Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: python-os-br...@packages.debian.org
Control: affects -1 + src:python-os-brick

Dear release team,
Please unblock the packages python-os-brick, python-glance-store, cinder
and nova.

[ Reason ]
When using the LVM / iSCSI backend of Cinder, under some circumstances,
it may be possible for a user to access the data of another user's
volume. Glance, Cinder and Nova are affected, through the common library
python-os-brick (which is the glue between them).

The change adds a "force_disconnect" to the Cinder API, and checks
that users are allowed to destroy volume exports.

[ Impact ]
See CVE-2023-2088 (which I'm copying and pasting here):

**Accidental case:** If there is a problem with network connectivity
during a normal detach operation, OpenStack may fail to clean the
situation up properly. Instead of force-detaching the compute node
device, Nova ignores the error, assuming the instance has already
been deleted. Due to this incomplete operation OpenStack may end up
selecting the wrong multipath device when connecting another volume
to an instance.

**Intentional case:** A regular user can create an instance with a
volume, and then delete the volume attachment directly in Cinder,
which neglects to notify Nova. The compute node SCSI plumbing (over
iSCSI/FC) will continue trying to connect to the original
host/port/LUN, not knowing the attachment has been deleted. If a
subsequent volume attachment re-uses the host/port/LUN for a
different instance and volume, the original instance will gain
access to it once the SCSI plumbing reconnects.

[ Tests ]
Unit tests are run during package build, and with autopkgtest.
Upstream runs an extensive set of functional tests.

[ Risks ]
Considering the amount of testing in OpenStack, the risks are
always mitigated, and it should be safe from regressions.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Note that I've added a diff of the 4 packages in a tarball attached
to this message.

Please also note that I made a mistake in python-os-brick, using the
wrong CVE number (i.e. CVE-2023-30861 instead of CVE-2023-2088).
If you think I should re-upload to fix only that, please let me know.

Cheers,

Thomas Goirand (zigo)

unblock python-os-brick/6.1.0-3
python-glance-store/4.1.0-4
nova/2:26.1.0-4
cinder/2:21.1.0-3

Attachment: all-diff.tar.gz
Description: application/gzip