Hi Thomas,

On Fri, Aug 29, 2025 at 04:19:14PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Thu, Aug 28, 2025 at 09:59:51AM +0200, Thomas Goirand wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: trixie
> > X-Debbugs-Cc: [email protected]
> > Control: affects -1 + src:watcher
> > User: [email protected]
> > Usertags: pu
> >
> > Hi,
> >
> > [ Reason ]
> > I'd like to fix: https://bugs.debian.org/1111692
> > in Trixie. This is a vulnerability where an OpenStack volume
> > may be mounted to a wrong VM.
> >
> > [ Impact ]
> > Someone could access the volume of another tenant in an
> > OpenStack deployment.
> >
> > [ Tests ]
> > Upstream has intensive unit and functional tests. I use it
> > too with the packaged version (that's on top of unit tests
> > at build time and in autopkgtest).
> >
> > [ Risks ]
> > Not much risk thanks to testing.
> >
> > [ Checklist ]
> > [x] *all* changes are documented in the d/changelog
> > [x] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in (old)stable
> > [x] the issue is verified as fixed in unstable
> >
> > Please allow me to upload watcher/14.0.0-2+deb13u1 to Trixie
> > proposed-updates as per attached debdiff.
> >
> > Cheers,
> >
> > Thomas Goirand (zigo)
> >
> > P.S: I'm following up with the same request for Nova, as
> > both have fixes for OSSN-0094.
>
> > diff -Nru watcher-14.0.0/debian/changelog watcher-14.0.0/debian/changelog
> > --- watcher-14.0.0/debian/changelog 2025-07-11 14:45:24.000000000 +0200
> > +++ watcher-14.0.0/debian/changelog 2025-08-21 10:27:37.000000000 +0200
> > @@ -1,3 +1,15 @@ > > +watcher (14.0.0-2+deb13u1) trixie; urgency=high > > + > > + * A vulnerability has been identified in OpenStack Nova and OpenStack > > Watcher > > + in conjunction with volume swap operations performed by the Watcher > > + service. Under specific circumstances, this can lead to a situation > > where > > + two Nova libvirt instances could reference the same block device, > > allowing > > + accidental information disclosure to the unauthorized instance. Added > > + upstream patch: OSSN-0094_use_cinder_migrate_for_swap_volume.patch. > > + (Closes: #1111692). > > + > > + -- Thomas Goirand <[email protected]> Thu, 21 Aug 2025 10:27:37 +0200
>
> Something is odd here: trixie has 14.0.0-1, so I believe the update
> should be based on top of 14.0.0-1 and versioned 14.0.0-1+deb13u1 ?
>
> Or can you argue why it should be based on top of the 14.0.0-2 which
> did back then hit unstable but not moved to trixie, i.e. are those
> changes needed in the point release update?
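Review bot: the changelog hunk as quoted here has been re-wrapped by the mailer: the fragments "Watcher", "where" and "allowing" sit on their own quoted lines without the leading "+", so the hunk cannot be applied from this text and the attached debdiff, not the quote, is what must be reviewed and applied. Only the debian/changelog hunk is quoted; the debian/patches/series entry and the OSSN-0094_use_cinder_migrate_for_swap_volume.patch file that the entry names are not visible here and should be confirmed present in the attachment. The version in the new entry (14.0.0-2+deb13u1) also needs to match the base the debdiff is actually taken against, which is the point raised above.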
Any news here?

Regards,
Salvatore

