Your message dated Sat, 21 Feb 2026 19:49:31 +0000
with message-id <[email protected]>
and subject line Bug#1128294: fixed in nova 2:26.2.2-1~deb12u4
has caused the Debian Bug report #1128294,
regarding CVE-2026-24708: malicious QCOW header result in unsafe image resize
operation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128294: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128294
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nova
Version: 2:31.0.0-6+deb13u1
Severity: grave
copying pre-OSSA:
This is an advance warning of a vulnerability discovered in
OpenStack, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.
Dan Smith from Red Hat reported a vulnerability in nova. By
writing a malicious QCOW header to a root or ephemeral disk
and then triggering a resize, a user may convince Nova's flat
image backend to call qemu-img without a format restriction
resulting in an unsafe image resize operation that could
destroy data on the host system.
Only compute nodes using the Flat image backend (usually
configured with use_cow_images=False) are affected.
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date.
CVE: CVE-2026-24708
Proposed public disclosure date/time:
2026-02-17 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.
Original private report:
https://launchpad.net/bugs/2137507
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.
--
Jay Faulkner
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html
--- End Message ---
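The mechanism in the advisory above, as an added example that is not part of the original thread, of nova's code, or of the upstream patch: the two ways of building the qemu-img resize command (format probed by qemu-img from the file's own bytes versus format stated by the caller, which is what the patch name "make disk.extend pass format to qemu-img" describes), plus an audit that flags raw disk files on a Flat-backend host whose first bytes carry a QCOW magic, the condition a guest would have to leave behind to influence a format probe. The function names, the instances-directory layout and the disk file names disk, disk.local and disk.eph0 are assumptions; `qemu-img resize -f <fmt>` is a real option; the sample files are constructed in a temporary directory.

```python
import os
import tempfile

# Every QCOW/QCOW2 header starts with these four bytes ("QFI" followed by 0xfb).
QCOW_MAGIC = b"QFI\xfb"


def build_resize_cmd_unsafe(path, size_bytes):
    """Pre-fix pattern (hypothetical reconstruction, not nova's code): no -f
    option, so qemu-img probes the format from the file's own bytes. A guest
    that wrote a QCOW header to sector 0 of its raw root disk thereby decides
    what qemu-img thinks the file is."""
    return ["qemu-img", "resize", path, str(int(size_bytes))]


def build_resize_cmd(path, size_bytes, fmt="raw"):
    """Post-fix pattern: the caller passes the format it already knows. The
    Flat backend (use_cow_images=False) knows its disks are raw, so a QCOW
    header inside the file no longer changes how qemu-img treats it."""
    if fmt not in ("raw", "qcow2"):
        raise ValueError("unexpected image format: %r" % (fmt,))
    return ["qemu-img", "resize", "-f", fmt, path, str(int(size_bytes))]


def looks_like_qcow(path):
    """True if the first four bytes of the file are the QCOW magic."""
    with open(path, "rb") as f:
        return f.read(4) == QCOW_MAGIC


def audit_flat_instance_dirs(instances_dir, names=("disk", "disk.local", "disk.eph0")):
    """Walk instances_dir and return the disk files that carry a QCOW magic.
    Only meaningful on Flat-backend hosts, where every such file is expected
    to be raw; on a Qcow2-backend host a QCOW header is normal and this check
    would only produce false positives. The file names are assumed."""
    suspects = []
    for entry in sorted(os.listdir(instances_dir)):
        inst_dir = os.path.join(instances_dir, entry)
        if not os.path.isdir(inst_dir):
            continue
        for name in names:
            p = os.path.join(inst_dir, name)
            if os.path.isfile(p) and looks_like_qcow(p):
                suspects.append(p)
    return suspects


def demo():
    """Constructed sample data: a fake instances directory with one clean raw
    disk and one raw disk whose guest has written a QCOW header to sector 0."""
    root = tempfile.mkdtemp(prefix="nova-flat-audit-")
    clean = os.path.join(root, "11111111-aaaa-4bbb-8ccc-000000000001")
    tainted = os.path.join(root, "22222222-aaaa-4bbb-8ccc-000000000002")
    os.makedirs(clean)
    os.makedirs(tainted)
    with open(os.path.join(clean, "disk"), "wb") as f:
        f.write(b"\x00" * 4096)
    with open(os.path.join(tainted, "disk"), "wb") as f:
        # Guest-controlled sector 0: the QCOW magic followed by zero padding,
        # enough for a format probe to stop treating the file as raw.
        f.write(QCOW_MAGIC + b"\x00" * 4092)
    return root, audit_flat_instance_dirs(root)


if __name__ == "__main__":
    root, suspects = demo()
    print("flat-backend disks carrying a QCOW header:", suspects)
    size = 20 * 1024 ** 3
    print("unsafe:", " ".join(build_resize_cmd_unsafe(suspects[0], size)))
    print("fixed: ", " ".join(build_resize_cmd(suspects[0], size)))
```

The audit is a host-side check to run once on Flat-backend compute nodes before and after applying the update; a hit does not prove exploitation, since a guest may write anything to its own sector 0, but it identifies disks for which an unpatched resize would have been format-probed.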
--- Begin Message ---
Source: nova
Source-Version: 2:26.2.2-1~deb12u4
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated nova package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 06 Feb 2026 11:19:03 +0100
Source: nova
Architecture: source
Version: 2:26.2.2-1~deb12u4
Distribution: bookworm-security
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1128294
Changes:
nova (2:26.2.2-1~deb12u4) bookworm-security; urgency=high
.
* CVE-2026-24708/OSSA-2026-002: By writing a malicious QCOW header to a root
or ephemeral disk and then triggering a resize, a user may convince Nova's
flat image backend to call qemu-img without a format restriction resulting
in an unsafe image resize operation that could destroy data on the host
system. Applied upstream patch (Closes: #1128294):
- cve-2026-24708-make-disk.extend-pass-format-to-qemu-img-2024.2.patch
Checksums-Sha1:
ba59043699664761c2ef2db2295257ddd0c73cd5 5096 nova_26.2.2-1~deb12u4.dsc
a6796c58f74ec57267a33af7b0db4e63e6bfb552 6000800 nova_26.2.2.orig.tar.xz
869a7ded107c18cea5405a783966a02afda8d6b6 90292 nova_26.2.2-1~deb12u4.debian.tar.xz
c9fd117ee661720b661f81c408eb8a4c028d6426 23657 nova_26.2.2-1~deb12u4_amd64.buildinfo
Checksums-Sha256:
5cfb8905c68ea9f30650d78ecfe319d72c41b2826e4d18c6bc0e83e1e6ef6df6 5096 nova_26.2.2-1~deb12u4.dsc
d0fab415e15bfa70089b22e094d88ed3c7b66df0742bec52b4d9ff789e347571 6000800 nova_26.2.2.orig.tar.xz
422e158d60ecb353e5ec4f797d31152eb239a0a11bfd59c96bf4978e71aec93a 90292 nova_26.2.2-1~deb12u4.debian.tar.xz
6da4ee5c6683a754eeb679ff1f3208c29601762161caef0b026fe02bafbc0918 23657 nova_26.2.2-1~deb12u4_amd64.buildinfo
Files:
e6c7887705c1e2e0ee1bffd12f9da0a0 5096 net optional nova_26.2.2-1~deb12u4.dsc
fddc994a8d3d81c2c41a93eafad1ea29 6000800 net optional nova_26.2.2.orig.tar.xz
82f9764156d5840af570f3ba771a861a 90292 net optional nova_26.2.2-1~deb12u4.debian.tar.xz
f84f1945dfca74811920cd0f302b3612 23657 net optional nova_26.2.2-1~deb12u4_amd64.buildinfo
--- End Message ---