefa54545dd33b515fca 19150 net optional glance_32.0.0~rc1-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
