Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-glance-st...@packages.debian.org
Control: affects -1 + src:python-glance-store
[ Reason ]
I would like to update python-glance-store/4.1.0-4 to
python-glance-store/4.1.1-1+deb12u1 to address CVE-2024-1141
(aka: #1063795).
[ Impact ]
S3 credentials may otherwise continue to be logged in glance's
log if loglevel is set to DEBUG.
[ Tests ]
The package contains and runs unit tests at build time, plus
autopkgtest. Upstream runs extensive functional tests, and
so do I, doing a full OpenStack deployment with this package.
No regression has been found.
[ Risks ]
Minimum. Only the S3 backend is impacted.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The point release announcement was published last year:
https://lists.openstack.org/archives/list/release-annou...@lists.openstack.org/thread/PY26MG7DBD4UVJDEXWMSIM4TGS52F4VX/
It can be broken down this way:
e9d2509 Add force to os-brick disconnect
3d3467d Fix tox4 error
8034cdc Update TOX_CONSTRAINTS_FILE for stable/zed
c05c7e5 Update .gitreview for stable/zed
Let me explain the commits. e9d2509 contains the fix for CVE-2023-2088
that was already in Bookworm, and that I'm therefore dropping. The
other 3 commits are to address internal OpenStack CI and Git infra, and
are not code changes. They can therefore be ignored.
So really, this update only contains the fix for CVE-2024-1141 and
nothing else, even though the upstream version bumps.
Last thing: I rewrote the patch header this way (not shown in the
attached debdiff, as I fired up reportbug -b before realizing the
patch header needed some edits):
Author: lujie
Date: Fri, 19 Jan 2024 13:12:20 +0800
Description: CVE-2024-1141: Do not show access_key in s3 driver
Avoid possible leakage of s3 access keys by not including them in log
messages.
.
This patch includes commit d6e531af4821c8466b1e9404f12f89f6216417f2
(change I8dc564bed33d6fc71965f4f573ae9109b410b1d4), which addressed
some more log messages that the original patch had missed.
.
The two commits are squashed here for ease in backporting (and also
to make sure that *both* are always backported).
Change-Id: I9193df38d613259b61bb369fa1040fb2c51a21d7
Origin: upstream, https://review.opendev.org/c/openstack/glance_store/+/907736
Bug: https://launchpad.net/bugs/2047688
Bug-Debian: https://bugs.debian.org/1063795
Last-Update: 2024-05-08
Please allow me to upload python-glance-store to Bookworm for the
next point release.
Cheers,
Thomas Goirand (zigo)
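The [ Impact ] section above describes the defect class CVE-2024-1141 belongs to: a backend dumps its configuration at DEBUG level and the S3 access key goes into the log file with it. The following is an added example, not glance_store's code and not the Debian patch; the configuration keys, the fake credential values and the logger name are constructed for illustration. It shows the leaking pattern next to two layers of mitigation: redacting the configuration before it is logged, and a logging.Filter that masks known secret values in case a later DEBUG statement forgets to.

```python
"""Keeping S3 credentials out of DEBUG logs: leaky pattern vs. redaction.

Added example; nothing here is glance_store's own code. Config keys,
credential values and the logger name are constructed for illustration.
"""
import logging
from io import StringIO

# Constructed sample backend configuration. The key values are fake.
S3_CONF = {
    "s3_store_host": "https://s3.example.invalid",
    "s3_store_bucket": "glance-images",
    "s3_store_access_key": "AKIAFAKEFAKEFAKEFAKE",
    "s3_store_secret_key": "FakeSecretKeyValueForTheExampleOnly000000",
}

# Substrings that mark a config key as holding a credential (assumption).
SENSITIVE_KEYS = ("access_key", "secret_key", "password", "token")


def redact_conf(conf: dict) -> dict:
    """Return a copy that is safe to log: credential-bearing keys are
    masked, keeping only the last 4 characters so an operator can still
    tell which key is configured without recovering it from the log."""
    out = {}
    for key, value in conf.items():
        if any(s in key for s in SENSITIVE_KEYS) and isinstance(value, str):
            out[key] = "***" if len(value) <= 4 else "***" + value[-4:]
        else:
            out[key] = value
    return out


class CredentialFilter(logging.Filter):
    """Defence in depth: masks known secret values in the rendered message,
    so a DEBUG call that logs the raw config does not ship the secret."""

    def __init__(self, secrets):
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def filter(self, record):
        msg = record.getMessage()          # render %-args first
        for secret in self._secrets:
            msg = msg.replace(secret, "***REDACTED***")
        record.msg, record.args = msg, ()  # store the masked text
        return True


def build_logger(conf: dict):
    """Logger at DEBUG level writing to an in-memory buffer so callers can
    inspect exactly what would have reached the log file."""
    buf = StringIO()
    logger = logging.getLogger("s3_example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(CredentialFilter([conf.get("s3_store_access_key"),
                                        conf.get("s3_store_secret_key")]))
    logger.addHandler(handler)
    return logger, buf


def log_config_unsafe(conf: dict) -> str:
    """The vulnerable pattern: whole config logged at DEBUG, no masking."""
    logger, buf = build_logger({})         # filter knows no secrets
    logger.debug("s3 store config: %s", conf)
    return buf.getvalue()


def log_config_redacted(conf: dict) -> str:
    """Fix 1: redact before the log call (what the upstream patch does)."""
    logger, buf = build_logger({})
    logger.debug("s3 store config: %s", redact_conf(conf))
    return buf.getvalue()


def log_config_filtered(conf: dict) -> str:
    """Fix 2: a forgotten raw log call is still caught by the filter."""
    logger, buf = build_logger(conf)
    logger.debug("s3 store config: %s", conf)
    return buf.getvalue()


def leaks_credentials(log_text: str, conf: dict) -> bool:
    """True if any credential value from conf appears verbatim in the log."""
    return any(conf[k] in log_text for k in conf
               if any(s in k for s in SENSITIVE_KEYS))


if __name__ == "__main__":
    for fn in (log_config_unsafe, log_config_redacted, log_config_filtered):
        text = fn(S3_CONF)
        print(fn.__name__, "leaks" if leaks_credentials(text, S3_CONF) else "clean")
```

The redaction step is the real fix: a secret that never enters a log call cannot be written out. The filter is a backstop for drivers that build log strings in many places, which is exactly why the upstream fix had to be followed by a second commit covering messages the first one missed; the check at the end is the kind of assertion a unit test for the backend should carry.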
diff -Nru python-glance-store-4.1.0/debian/changelog
python-glance-store-4.1.1/debian/changelog
--- python-glance-store-4.1.0/debian/changelog 2023-05-12 08:52:34.0
+0200
+++ python-glance-store-4.1.1/debian/changelog 2023-09-01 15:10:49.0
+0200
@@ -1,3 +1,13 @@
+python-glance-store (4.1.1-1+deb12u1) bookworm; urgency=medium
+
+ * New upstream release.
+ * Drop CVE-2023-2088_Add_force_to_os-brick_disconnect.patch applied
+upstream.
+ * CVE-2024-1141: Glance Store access key logged in DEBUG log level. Add
+upstream patch: Do not show access_key in s3 driver (Closes: #1063795).
+
+ -- Thomas Goirand Fri, 01 Sep 2023 15:10:49 +0200
+
python-glance-store (4.1.0-4) unstable; urgency=medium
* CVE-2023-2088: Unauthorized volume access through deleted volume
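Review bot: the changelog stamp `-- Thomas Goirand Fri, 01 Sep 2023 15:10:49 +0200` on the new 4.1.1-1+deb12u1 entry predates the CVE-2024-1141 fix it records (the upstream commit in the patch header is dated 19 Jan 2024 and the patch's Last-Update is 2024-05-08), so it looks carried over from the 4.1.1-1 unstable upload; regenerate the date before uploading. It would also help the stable release team if the "New upstream release." line said what the cover letter says, namely that 4.1.1 adds only the already-applied CVE-2023-2088 fix plus CI and .gitreview changes, so the version bump is justified from the changelog alone.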
diff -Nru
python-glance-store-4.1.0/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
python-glance-store-4.1.1/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
---
python-glance-store-4.1.0/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
2023-05-12 08:52:34.0 +0200
+++
python-glance-store-4.1.1/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
1970-01-01 01:00:00.0 +0100
@@ -1,94 +0,0 @@
-Author: Brian Rosmaita
-Date: Tue, 18 Apr 2023 11:22:27 -0400
-Description: CVE-2023-2088: Add force to os-brick disconnect
- In order to be sure that devices are being removed from the host,
- we should be using the 'force' parameter with os-brick's
- disconnect_volume() method.
-Bug: https://launchpad.net/bugs/2004555
-Change-Id: I63d09ad9ef465bc154c85a9ea125449c039d1b90
-Bug-Debian: https://bugs.debian.org/1035978
-Origin: upstream, https://review.opendev.org/c/openstack/glance_store/+/882853
-Last-Update: 2023-05-12
-
-diff --git a/glance_store/_drivers/cinder.py b/glance_store/_drivers/cinder.py
-index 3509348..7405b7a 100644
a/glance_store/_drivers/cinder.py
-+++ b/glance_store/_drivers/cinder.py
-@@ -831,7 +831,10 @@
- client, attachment.id, volume_id, host, conn,
- connection_info, device)
- else:
--
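Review bot: the debdiff is cut off part way through this hunk (the last visible line is a bare `--`), so the deletion of CVE-2023-2088_Add_force_to_os-brick_disconnect.patch (94 lines to 0; the 1970-01-01 timestamp on the `+++` line confirms the file no longer exists in 4.1.1) cannot be checked line by line from what is shown. Since the cover letter justifies the drop by e9d2509 being in 4.1.1, the reviewer should confirm in the 4.1.1 source that `glance_store/_drivers/cinder.py` passes the `force` parameter to `disconnect_volume()` as the dropped patch did, rather than relying on the patch header alone.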