Bug#1034875: marked as done (kitty: Should not handle application/x-sh mime type by executing the script)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Sat, 13 May 2023 02:33:57 +
with message-id 
and subject line Bug#1034875: fixed in kitty 0.26.5-5
has caused the Debian Bug report #1034875,
regarding kitty: Should not handle application/x-sh mime type by executing the script
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1034875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034875
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kitty
Version: 0.26.5-4
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team 

Hello,

I was reading https://lists.debian.org/20230425190728.ga1471...@subdivi.de
in mutt and that mail contains 3 shell scripts as attachments
(application/x-sh). I wanted to have a look at the scripts and thus I
"opened" those attachments... that open operation has been handled by
Kitty due to its MimeType declaration in
/usr/share/applications/kitty-open.desktop [1] and the shell script has
thus been fed to "kitty +open 

Processed: Bug#1034875 marked as pending in kitty

2023-05-12 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #1034875 [kitty] kitty: Should not handle application/x-sh mime type by executing the script
Added tag(s) pending.

-- 
1034875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034875



Bug#1034875: marked as pending in kitty

2023-05-12 Thread James McCoy
Control: tag -1 pending

Hello,

Bug #1034875 in kitty reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/kitty/-/commit/b66f1fdd1774d353b9cd10946410b293f2eb0124


Ship kitty-open.desktop as an example

The desktop file registers itself as a handler for application/sh (and
related) mimetypes.  When it has priority in the mime database, this
will *execute* rather than *view* the file.

Even if those mimetypes were removed, there are also text/* mimetypes
that can be executed.

Since this is unexpected, and potentially dangerous (running
shell scripts when they were intended to be viewed), stop installing the
desktop file.

Instead, provide it as an example and describe how to enable, as well as
the caveats, in README.Debian.

Newer kitty versions will support[0] prompting the user before executing
executable files, but that can't be easily backported to the Python
version of the kitten.

[0]: https://github.com/kovidgoyal/kitty/commit/537cabca710f64b838d3b8b1dc986db596fb29d4

Closes: #1034875
Signed-off-by: James McCoy 


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1034875
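As an added example, not code from the bug report, the kitty project or the Debian package: a small audit of which .desktop handlers would be picked for a MIME type, following the mime-apps lookup order the commit message relies on (a user default in mimeapps.list beats an added association, which beats any desktop file whose MimeType= claims the type), together with the mitigation of pinning a viewer as the default. The desktop files and mimeapps.list contents are constructed samples shaped like the kitty-open.desktop entry described above; treating a text/* glob as matching every text type is an assumption made to show the worst case.

```python
import fnmatch
from configparser import ConfigParser

# Constructed samples (not copies of the files shipped by Debian or kitty),
# shaped like the kitty-open.desktop entry the bug report describes: it
# claims application/x-sh and related types plus a text/* glob, and its
# Exec line hands the file to "kitty +open", which runs executable files
# instead of viewing them.
DESKTOP_FILES = {
    "kitty-open.desktop": (
        "[Desktop Entry]\n"
        "Type=Application\n"
        "Name=kitty URL Launcher\n"
        "Exec=kitty +open %U\n"
        "MimeType=application/x-sh;application/x-shellscript;text/*;\n"
    ),
    "org.gnome.gedit.desktop": (
        "[Desktop Entry]\n"
        "Type=Application\n"
        "Name=Text Editor\n"
        "Exec=gedit %U\n"
        "MimeType=text/plain;\n"
    ),
}

# Constructed user mimeapps.list with a default only for text/plain.
MIMEAPPS_LIST = "[Default Applications]\ntext/plain=org.gnome.gedit.desktop\n"


def parse_ini(text):
    """Parse a desktop file or mimeapps.list. Keys are case-sensitive and
    values such as 'kitty +open %U' must not be %-interpolated."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def split_list(value):
    """Desktop-file list values are ';'-separated, usually with a trailing ';'."""
    return [item for item in value.split(";") if item]


def claimed_types(desktop_text):
    """Return (exec_line, [mime patterns]) declared by a .desktop file."""
    entry = parse_ini(desktop_text)["Desktop Entry"]
    return entry.get("Exec", ""), split_list(entry.get("MimeType", ""))


def resolve_handlers(mime, desktop_files=DESKTOP_FILES, mimeapps=MIMEAPPS_LIST):
    """Desktop ids that would be offered for `mime`, most preferred first.

    Order: [Default Applications], then [Added Associations], then every
    desktop file whose MimeType= claims the type; [Removed Associations]
    are excluded. Assumption: a glob such as text/* matches (worst case).
    Each result is (desktop_id, exec_line, reason).
    """
    apps = parse_ini(mimeapps)
    removed = set()
    if apps.has_section("Removed Associations"):
        removed.update(split_list(apps["Removed Associations"].get(mime, "")))
    ordered = []

    def add(desktop_id, reason):
        if desktop_id in removed or desktop_id not in desktop_files:
            return
        if any(d == desktop_id for d, _, _ in ordered):
            return
        exec_line, _ = claimed_types(desktop_files[desktop_id])
        ordered.append((desktop_id, exec_line, reason))

    for section in ("Default Applications", "Added Associations"):
        if apps.has_section(section):
            for desktop_id in split_list(apps[section].get(mime, "")):
                add(desktop_id, section)
    for desktop_id, text in desktop_files.items():
        _, patterns = claimed_types(text)
        for pattern in patterns:
            if fnmatch.fnmatchcase(mime, pattern):
                add(desktop_id, f"MimeType={pattern}")
                break
    return ordered


def pin_default(mimeapps, mime, desktop_id):
    """Mitigation: pin a viewer as the default for `mime` so a handler that
    would execute the file is never chosen first. Returns new mimeapps text."""
    apps = parse_ini(mimeapps)
    if not apps.has_section("Default Applications"):
        apps.add_section("Default Applications")
    apps["Default Applications"][mime] = desktop_id
    lines = []
    for section in apps.sections():
        lines.append(f"[{section}]")
        lines.extend(f"{k}={v}" for k, v in apps[section].items())
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for mime in ("application/x-sh", "text/x-shellscript", "text/plain"):
        for desktop_id, exec_line, reason in resolve_handlers(mime):
            print(f"{mime}: {desktop_id} ({exec_line}) via {reason}")
    pinned = pin_default(MIMEAPPS_LIST, "application/x-sh", "org.gnome.gedit.desktop")
    print("after pinning:", [d for d, _, _ in resolve_handlers("application/x-sh", mimeapps=pinned)])
```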



Bug#1030284: nodejs: [arm64] RangeError: Maximum call stack size exceeded

2023-05-12 Thread Thorsten Glaser
James Addison dixit:

>I'm going to stay involved with this thread, but I think that it is
>upon you to develop or provide further guidance towards a patch if
>it's something you'd like to have implemented, Thorsten.

I actually have looked into that but I don’t understand the nodejs
and v8 source code enough to be able. I know C, but not CFrustFrust.
I would rather prefer asm…

bye,
//mirabilos
-- 
When he found out that the m68k port was in a pretty bad shape, he did
not, like many before him, shrug and move on; instead, he took it upon
himself to start compiling things, just so he could compile his shell.
How's that for dedication. -- Wouter, about my Debian/m68k revival



Bug#1030284: nodejs: [arm64] RangeError: Maximum call stack size exceeded

2023-05-12 Thread James Addison
On Fri, 12 May 2023 at 23:23, James Addison  wrote:
>
> On Fri, 12 May 2023 at 16:54, Thorsten Glaser  wrote:
> >
> > Yes, but given the usual ulimit, the new limit would be 4+ times
> > the old one, much much harder to reach.
>
> That does sound promising.
>
> I've followed up on this discussion with the relevant upstream NodeJS
> thread, and beyond there to the relevant V8 discussion group.  My
> sense from those, and given my own experience building NodeJS is that
> I don't feel an rlimit patch is straightforward or worthwhile -
> although it's possible that I didn't accurately understand or
> communicate the context.
>
> I'm going to stay involved with this thread, but I think that it is
> upon you to develop or provide further guidance towards a patch if
> it's something you'd like to have implemented, Thorsten.

Maybe my tone was unclear, but I'm not hugely keen to provide more
effort on this -- despite being interested -- because I feel like I've
been running errands to try to find a good path through, when in fact
I don't really understand the nature of the problem, nor am I likely
to benefit much from it.  But if improvement is possible, I'll do what
I can.

That said: perhaps it could be useful if someone could check whether
the following commit is relevant to this:
https://github.com/libuv/libuv/commit/18c7530a75d813801f819caae4dff47fc4a1d4a1



Bug#1035841: fixed in amavisd-new 1:2.13.0-3

2023-05-12 Thread Brian May
Johannes Schauer Marin Rodrigues  writes:

> thank you! Would you like me to take care of filing the unblock request with
> release.debian.org or would you like to take care of that yourself?

Can you please do this?

Thanks
-- 
Brian May @ Debian



Bug#1030284: nodejs: [arm64] RangeError: Maximum call stack size exceeded

2023-05-12 Thread James Addison
On Fri, 12 May 2023 at 16:54, Thorsten Glaser  wrote:
>
> Yes, but given the usual ulimit, the new limit would be 4+ times
> the old one, much much harder to reach.

That does sound promising.

I've followed up on this discussion with the relevant upstream NodeJS
thread, and beyond there to the relevant V8 discussion group.  My
sense from those, and given my own experience building NodeJS is that
I don't feel an rlimit patch is straightforward or worthwhile -
although it's possible that I didn't accurately understand or
communicate the context.

I'm going to stay involved with this thread, but I think that it is
upon you to develop or provide further guidance towards a patch if
it's something you'd like to have implemented, Thorsten.



Bug#1033836: marked as done (postgresql-mysql-fdw: autopkgtest regression: expected output changed)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 21:18:49 +
with message-id 
and subject line Bug#1033836: fixed in postgresql-mysql-fdw 2.9.0-1
has caused the Debian Bug report #1033836,
regarding postgresql-mysql-fdw: autopkgtest regression: expected output changed
to be marked as done.



-- 
1033836: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033836
--- Begin Message ---

Source: postgresql-mysql-fdw
Version: 2.8.0-3
Severity: serious
Control: tags -1 bookworm-ignore
User: debian...@lists.debian.org
Usertags: regression

Dear maintainer(s),

Your package has an autopkgtest, great. However, it has been failing since
December 2022. Can you please investigate the situation and fix it? I copied
some of the output at the bottom of this report.


The release team has announced [1] that failing autopkgtests on amd64 and
arm64 are considered RC in testing. [Release Team member hat on] Because
we're currently in the hard freeze for bookworm, I have marked this bug
as bookworm-ignore. Targeted fixes are still welcome.


More information about this bug and the reason for filing it can be 
found on 
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation


Paul

[1] https://lists.debian.org/debian-devel-announce/2019/07/msg2.html

https://ci.debian.net/data/autopkgtest/testing/amd64/p/postgresql-mysql-fdw/32436088/log.gz

 regression.diffs 
diff -U3 
/tmp/autopkgtest-lxc.bpuoqtzm/downtmp/build.8FT/src/expected/dml.out 
/tmp/autopkgtest-lxc.bpuoqtzm/downtmp/build.8FT/src/results/dml.out
--- /tmp/autopkgtest-lxc.bpuoqtzm/downtmp/build.8FT/src/expected/dml.out 
2022-05-16 06:15:40.0 +
+++ /tmp/autopkgtest-lxc.bpuoqtzm/downtmp/build.8FT/src/results/dml.out 
2023-03-27 01:10:40.554906706 +

@@ -92,7 +92,7 @@
 $$
 LANGUAGE plpgsql;
 NOTICE:  failed to execute the MySQL query:
-Unknown database 'public'
+SELECT command denied to user 'edb'@'localhost' for table 
`public`.`student`

 -- Check with the same table name from different database. fdw126_ft3 is
 -- pointing to the mysql_fdw_regress1.numbers and not 
mysql_fdw_regress.numbers
 -- table.  INSERT/UPDATE/DELETE should be failing.  SELECT will return 
no rows.
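Review bot: the only change in this hunk is the server error echoed after "NOTICE:  failed to execute the MySQL query:", from "Unknown database 'public'" to "SELECT command denied to user 'edb'@'localhost' for table `public`.`student`". That is a change in the wording the MySQL server returns for the same rejected statement, not in the FDW code under test, so the fix belongs in the expected output (expected/dml.out) rather than in the extension; the 2.9.0-1 changelog entry "Adjust tests for changed mysql error messages" is that fix. Asserting only on the NOTICE line, or normalising server messages in the test, would stop the next server wording change from failing the suite again.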

### End 15 installcheck (FAILED with exit code 1) ###


--- End Message ---
--- Begin Message ---
Source: postgresql-mysql-fdw
Source-Version: 2.9.0-1
Done: Christoph Berg 

We believe that the bug you reported is fixed in the latest version of
postgresql-mysql-fdw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Berg  (supplier of updated postgresql-mysql-fdw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 12 May 2023 22:40:06 +0200
Source: postgresql-mysql-fdw
Architecture: source
Version: 2.9.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers 
Changed-By: Christoph Berg 
Closes: 1033836
Changes:
 postgresql-mysql-fdw (2.9.0-1) experimental; urgency=medium
 .
   * New upstream version 2.9.0.
   * Skip tests when mysql schema can't be loaded. (It's incompatible with
 mariadb now.)
   * Adjust tests for changed mysql error messages. (Closes: #1033836)
   * Remove pushdown test with varying output on PG11.

Bug#1035430: marked as done (libgmsh-private-headers-dev: missing copyright file (policy 12.5))

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 21:05:18 +
with message-id 
and subject line Bug#1035430: fixed in gmsh 4.8.4+ds2-3
has caused the Debian Bug report #1035430,
regarding libgmsh-private-headers-dev: missing copyright file (policy 12.5)
to be marked as done.



-- 
1035430: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035430
--- Begin Message ---
Package: libgmsh-private-headers-dev
Version: 4.8.4+ds2-2
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

a test with piuparts revealed that your package misses the copyright
file, which is a violation of Policy 12.5:
https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information

From the attached log (scroll to the bottom...):

  MISSING COPYRIGHT FILE: /usr/share/doc/libgmsh-private-headers-dev/copyright
  # ls -lad /usr/share/doc/libgmsh-private-headers-dev
  drwxr-xr-x 2 root root 100 May  1 12:26 /usr/share/doc/libgmsh-private-headers-dev
  # ls -la /usr/share/doc/libgmsh-private-headers-dev/
  total 28
  drwxr-xr-x   2 root root   100 May  1 12:26 .
  drwxr-xr-x 190 root root  3860 May  1 12:26 ..
  -rw-r--r--   1 root root   228 Oct 22  2022 changelog.Debian.amd64.gz
  -rw-r--r--   1 root root  1700 Oct 22  2022 changelog.Debian.gz
  -rw-r--r--   1 root root 17796 Apr 28  2021 changelog.gz

cheers,

Andreas


libgmsh-private-headers-dev_4.8.4+ds2-2+b3.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: gmsh
Source-Version: 4.8.4+ds2-3
Done: Anton Gladky 

We believe that the bug you reported is fixed in the latest version of
gmsh, which is due to be installed in the Debian FTP archive.


Debian distribution maintenance software
pp.
Anton Gladky  (supplier of updated gmsh package)



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 12 May 2023 22:37:40 +0200
Source: gmsh
Architecture: source
Version: 4.8.4+ds2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers 

Changed-By: Anton Gladky 
Closes: 1035430
Changes:
 gmsh (4.8.4+ds2-3) unstable; urgency=medium
 .
   * [c8b0031] Skip reprotest in CI.
   * [7106608] Add copyright file to libgmsh-private-headers-dev.
   (Closes: #1035430)
--- End Message ---


Bug#1035886: marked as done (libopencv-core406: please add Breaks: libopencv-core4.5 (<< 4.6))

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 20:35:25 +
with message-id 
and subject line Bug#1035886: fixed in opencv 4.6.0+dfsg-12
has caused the Debian Bug report #1035886,
regarding libopencv-core406: please add Breaks: libopencv-core4.5 (<< 4.6)
to be marked as done.



-- 
1035886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035886
--- Begin Message ---
Package: libopencv-core406
Version: 4.6.0+dfsg-11
Severity: serious
Tags: patch
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

while analyzing piuparts bullseye -> bookworm upgrade logs I found
several cases where apt chose a suboptimal solution that involved
keeping some upgradable package at the bullseye version in order to keep
some obsolete library from bullseye installed.
Many of these problematic upgrade paths involve packages from src:opencv
and src:onetbb where the library stacks from bullseye and bookworm are
not co-installable due to long transitive dependency chains.
We can easily hint apt into doing the right thing by adding Breaks
against the highest scoring package from the old library stack to the
highest scoring library from the new library stack, in this case
these are libopencv-core406 in bookworm and libopencv-core4.5 in
bullseye.
Please consider applying the attached patch.


Andreas

PS: a similar change is needed for src:onetbb

PPS: for the curious: apt problemresolver debug output from a randomly
selected opencv binary package (may not be the best example)

...
  Starting 2 pkgProblemResolver with broken count: 2
  Investigating (0) libtbbmalloc2:amd64 < none -> 2021.8.0-1 @un uN Ib >
  Broken libtbbmalloc2:amd64 Breaks on libtbb2:amd64 < 2020.3-1 @ii mK > (< 2020.3-1ubuntu2)
    Considering libtbb2:amd64 2 as a solution to libtbbmalloc2:amd64 1
    Holding Back libtbbmalloc2:amd64 rather than change libtbb2:amd64
  Investigating (0) libsemanage1:amd64 < 3.1-1+b2 @ii mK Ib >
  Broken libsemanage1:amd64 Depends on libsemanage-common:amd64 < 3.1-1 -> 3.4-1 @ii umU > (= 3.1-1)
    Considering libsemanage-common:amd64 1 as a solution to libsemanage1:amd64 -2
    Removing libsemanage1:amd64 rather than change libsemanage-common:amd64
  Investigating (1) libtbb12:amd64 < none -> 2021.8.0-1 @un uN Ib >
  Broken libtbb12:amd64 Depends on libtbbmalloc2:amd64 < none | 2021.8.0-1 @un uH > (= 2021.8.0-1)
    Considering libtbbmalloc2:amd64 1 as a solution to libtbb12:amd64 8
    Holding Back libtbb12:amd64 rather than change libtbbmalloc2:amd64
  Investigating (1) libtbb-dev:amd64 < 2020.3-1 -> 2021.8.0-1 @ii umU Ib >
  Broken libtbb-dev:amd64 Depends on libtbb12:amd64 < none | 2021.8.0-1 @un uH > (= 2021.8.0-1)
    Considering libtbb12:amd64 8 as a solution to libtbb-dev:amd64 2
    Holding Back libtbb-dev:amd64 rather than change libtbb12:amd64
  Investigating (2) libopencv-core406:amd64 < none -> 4.6.0+dfsg-11 @un uN Ib >
  Broken libopencv-core406:amd64 Depends on libtbb12:amd64 < none | 2021.8.0-1 @un uH > (>= 2021.4.0)
    Considering libtbb12:amd64 8 as a solution to libopencv-core406:amd64 12
    Holding Back libopencv-core406:amd64 rather than change libtbb12:amd64
  Investigating (2) libopencv-imgproc406:amd64 < none -> 4.6.0+dfsg-11 @un uN Ib >
  Broken libopencv-imgproc406:amd64 Depends on libopencv-core406:amd64 < none | 4.6.0+dfsg-11 @un uH > (>= 4.6.0+dfsg)
    Considering libopencv-core406:amd64 12 as a solution to libopencv-imgproc406:amd64 5
    Holding Back libopencv-imgproc406:amd64 rather than change libopencv-core406:amd64
  Investigating (2) libopencv-core-dev:amd64 < 4.5.1+dfsg-5 -> 4.6.0+dfsg-11 @ii umU Ib >
  Broken libopencv-core-dev:amd64 Depends on libopencv-core406:amd64 < none | 4.6.0+dfsg-11 @un uH > (= 4.6.0+dfsg-11)
    Considering libopencv-core406:amd64 12 as a solution to libopencv-core-dev:amd64 2
    Holding Back libopencv-core-dev:amd64 rather than change libopencv-core406:amd64
  Try to Re-Instate (2) libtbb-dev:amd64
  Investigating (2) libopencv-imgproc-dev:amd64 < 4.5.1+dfsg-5 -> 4.6.0+dfsg-11 @ii umU Ib >
  Broken libopencv-imgproc-dev:amd64 Depends on libopencv-core-dev:amd64 < 4.5.1+dfsg-5 | 4.6.0+dfsg-11 @ii umH > (= 4.6.0+dfsg-11)
    Considering libopencv-core-dev:amd64 2 as a solution to libopencv-imgproc-dev:amd64 1
    Holding Back libopencv-imgproc-dev:amd64 rather than change libopencv-core-dev:amd64
  Investigating (2) libopencv-flann406:amd64 < none -> 4.6.0+dfsg-11 @un uN Ib >
  Broken libopencv-flann406:amd64 Depends on libopencv-core406:amd64 < none | 4.6.0+dfsg-11 @un uH > (>= 4.6.0

Bug#1035962: closing 1035962, closing 1035962

2023-05-12 Thread Salvatore Bonaccorso
close 1035962 4.1.0-4
close 1035962 4.3.0-2
close 1035981 2:27.0.0-3
notfixed 1035978 2:27.0.0-3
thanks



Processed: closing 1035962, closing 1035962

2023-05-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> close 1035962 4.1.0-4
Bug #1035962 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted 
volume attachments
Bug #1035978 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088: Unauthorized volume access through deleted volume attachments
Marked as fixed in versions python-glance-store/4.1.0-4.
Marked as fixed in versions python-glance-store/4.1.0-4.
Bug #1035962 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted 
volume attachments
Bug #1035978 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088: Unauthorized volume access through deleted volume attachments
Bug 1035962 is already marked as done; not doing anything.
> close 1035962 4.3.0-2
Bug #1035962 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted 
volume attachments
Bug #1035978 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088: Unauthorized volume access through deleted volume attachments
Marked as fixed in versions python-glance-store/4.3.0-2.
Marked as fixed in versions python-glance-store/4.3.0-2.
Bug #1035962 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted 
volume attachments
Bug #1035978 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088: Unauthorized volume access through deleted volume attachments
Bug 1035962 is already marked as done; not doing anything.
> close 1035981 2:27.0.0-3
Bug #1035981 {Done: Thomas Goirand } [src:nova] CVE-2023-2088 
/ OSSA-2023-003: Unauthorized volume access through deleted volume attachments
Bug #1035963 {Done: Thomas Goirand } [src:nova] CVE-2023-2088 
/ OSSA-2023-003: Unauthorized volume access through deleted volume attachments
The source 'nova' and version '2:27.0.0-3' do not appear to match any binary 
packages
Marked as fixed in versions nova/2:27.0.0-3.
Marked as fixed in versions nova/2:27.0.0-3.
Bug #1035981 {Done: Thomas Goirand } [src:nova] CVE-2023-2088 
/ OSSA-2023-003: Unauthorized volume access through deleted volume attachments
Bug #1035963 {Done: Thomas Goirand } [src:nova] CVE-2023-2088 
/ OSSA-2023-003: Unauthorized volume access through deleted volume attachments
Bug 1035981 is already marked as done; not doing anything.
> notfixed 1035978 2:27.0.0-3
Bug #1035978 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088: Unauthorized volume access through deleted volume attachments
Bug #1035962 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted 
volume attachments
The source 'python-glance-store' and version '2:27.0.0-3' do not appear to 
match any binary packages
Ignoring request to alter fixed versions of bug #1035978 to the same values 
previously set
Ignoring request to alter fixed versions of bug #1035962 to the same values 
previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1035962: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035962
1035963: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035963
1035978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035978
1035981: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035981



Bug#1034824: tomcat9 should not be released with Bookworm

2023-05-12 Thread Paul Gevers

Hi Markus,

Thanks for the reply and sorry for my somewhat grumpy mail yesterday. I was
tired and surprised.


On 11-05-2023 23:31, Markus Koschany wrote:

[...] (all good reply).

I'll check on Sunday on the proposal, unless somebody beats me to it. I 
don't have time before then.


Paul




Bug#1035456: marked as done (libsrpc-dev: missing Depends: libsrpc0 (= ${binary:Version}))

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 17:49:17 +
with message-id 
and subject line Bug#1035456: fixed in srpc 0.9.8-1.1
has caused the Debian Bug report #1035456,
regarding libsrpc-dev: missing Depends: libsrpc0 (= ${binary:Version})
to be marked as done.



-- 
1035456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035456
--- Begin Message ---
Package: libsrpc-dev
Version: 0.9.8-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

0m20.5s ERROR: FAIL: Broken symlinks:
  /usr/lib/x86_64-linux-gnu/libsrpc.so -> libsrpc.so.0 (libsrpc-dev:amd64)


cheers,

Andreas
--- End Message ---
--- Begin Message ---
Source: srpc
Source-Version: 0.9.8-1.1
Done: Bastian Germann 

We believe that the bug you reported is fixed in the latest version of
srpc, which is due to be installed in the Debian FTP archive.


Debian distribution maintenance software
pp.
Bastian Germann  (supplier of updated srpc package)



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 12 May 2023 19:39:47 +0200
Source: srpc
Architecture: source
Version: 0.9.8-1.1
Distribution: unstable
Urgency: medium
Maintainer: Lance Lin 
Changed-By: Bastian Germann 
Closes: 1035456
Changes:
 srpc (0.9.8-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload
   * libsrpc-dev: Add missing Depends (Closes: #1035456)
--- End Message ---


Bug#1035453: marked as done (libmygui-dev: missing Depends: libmygui.opengl3platform0debian1v5 (= ${binary:Version}))

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 17:49:00 +
with message-id 
and subject line Bug#1035453: fixed in mygui 3.4.1+dfsg-3
has caused the Debian Bug report #1035453,
regarding libmygui-dev: missing Depends: libmygui.opengl3platform0debian1v5 (= 
${binary:Version})
to be marked as done.



-- 
1035453: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035453
--- Begin Message ---
Package: libmygui-dev
Version: 3.4.1+dfsg-2
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

0m23.2s ERROR: FAIL: Broken symlinks:
  /usr/lib/x86_64-linux-gnu/libMyGUI.OpenGL3Platform.so -> libMyGUI.OpenGL3Platform.so.0debian1 (libmygui-dev)


cheers,

Andreas
--- End Message ---
--- Begin Message ---
Source: mygui
Source-Version: 3.4.1+dfsg-3
Done: Bastian Germann 

We believe that the bug you reported is fixed in the latest version of
mygui, which is due to be installed in the Debian FTP archive.


Debian distribution maintenance software
pp.
Bastian Germann  (supplier of updated mygui package)



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 12 May 2023 19:29:44 +0200
Source: mygui
Architecture: source
Version: 3.4.1+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team 
Changed-By: Bastian Germann 
Closes: 1035453
Changes:
 mygui (3.4.1+dfsg-3) unstable; urgency=medium
 .
   * Team upload
   * libmygui-dev: Add missing Depends (Closes: #1035453)
--- End Message ---


Bug#1035603: marked as done (mpdscribble: prompting due to modified conffiles which were not modified by the user: /etc/mpdscribble.conf)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 17:33:49 +
with message-id 
and subject line Bug#1035603: fixed in mpdscribble 0.24-3
has caused the Debian Bug report #1035603,
regarding mpdscribble: prompting due to modified conffiles which were not 
modified by the user: /etc/mpdscribble.conf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035603: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035603
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mpdscribble
Version: 0.24-2
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package failed the piuparts
upgrade test because dpkg detected a conffile as being modified and then
prompted the user for an action. As there is no user input, this fails.
But this is not the real problem, the real problem is that this prompt
shows up in the first place, as there was nobody modifying this conffile
at all, the package has just been installed and upgraded...

This is a violation of policy 10.7.3, see
https://www.debian.org/doc/debian-policy/ch-files.html#behavior,
which says "[These scripts handling conffiles] must not ask unnecessary
questions (particularly during upgrades), and must otherwise be good
citizens."

https://wiki.debian.org/DpkgConffileHandling should help with figuring
out how to do this properly.

In https://lists.debian.org/debian-devel/2009/08/msg00675.html and
followups it has been agreed that these bugs are to be filed with
severity serious.

From the attached log (scroll to the bottom...):

  Setting up mpdscribble (0.24-2+b1) ...
  
  Configuration file '/etc/mpdscribble.conf'
   ==> File on system created by you or by a script.
   ==> File also in package provided by package maintainer.
 What would you like to do about it ?  Your options are:
  Y or I  : install the package maintainer's version
  N or O  : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
   The default action is to keep your current version.
  *** mpdscribble.conf (Y/I/N/O/D/Z) [default=N] ? dpkg: error processing 
package mpdscribble (--configure):
   end of file on stdin at conffile prompt


cheers,

Andreas


mpdscribble_0.24-2+b1.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: mpdscribble
Source-Version: 0.24-3
Done: Geoffroy Youri Berret 

We believe that the bug you reported is fixed in the latest version of
mpdscribble, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1035...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Geoffroy Youri Berret  (supplier of updated mpdscribble 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 07 May 2023 20:00:03 +0200
Source: mpdscribble
Architecture: source
Version: 0.24-3
Distribution: unstable
Urgency: medium
Maintainer: mpd maintainers 
Changed-By: Geoffroy Youri Berret 
Closes: 1035603
Changes:
 mpdscribble (0.24-3) unstable; urgency=medium
 .
   * Do not ship /etc/mpdscribble.conf as a conffile (already managed with ucf)
 Thanks to Andreas Beckmann  (Closes: #1035603)

Bug#1030284: nodejs: [arm64] RangeError: Maximum call stack size exceeded

2023-05-12 Thread Thorsten Glaser
James Addison dixit:

>So: a fix here won't achieve stack capacity equality across

No. The fix you proposed won’t achieve that but others would
improve the situation much more, so that equality across arches
won’t need to matter any more.

>Or, to put it another way: applying an increase (either static or
>dynamic, either ARM-specific or across all architectures) for stack
>size determination would move the problem, and another architecture
>would take the place of "architecture where RangeError can occur in
>code x that doesn't occur on other architectures".

Yes, but given the usual ulimit, the new limit would be 4+ times
the old one, much much harder to reach.

>it, though - and based on their current policy, NodeJS upstream seem
>unlikely to accept it since they don't want to modify their vendored
>V8.

AIUI that’s not necessary because you can already set the stack
limit with a nodejs command line option. The patch could just
set the limit, using the same facility that CLI option uses, if
that option isn’t given (or before it is processed).

bye,
//mirabilos
-- 
(gnutls can also be used, but if you are compiling lynx for your own use,
there is no reason to consider using that package)
-- Thomas E. Dickey on the Lynx mailing list, about OpenSSL



Bug#1035872: marked as done (tuxmath-data: broken symlink: /usr/share/tuxmath/fonts/AndikaDesRevG.ttf -> ../../fonts/truetype/andika/Andika-R.ttf)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 15:10:31 +
with message-id 
and subject line Bug#1035872: fixed in tuxmath 2.0.3-9
has caused the Debian Bug report #1035872,
regarding tuxmath-data: broken symlink: 
/usr/share/tuxmath/fonts/AndikaDesRevG.ttf -> 
../../fonts/truetype/andika/Andika-R.ttf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tuxmath-data
Version: 2.0.3-8
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

0m19.3s ERROR: FAIL: Broken symlinks:
  /usr/share/tuxmath/fonts/AndikaDesRevG.ttf -> 
../../fonts/truetype/andika/Andika-R.ttf (tuxmath-data)

/usr/share/fonts/truetype/andika/Andika-Regular.ttf might be an
alternative target. (May need a versioned fonts-sil-andika dependency.) 


cheers,

Andreas
--- End Message ---
--- Begin Message ---
Source: tuxmath
Source-Version: 2.0.3-9
Done: Holger Levsen 

We believe that the bug you reported is fixed in the latest version of
tuxmath, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1035...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen  (supplier of updated tuxmath package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 12 May 2023 15:30:44 +0200
Source: tuxmath
Architecture: source
Version: 2.0.3-9
Distribution: unstable
Urgency: medium
Maintainer: Holger Levsen 
Changed-By: Holger Levsen 
Closes: 1035872
Changes:
 tuxmath (2.0.3-9) unstable; urgency=medium
 .
   * tuxmath-data: update link target to comply with the change in
 fonts-sil-andika: /usr/share/fonts/truetype/andika/Andika-R.ttf has been
 renamed to Andika-Regular.ttf. Thanks to Andreas Beckmann.
 Closes: #1035872.
--- End Message ---


Bug#1033167: usrmerge: messes with /etc/shells

2023-05-12 Thread Luca Boccassi
On Sun, 19 Mar 2023 17:22:11 +0100 Helmut Grohne 
wrote:
> I've prepared an update for debianutils and tested it in the
> following
> cases:
>  * Installation on a pre-merged chroot -> /usr/bin/sh is added to
>/etc/shells.
>  * Installation on a chroot merged by usrmerge -> no difference
>  * Installation on an unmerged system. Manual merge without
>convert-etc-shells. Manual update-shells. -> Looks the same as
> after
>convert-etc-shells.
> 
> Does anyone see any bugs?

Not an expert in update-shells, but cannot see anything obviously wrong
with the patch. Only comment I'd make is maybe to split the latter half
of the changes, which seems unrelated and adding previously missing
quotes, in a different patch.

-- 
Kind regards,
Luca Boccassi


signature.asc
Description: This is a digitally signed message part


Processed: Bug#1035872 marked as pending in tuxmath

2023-05-12 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #1035872 [tuxmath-data] tuxmath-data: broken symlink: 
/usr/share/tuxmath/fonts/AndikaDesRevG.ttf -> 
../../fonts/truetype/andika/Andika-R.ttf
Added tag(s) pending.

-- 
1035872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1035872: marked as pending in tuxmath

2023-05-12 Thread Holger Levsen
Control: tag -1 pending

Hello,

Bug #1035872 in tuxmath reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/tux4kids-pkg-team/tuxmath/-/commit/c37250a01ec839f92b51aec23cc299bf82fd9d37


tuxmath-data: update link target to comply with the change in fonts-sil-andika. 
Closes: #1035872

Signed-off-by: Holger Levsen 


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1035872



Processed: Re: Bug#1035872: tuxmath-data: broken symlink: /usr/share/tuxmath/fonts/AndikaDesRevG.ttf -> ../../fonts/truetype/andika/Andika-R.ttf

2023-05-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 1035872 serious
Bug #1035872 [tuxmath-data] tuxmath-data: broken symlink: 
/usr/share/tuxmath/fonts/AndikaDesRevG.ttf -> 
../../fonts/truetype/andika/Andika-R.ttf
Severity set to 'serious' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1035872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1033832: marked as pending in php-db

2023-05-12 Thread William Desportes
Control: tag -1 pending

Hello,

Bug #1033832 in php-db reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/php-team/pear/php-db/-/commit/f2123b042898f37b5a1cc9408ddbe24d3e4ce4b8


Add a patch for PHP 8.2 dynamic properties (Closes: #1033832)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1033832



Processed: Bug#1033832 marked as pending in php-db

2023-05-12 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #1033832 [src:php-db] php-db: autopkgtest regression: FAIL 
DB::DB_Error[DB-1.11.0/tests/db_error.phpt]
Ignoring request to alter tags of bug #1033832 to the same tags previously set

-- 
1033832: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033832
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#1035820: 9base: leaves entries in /etc/shells after upgrade from bullseye

2023-05-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reassign 1035820 usrmerge
Bug #1035820 [9base] 9base: leaves entries in /etc/shells after upgrade from 
bullseye
Bug reassigned from package '9base' to 'usrmerge'.
No longer marked as found in versions 9base/1:6-13.
Ignoring request to alter fixed versions of bug #1035820 to the same values 
previously set
> forcemerge 1033167 1035820
Bug #1033167 [usrmerge] usrmerge: messes with /etc/shells
Bug #1035820 [usrmerge] 9base: leaves entries in /etc/shells after upgrade from 
bullseye
Added indication that 1035820 affects dash,debianutils
Marked as found in versions usrmerge/25.
Merged 1033167 1035820
> affects 1035820 + 9base
Bug #1035820 [usrmerge] 9base: leaves entries in /etc/shells after upgrade from 
bullseye
Bug #1033167 [usrmerge] usrmerge: messes with /etc/shells
Added indication that 1035820 affects 9base
Added indication that 1033167 affects 9base
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1033167: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033167
1035820: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035820
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: reassign 1035978 to src:python-glance-store, forcibly merging 1035962 1035978

2023-05-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reassign 1035978 src:python-glance-store
Bug #1035978 {Done: Thomas Goirand } [python3-glance-store] 
CVE-2023-2088: Unauthorized volume access through deleted volume attachments
Bug reassigned from package 'python3-glance-store' to 'src:python-glance-store'.
No longer marked as found in versions python-glance-store/4.3.0-1.
No longer marked as fixed in versions python-glance-store/4.3.0-2, 
nova/2:27.0.0-3, and python-glance-store/4.1.0-4.
> forcemerge 1035962 1035978
Bug #1035962 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted 
volume attachments
Bug #1035978 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088: Unauthorized volume access through deleted volume attachments
Marked as found in versions python-glance-store/4.1.0-3.
Added tag(s) security, upstream, and fixed-upstream.
Bug #1035962 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted 
volume attachments
Added tag(s) patch.
Merged 1035962 1035978
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1035962: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035962
1035978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1035961: marked as done (CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted volume attachments)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 11:49:07 +
with message-id 
and subject line Bug#1035961: fixed in cinder 2:21.1.0-3
has caused the Debian Bug report #1035961,
regarding CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through 
deleted volume attachments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035961: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-os-brick
Version: 6.2.0-1
Severity: grave


OSSA-2023-003: Unauthorized volume access through deleted volume attachments


:Date: May 10, 2023
:CVE: CVE-2023-2088


Affects
~~~
- Cinder: <20.2.1, >=21.0.0 <21.2.1, ==22.0.0
- Glance_store: <3.0.1, >=4.0.0 <4.1.1, >=4.2.0 <4.3.1
- Nova: <25.1.2, >=26.0.0 <26.1.2, ==27.0.0
- Os-brick: <5.2.3, >=6.0.0 <6.1.1, >=6.2.0 <6.2.2


Description
~~~
An unauthorized access to a volume could occur when an iSCSI or FC
connection from a host is severed due to a volume being unmapped on
the storage system and the device is later reused for another volume
on the same host.

**Scope:** Only deployments with iSCSI or FC volumes are affected.
However, the fix for this issue includes a configuration change in
Nova and Cinder that may impact you on your next upgrade regardless
of what backend storage technology you use. See the *Configuration
change* section below, and item 4(B) in the *Patches and Associated
Deployment Changes* for details.

This data leak can be triggered by two different situations.

**Accidental case:** If there is a problem with network connectivity
during a normal detach operation, OpenStack may fail to clean the
situation up properly. Instead of force-detaching the compute node
device, Nova ignores the error, assuming the instance has already
been deleted. Due to this incomplete operation OpenStack may end up
selecting the wrong multipath device when connecting another volume
to an instance.

**Intentional case:** A regular user can create an instance with a
volume, and then delete the volume attachment directly in Cinder,
which neglects to notify Nova. The compute node SCSI plumbing (over
iSCSI/FC) will continue trying to connect to the original
host/port/LUN, not knowing the attachment has been deleted. If a
subsequent volume attachment re-uses the host/port/LUN for a
different instance and volume, the original instance will gain
access to it once the SCSI plumbing reconnects.

Configuration Change

To prevent the intentional case, the Block Storage API provided by
Cinder must only accept attachment delete requests from Nova for
instance-attached volumes. A complicating factor is that Nova
deletes an attachment by making a call to the Block Storage API on
behalf of the user (that is, by passing the user's token), which
makes the request indistinguishable from the user making this
request directly. The solution is to have Nova include a service
token along with the user's token so that Cinder can determine that
the detach request is coming from Nova. The ability for Nova to pass
a service token has been supported since Ocata, but has not been
required until now. Thus, deployments that are not currently sending
service user credentials from Nova will need to apply the relevant
code changes and also make configuration changes to solve the
problem.

Patches and Associated Deployment Changes
-
Given the above analysis, a thorough fix must include the following
elements:

1. The os-brick library must implement the ``force`` option for
   fibre channel, which has only been available for iSCSI
   until now (covered by the linked patches).

2. Nova must call os-brick with the ``force`` option when
   disconnecting volumes from deleted instances (covered by the
   linked patches).

3. In deployments where Glance uses the cinder glance_store driver,
   glance must call os-brick with the ``force`` option when
   disconnecting volumes (covered by the linked patches).

4. Cinder must distinguish between safe and unsafe attachment delete
   requests and reject the unsafe ones. This part of the fix has two
   components:

   a. The Block Storage API will return a 409 (Conflict) for a
  request to delete an attachment if there is an instance
  currently using the attachment, **unless** the request is
  being made by a service (for example, Nova) on behalf of a
  user
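
The check in item 4(a) above, as an added example that is not part of the advisory or of Cinder's, Nova's or os-brick's code: a Python model of the attachment-delete decision, assuming token validation has already happened (only the roles are modelled) and a hypothetical role name "service" marks a service token.

```python
"""Model of the attachment-delete rule from OSSA-2023-003 (CVE-2023-2088).

Added illustration only: this is not Cinder's, Nova's or os-brick's code.
It models item 4(a) of the advisory: a request to delete an attachment that
an instance is still using gets 409 (Conflict) unless a service such as
Nova made the request on the user's behalf, which the Block Storage API
recognises by a validated service token sent alongside the user's token.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

HTTP_OK = 200
HTTP_NOT_FOUND = 404
HTTP_CONFLICT = 409

# Role a validated service token must carry to count as "a service".
# Assumed value for this model; the real middleware makes it configurable.
SERVICE_ROLES: FrozenSet[str] = frozenset({"service"})


@dataclass
class Attachment:
    attachment_id: str
    volume_id: str
    # UUID of the instance using this attachment, or None once the volume
    # is no longer attached to any instance.
    instance_uuid: Optional[str]


@dataclass
class Request:
    # Roles carried by the (already validated) user token.
    user_roles: FrozenSet[str]
    # Roles carried by the validated service token, or None when the request
    # arrived without one (the plain-user case the advisory describes).
    service_roles: Optional[FrozenSet[str]] = None


def is_service_request(req: Request) -> bool:
    """True only when a service token with a service role accompanied the call."""
    return req.service_roles is not None and bool(req.service_roles & SERVICE_ROLES)


class AttachmentStore:
    """In-memory stand-in for Cinder's attachment records (constructed data)."""

    def __init__(self) -> None:
        self._attachments: Dict[str, Attachment] = {}

    def create(self, att: Attachment) -> None:
        self._attachments[att.attachment_id] = att

    def delete(self, attachment_id: str, req: Request) -> int:
        """Return the HTTP status the attachment-delete call would answer with.

        The unsafe case is an attachment an instance still uses, requested
        by the plain user: deleting Cinder's record then leaves the compute
        node's iSCSI/FC session open, which is the leak in the advisory's
        intentional case. That request is refused; Nova has to drive it.
        """
        att = self._attachments.get(attachment_id)
        if att is None:
            return HTTP_NOT_FOUND
        if att.instance_uuid is not None and not is_service_request(req):
            return HTTP_CONFLICT
        del self._attachments[attachment_id]
        return HTTP_OK


def demo() -> Dict[str, int]:
    """Exercise the cases that matter and return their status codes."""
    store = AttachmentStore()
    store.create(Attachment("att-1", "vol-1", instance_uuid="inst-1"))
    store.create(Attachment("att-2", "vol-2", instance_uuid=None))
    user = Request(user_roles=frozenset({"member"}))
    # A second token that is not a service token must not unlock the delete.
    user_with_extra_token = Request(user_roles=frozenset({"member"}),
                                    service_roles=frozenset({"member"}))
    nova = Request(user_roles=frozenset({"member"}),
                   service_roles=frozenset({"service"}))
    return {
        # User deletes an attachment an instance still uses: refused.
        "user_deletes_in_use": store.delete("att-1", user),
        "extra_non_service_token": store.delete("att-1", user_with_extra_token),
        # Nova, forwarding the user's token plus its own service token: allowed.
        "nova_deletes_in_use": store.delete("att-1", nova),
        # User deletes an attachment no instance uses: allowed.
        "user_deletes_unused": store.delete("att-2", user),
        # The record is gone after Nova's delete.
        "second_delete": store.delete("att-1", nova),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```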

Processed (with 1 error): forcibly merging 1035962 1035978

2023-05-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forcemerge 1035962 1035978
Bug #1035962 {Done: Thomas Goirand } [src:python-glance-store] 
CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted 
volume attachments
Unable to merge bugs because:
package of #1035978 is 'python3-glance-store' not 'src:python-glance-store'
Failed to forcibly merge 1035962: Did not alter merged bugs.

> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1035962: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035962
1035978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: forcibly merging 1035963 1035981

2023-05-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forcemerge 1035963 1035981
Bug #1035963 {Done: Thomas Goirand } [src:nova] CVE-2023-2088 
/ OSSA-2023-003: Unauthorized volume access through deleted volume attachments
Bug #1035981 {Done: Thomas Goirand } [src:nova] CVE-2023-2088 
/ OSSA-2023-003: Unauthorized volume access through deleted volume attachments
Added tag(s) fixed-upstream, upstream, and security.
Bug #1035963 {Done: Thomas Goirand } [src:nova] CVE-2023-2088 
/ OSSA-2023-003: Unauthorized volume access through deleted volume attachments
Marked as fixed in versions nova/2:27.0.0-4 and nova/2:26.1.0-4.
Added tag(s) patch.
Merged 1035963 1035981
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1035963: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035963
1035981: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035981
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1035995: bazel-bootstrap: Depend on libgeronimo-annotation-1.3-spec-java instead of libtomcat9-java

2023-05-12 Thread Emmanuel Bourg
Package: bazel-bootstrap
Version: 4.2.3+ds-8
Severity: serious

bazel-bootstrap depends on libtomcat9-java, only to use 
tomcat9-annotations-api.jar
which provides the javax.annotations package. Since libtomcat9-java is about
to be removed this needs to be replaced.

libtomcat10-java provides a new version of the annotations API but under
the jakarta.annotation package. It would involve patching bazel-bootstrap 
heavily.

The javax.annotations package is also provided by 
libgeronimo-annotation-1.3-spec-java,
it could be used as a replacement.



Bug#1035994: heat-cfntools: package is missing main module 'heat_cfntools'

2023-05-12 Thread Benoit Plessis
Package: heat-cfntools
Version: 1.4.2-2.1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

The package only includes the stub executables and lacks the main modules 
required to function:

# /usr/bin/cfn-init
Traceback (most recent call last):
  File "/usr/bin/cfn-init", line 22, in 
from heat_cfntools.cfntools import cfn_helper
ModuleNotFoundError: No module named 'heat_cfntools'

# dpkg -L heat-cfntools
/.
/usr
/usr/bin
/usr/bin/cfn-create-aws-symlinks
/usr/bin/cfn-get-metadata
/usr/bin/cfn-hup
/usr/bin/cfn-init
/usr/bin/cfn-push-stats
/usr/bin/cfn-signal
/usr/share
/usr/share/doc
/usr/share/doc/heat-cfntools
/usr/share/doc/heat-cfntools/changelog.Debian.gz
/usr/share/doc/heat-cfntools/changelog.gz
/usr/share/doc/heat-cfntools/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/cfn-create-aws-symlinks.1.gz
/usr/share/man/man1/cfn-get-metadata.1.gz
/usr/share/man/man1/cfn-hup.1.gz
/usr/share/man/man1/cfn-init.1.gz
/usr/share/man/man1/cfn-push-stats.1.gz
/usr/share/man/man1/cfn-signal.1.gz

And the package doesn't include dependencies that would solve that:

Depends: python3-boto (>= 2.12.0), python3-pbr (>= 0.6), python3-psutil (>= 
1.1.1), python3:any

-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-21-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages heat-cfntools depends on:
ii  python3 3.9.2-3
ii  python3-boto2.49.0-3
ii  python3-pbr 5.5.0-2
ii  python3-psutil  5.8.0-1

heat-cfntools recommends no packages.

heat-cfntools suggests no packages.

-- debconf-show failed



Bug#1035992: marked as done (apache-log4j-extras1.2: Error while generating Javadoc: Unable to write 'options' temporary file)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 10:48:53 +
with message-id 
and subject line Bug#1035992: fixed in apache-log4j-extras1.2 1.2.17-3
has caused the Debian Bug report #1035992,
regarding apache-log4j-extras1.2: Error while generating Javadoc: Unable to 
write 'options' temporary file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035992: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035992
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-log4j-extras1.2
Version: 1.2.17-2
Severity: serious
Tags: ftbfs

apache-log4j-extras1.2 fails to build with the following error:

  [INFO] 

  [INFO] BUILD FAILURE
  [INFO] 

  [INFO] Total time:  3.437 s
  [INFO] Finished at: 2023-05-12T10:19:16Z
  [INFO] 

  [ERROR] Failed to execute goal 
org.apache.maven.plugins:maven-javadoc-plugin:3.4.1:jar (default-cli) on 
project apache-log4j-extras: MavenReportException: Error while generating 
Javadoc: Unable to write 'options' temporary file for command execution: Input 
length = 1 -> [Help 1]
  [ERROR]
--- End Message ---
--- Begin Message ---
Source: apache-log4j-extras1.2
Source-Version: 1.2.17-3
Done: Emmanuel Bourg 

We believe that the bug you reported is fixed in the latest version of
apache-log4j-extras1.2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1035...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg  (supplier of updated apache-log4j-extras1.2 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 12 May 2023 12:34:54 +0200
Source: apache-log4j-extras1.2
Architecture: source
Version: 1.2.17-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Closes: 1035992
Changes:
 apache-log4j-extras1.2 (1.2.17-3) unstable; urgency=medium
 .
   * Removed the -java-doc package (Closes: #1035992)
   * Use salsa.debian.org Vcs-* URLs
--- End Message ---


Bug#1035961: marked as done (CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted volume attachments)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 10:49:18 +
with message-id 
and subject line Bug#1035961: fixed in cinder 2:22.0.0-3
has caused the Debian Bug report #1035961,
regarding CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through 
deleted volume attachments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035961: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
makes the request indistinguishable from the user making this
request directly. The solution is to have Nova include a service
token along with the user's token so that Cinder can determine that
the detach request is coming from Nova. The ability for Nova to pass
a service token has been supported since Ocata, but has not been
required until now. Thus, deployments that are not currently sending
service user credentials from Nova will need to apply the relevant
code changes and also make configuration changes to solve the
problem.

Patches and Associated Deployment Changes
-
Given the above analysis, a thorough fix must include the following
elements:

1. The os-brick library must implement the ``force`` option for
   fibre channel, which has only been available for iSCSI
   until now (covered by the linked patches).

2. Nova must call os-brick with the ``force`` option when
   disconnecting volumes from deleted instances (covered by the
   linked patches).

3. In deployments where Glance uses the cinder glance_store driver,
   glance must call os-brick with the ``force`` option when
   disconnecting volumes (covered by the linked patches).

4. Cinder must distinguish between safe and unsafe attachment delete
   requests and reject the unsafe ones. This part of the fix has two
   components:

   a. The Block Storage API will return a 409 (Conflict) for a
  request to delete an attachment if there is an instance
  currently using the attachment, **unless** the request is
  being made by a service (for example, Nova) on behalf of a
  user

Bug#1035992: apache-log4j-extras1.2: Error while generating Javadoc: Unable to write 'options' temporary file

2023-05-12 Thread Emmanuel Bourg
Source: apache-log4j-extras1.2
Version: 1.2.17-2
Severity: serious
Tags: ftbfs

apache-log4j-extras1.2 fails to build with the following error:

  [INFO] 

  [INFO] BUILD FAILURE
  [INFO] 

  [INFO] Total time:  3.437 s
  [INFO] Finished at: 2023-05-12T10:19:16Z
  [INFO] 

  [ERROR] Failed to execute goal 
org.apache.maven.plugins:maven-javadoc-plugin:3.4.1:jar (default-cli) on 
project apache-log4j-extras: MavenReportException: Error while generating 
Javadoc: Unable to write 'options' temporary file for command execution: Input 
length = 1 -> [Help 1]
  [ERROR]



Processed: closing 1034224

2023-05-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # binNMUs were scheduled
> close 1034224
Bug #1034224 [pvpgn] pvpgn: dh_installsystemd doesn't handle files in 
/usr/lib/systemd/system
Marked Bug as done
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1034224: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034224
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1035981: marked as done (CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted volume attachments)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 09:04:18 +
with message-id 
and subject line Bug#1035981: fixed in nova 2:26.1.0-4
has caused the Debian Bug report #1035981,
regarding CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through 
deleted volume attachments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035981: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035981
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nova
Version: 2:26.1.0-2
Severity: grave
Tags: patch

Affects
~~~
- Cinder: <20.2.1, >=21.0.0 <21.2.1, ==22.0.0
- Glance_store: <3.0.1, >=4.0.0 <4.1.1, >=4.2.0 <4.3.1
- Nova: <25.1.2, >=26.0.0 <26.1.2, ==27.0.0
- Os-brick: <5.2.3, >=6.0.0 <6.1.1, >=6.2.0 <6.2.2


Description
~~~
An unauthorized access to a volume could occur when an iSCSI or FC
connection from a host is severed due to a volume being unmapped on
the storage system and the device is later reused for another volume
on the same host.

**Scope:** Only deployments with iSCSI or FC volumes are affected.
However, the fix for this issue includes a configuration change in
Nova and Cinder that may impact you on your next upgrade regardless
of what backend storage technology you use. See the *Configuration
change* section below, and item 4(B) in the *Patches and Associated
Deployment Changes* for details.

This data leak can be triggered by two different situations.

**Accidental case:** If there is a problem with network connectivity
during a normal detach operation, OpenStack may fail to clean the
situation up properly. Instead of force-detaching the compute node
device, Nova ignores the error, assuming the instance has already
been deleted. Due to this incomplete operation OpenStack may end up
selecting the wrong multipath device when connecting another volume
to an instance.

**Intentional case:** A regular user can create an instance with a
volume, and then delete the volume attachment directly in Cinder,
which neglects to notify Nova. The compute node SCSI plumbing (over
iSCSI/FC) will continue trying to connect to the original
host/port/LUN, not knowing the attachment has been deleted. If a
subsequent volume attachment re-uses the host/port/LUN for a
different instance and volume, the original instance will gain
access to it once the SCSI plumbing reconnects.

Configuration Change

To prevent the intentional case, the Block Storage API provided by
Cinder must only accept attachment delete requests from Nova for
instance-attached volumes. A complicating factor is that Nova
deletes an attachment by making a call to the Block Storage API on
behalf of the user (that is, by passing the user's token), which
makes the request indistinguishable from the user making this
request directly. The solution is to have Nova include a service
token along with the user's token so that Cinder can determine that
the detach request is coming from Nova. The ability for Nova to pass
a service token has been supported since Ocata, but has not been
required until now. Thus, deployments that are not currently sending
service user credentials from Nova will need to apply the relevant
code changes and also make configuration changes to solve the
problem.

Patches and Associated Deployment Changes
-
Given the above analysis, a thorough fix must include the following
elements:

1. The os-brick library must implement the ``force`` option for
   fibre channel, which has only been available for iSCSI
   until now (covered by the linked patches).

2. Nova must call os-brick with the ``force`` option when
   disconnecting volumes from deleted instances (covered by the
   linked patches).

3. In deployments where Glance uses the cinder glance_store driver,
   glance must call os-brick with the ``force`` option when
   disconnecting volumes (covered by the linked patches).

4. Cinder must distinguish between safe and unsafe attachment delete
   requests and reject the unsafe ones. This part of the fix has two
   components:

   a. The Block Storage API will return a 409 (Conflict) for a
  request to delete an attachment if there is an instance
  currently using the attachment, **unless** the request is
  being made by a service (for example, Nova) on behalf of a
  user (covered by the linked patches).

   b. In order to recognize that a request is being made by a
  service on behalf of a user, Nova must be configured to send a
  service token along with the user token. If this configuration
  change is not made, the cinder 

Bug#1035984: libpopplerkit0: unhandled symlink to directory conversion: /usr/lib/GNUstep/Frameworks/PopplerKit.framework/Versions/1.0/Resources

2023-05-12 Thread Andreas Beckmann
Package: libpopplerkit0
Version: 0.0.20051227svn-11
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

an upgrade test with piuparts revealed that your package installs files
over existing symlinks and possibly overwrites files owned by other
packages. This usually means an old version of the package shipped a
symlink but that was later replaced by a real (and non-empty)
directory. This kind of overwriting another package's files cannot be
detected by dpkg.

This was observed on the following upgrade paths:

  testing -> unstable

For /usr/share/doc/PACKAGE this may not be problematic as long as both
packages are installed, ship byte-for-byte identical files and are
upgraded in lockstep. But once one of the involved packages gets
removed, the other one will lose its documentation files, too,
including the copyright file, which is a violation of Policy 12.5:
https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information

For other overwritten locations anything interesting may happen.

Note that dpkg intentionally does not replace directories with symlinks
and vice versa, you need the maintainer scripts to do this.
See in particular the end of point 4 in
https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#details-of-unpack-phase-of-installation-or-upgrade

It is recommended to use the dpkg-maintscript-helper commands
'dir_to_symlink' and 'symlink_to_dir' (available since dpkg 1.17.14)
to perform the conversion, ideally using d/$PACKAGE.maintscript.
See dpkg-maintscript-helper(1) and dh_installdeb(1) for details.


From the attached log (scroll to the bottom...):

1m20.3s ERROR: installs objects over existing directory symlinks:
  
/usr/lib/GNUstep/Frameworks/PopplerKit.framework/Versions/1.0/Resources/Info-gnustep.plist
 (libpopplerkit0) != 
/usr/share/GNUstep/Frameworks/PopplerKit.framework/Versions/1.0/Info-gnustep.plist
 (?)
/usr/lib/GNUstep/Frameworks/PopplerKit.framework/Versions/1.0/Resources -> 
../../../../../../share/GNUstep/Frameworks/PopplerKit.framework/Versions/1.0


Excerpts from debdiff libpopplerkit0_0.0.20051227svn-10+b1_amd64.deb 
libpopplerkit0_0.0.20051227svn-11_amd64.deb

Files in first .deb but not in second
-
-rw-r--r--  root/root   
/usr/share/GNUstep/Frameworks/PopplerKit.framework/Versions/1.0/Info-gnustep.plist
-rw-r--r--  root/root   /usr/share/doc/libpopplerkit0/changelog.Debian.amd64.gz
lrwxrwxrwx  root/root   
/usr/lib/GNUstep/Frameworks/PopplerKit.framework/Versions/1.0/Resources -> 
../../../../../../share/GNUstep/Frameworks/PopplerKit.framework/Versions/1.0

Files in second .deb but not in first
-
-rw-r--r--  root/root   
/usr/lib/GNUstep/Frameworks/PopplerKit.framework/Versions/1.0/Resources/Info-gnustep.plist


Was the move of Info-gnustep.plist from /usr/share to /usr/lib
intentional?
The easiest fix would be to move it back to /usr/share and let dpkg clean
up the unused and messed up paths/symlinks in /usr/lib.


cheers,

Andreas


libpopplerkit0_0.0.20051227svn-11.log.gz
Description: application/gzip
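The check piuparts is reporting above, as an added Python example (it is not piuparts' or dpkg's code): given the symlink the old package shipped and the files the new package installs, find files that dpkg would write through the symlink into another directory, and emit the dpkg-maintscript-helper entry the report mentions for the case where the move is intentional. The OLD_SYMLINKS and the first NEW_FILES entry are taken from the debdiff in the report; the second NEW_FILES entry, the function names and the prior version passed to symlink_to_dir_entry are constructed for the example.

```python
import posixpath
from typing import Dict, List, Tuple

# From the debdiff in the report: the symlink shipped by -10+b1 (path -> target)
# and the regular file that -11 installs underneath it.
OLD_SYMLINKS: Dict[str, str] = {
    "/usr/lib/GNUstep/Frameworks/PopplerKit.framework/Versions/1.0/Resources":
        "../../../../../../share/GNUstep/Frameworks/PopplerKit.framework/Versions/1.0",
}
NEW_FILES: List[str] = [
    "/usr/lib/GNUstep/Frameworks/PopplerKit.framework/Versions/1.0/Resources/Info-gnustep.plist",
    # Constructed control entry: not below any old symlink, so it must not be flagged.
    "/usr/share/doc/libpopplerkit0/changelog.Debian.gz",
]


def resolve_link(link: str, target: str) -> str:
    """Absolute directory that a (possibly relative) symlink target points at."""
    return posixpath.normpath(posixpath.join(posixpath.dirname(link), target))


def files_over_symlinks(new_files: List[str],
                        old_symlinks: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Files in the new package that dpkg would write *through* an old symlink.

    Returns (file, symlink, real path written). dpkg unpacks file by file and
    follows an existing symlink found at an intermediate path component, so the
    file lands in the link's target directory, which is not a path the package
    declares; neither the clash with another package's file nor the later
    cleanup is tracked, which is what the piuparts error above describes.
    """
    hits = []
    for path in new_files:
        for link, target in old_symlinks.items():
            prefix = link + "/"
            if path.startswith(prefix):
                real = posixpath.join(resolve_link(link, target), path[len(prefix):])
                hits.append((path, link, real))
    return hits


def symlink_to_dir_entry(link: str, target: str, fixed_version: str) -> str:
    """d/<package>.maintscript line converting the symlink into a real directory.

    Per dpkg-maintscript-helper(1), prior-version should be the version the
    conversion first ships in with '~' appended, so that every earlier version
    triggers it on upgrade. fixed_version here is an assumed, hypothetical value.
    """
    return f"symlink_to_dir {link} {target} {fixed_version}~"


if __name__ == "__main__":
    for path, link, real in files_over_symlinks(NEW_FILES, OLD_SYMLINKS):
        print(f"{path}\n  installs through symlink {link}\n  and really lands at {real}")
    link, target = next(iter(OLD_SYMLINKS.items()))
    print(symlink_to_dir_entry(link, target, "0.0.20051227svn-12"))
```

The maintscript route is only needed if the move of Info-gnustep.plist into /usr/lib was deliberate; otherwise, as the report says, putting the file back under /usr/share avoids the conversion entirely.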


Bug#1030284: nodejs: [arm64] RangeError: Maximum call stack size exceeded

2023-05-12 Thread James Addison
On Thu, 11 May 2023 at 23:54, Thorsten Glaser  wrote:
>
> James Addison dixit:
>
> >On Thu, 11 May 2023 at 02:43, Andres Salomon  wrote:
>
> >> For ARM64, he says that raising the stack limit is not safe for v8
> >> *embedded inside WebView*, and therefore not appropriate for upstream
> >> v8. But then he says it could/should be safe for v8 *embedded inside
> >> NodeJS*.
> >>
> >> Based on that, I suggest patching Debian's NodeJS with the patch to
> >> adjust armhf/arm64 stack limit size
>
> That would be a good thing (huh, wasn’t armhf good?), but…
>
> >I have a question: if we apply the patch and begin using the same
> >constant stack size of 984kb on 32-bit ARM and 64-bit ARM as is
> >defined for other architectures, then does NodeJS on those platforms
> >begin supporting exactly the same stack frame capacity (maximum call
> >depth for any given recursive function, for example) as a build of the
> >same NodeJS source on x86 and amd64 respectively?
>
> … no, because both stack usage and other stuff on stack differ.

Ok, that's what I thought, but I'm not familiar with the details here.

So: a fix here won't achieve stack capacity equality across
architectures.  (I say this because I think we should be clear about
what the bugreport is about, and, where possible, the known
limitations of fixes)

Or, to put it another way: applying an increase (either static or
dynamic, either ARM-specific or across all architectures) for stack
size determination would move the problem, and another architecture
would take the place of "architecture where RangeError can occur in
code x that doesn't occur on other architectures".

Do those statements seem true?  (they make sense to me, but I also
think it's possible that I've misunderstood something here)

> Which is why I’d rather have the getrlimit-based one for nodejs.
> That would give us twice to four times the limit.

That makes sense, and I agree that dynamic stack-sizing could help
(perhaps quite a lot on some systems).  We'd need a patch to implement
it, though - and based on their current policy, NodeJS upstream seem
unlikely to accept it since they don't want to modify their vendored
V8.  But if it showed significant benefits then perhaps we could use
that to contribute to further discussion with either/both of those
projects.



Bug#1035981: marked as done (CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted volume attachments)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 08:24:13 +
with message-id 
and subject line Bug#1035981: fixed in nova 2:27.0.0-4
has caused the Debian Bug report #1035981,
regarding CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through 
deleted volume attachments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035981: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035981
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nova
Version: 2:26.1.0-2
Severity: grave
Tags: patch

Affects
~~~
- Cinder: <20.2.1, >=21.0.0 <21.2.1, ==22.0.0
- Glance_store: <3.0.1, >=4.0.0 <4.1.1, >=4.2.0 <4.3.1
- Nova: <25.1.2, >=26.0.0 <26.1.2, ==27.0.0
- Os-brick: <5.2.3, >=6.0.0 <6.1.1, >=6.2.0 <6.2.2


Description
~~~
An unauthorized access to a volume could occur when an iSCSI or FC
connection from a host is severed due to a volume being unmapped on
the storage system and the device is later reused for another volume
on the same host.

**Scope:** Only deployments with iSCSI or FC volumes are affected.
However, the fix for this issue includes a configuration change in
Nova and Cinder that may impact you on your next upgrade regardless
of what backend storage technology you use. See the *Configuration
change* section below, and item 4(B) in the *Patches and Associated
Deployment Changes* for details.

This data leak can be triggered by two different situations.

**Accidental case:** If there is a problem with network connectivity
during a normal detach operation, OpenStack may fail to clean the
situation up properly. Instead of force-detaching the compute node
device, Nova ignores the error, assuming the instance has already
been deleted. Due to this incomplete operation OpenStack may end up
selecting the wrong multipath device when connecting another volume
to an instance.

**Intentional case:** A regular user can create an instance with a
volume, and then delete the volume attachment directly in Cinder,
which neglects to notify Nova. The compute node SCSI plumbing (over
iSCSI/FC) will continue trying to connect to the original
host/port/LUN, not knowing the attachment has been deleted. If a
subsequent volume attachment re-uses the host/port/LUN for a
different instance and volume, the original instance will gain
access to it once the SCSI plumbing reconnects.

Configuration Change

To prevent the intentional case, the Block Storage API provided by
Cinder must only accept attachment delete requests from Nova for
instance-attached volumes. A complicating factor is that Nova
deletes an attachment by making a call to the Block Storage API on
behalf of the user (that is, by passing the user's token), which
makes the request indistinguishable from the user making this
request directly. The solution is to have Nova include a service
token along with the user's token so that Cinder can determine that
the detach request is coming from Nova. The ability for Nova to pass
a service token has been supported since Ocata, but has not been
required until now. Thus, deployments that are not currently sending
service user credentials from Nova will need to apply the relevant
code changes and also make configuration changes to solve the
problem.

Patches and Associated Deployment Changes
-
Given the above analysis, a thorough fix must include the following
elements:

1. The os-brick library must implement the ``force`` option for
   fibre channel, which has only been available for iSCSI
   until now (covered by the linked patches).

2. Nova must call os-brick with the ``force`` option when
   disconnecting volumes from deleted instances (covered by the
   linked patches).

3. In deployments where Glance uses the cinder glance_store driver,
   glance must call os-brick with the ``force`` option when
   disconnecting volumes (covered by the linked patches).

4. Cinder must distinguish between safe and unsafe attachment delete
   requests and reject the unsafe ones. This part of the fix has two
   components:

   a. The Block Storage API will return a 409 (Conflict) for a
  request to delete an attachment if there is an instance
  currently using the attachment, **unless** the request is
  being made by a service (for example, Nova) on behalf of a
  user (covered by the linked patches).

   b. In order to recognize that a request is being made by a
  service on behalf of a user, Nova must be configured to send a
  service token along with the user token. If this configuration
  change is not made, the cinder 

Bug#1035978: marked as done (CVE-2023-2088: Unauthorized volume access through deleted volume attachments)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 08:23:45 +
with message-id 
and subject line Bug#1035978: fixed in nova 2:27.0.0-3
has caused the Debian Bug report #1035978,
regarding CVE-2023-2088: Unauthorized volume access through deleted volume 
attachments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-glance-store
Version: 4.3.0-1
Severity: grave
Tags: patch


OSSA-2023-003: Unauthorized volume access through deleted volume attachments


:Date: May 10, 2023
:CVE: CVE-2023-2088


Affects
~~~
- Cinder: <20.2.1, >=21.0.0 <21.2.1, ==22.0.0
- Glance_store: <3.0.1, >=4.0.0 <4.1.1, >=4.2.0 <4.3.1
- Nova: <25.1.2, >=26.0.0 <26.1.2, ==27.0.0
- Os-brick: <5.2.3, >=6.0.0 <6.1.1, >=6.2.0 <6.2.2


Description
~~~
An unauthorized access to a volume could occur when an iSCSI or FC
connection from a host is severed due to a volume being unmapped on
the storage system and the device is later reused for another volume
on the same host.

**Scope:** Only deployments with iSCSI or FC volumes are affected.
However, the fix for this issue includes a configuration change in
Nova and Cinder that may impact you on your next upgrade regardless
of what backend storage technology you use. See the *Configuration
change* section below, and item 4(B) in the *Patches and Associated
Deployment Changes* for details.

This data leak can be triggered by two different situations.

**Accidental case:** If there is a problem with network connectivity
during a normal detach operation, OpenStack may fail to clean the
situation up properly. Instead of force-detaching the compute node
device, Nova ignores the error, assuming the instance has already
been deleted. Due to this incomplete operation OpenStack may end up
selecting the wrong multipath device when connecting another volume
to an instance.

**Intentional case:** A regular user can create an instance with a
volume, and then delete the volume attachment directly in Cinder,
which neglects to notify Nova. The compute node SCSI plumbing (over
iSCSI/FC) will continue trying to connect to the original
host/port/LUN, not knowing the attachment has been deleted. If a
subsequent volume attachment re-uses the host/port/LUN for a
different instance and volume, the original instance will gain
access to it once the SCSI plumbing reconnects.

Configuration Change

To prevent the intentional case, the Block Storage API provided by
Cinder must only accept attachment delete requests from Nova for
instance-attached volumes. A complicating factor is that Nova
deletes an attachment by making a call to the Block Storage API on
behalf of the user (that is, by passing the user's token), which
makes the request indistinguishable from the user making this
request directly. The solution is to have Nova include a service
token along with the user's token so that Cinder can determine that
the detach request is coming from Nova. The ability for Nova to pass
a service token has been supported since Ocata, but has not been
required until now. Thus, deployments that are not currently sending
service user credentials from Nova will need to apply the relevant
code changes and also make configuration changes to solve the
problem.

Patches and Associated Deployment Changes
-
Given the above analysis, a thorough fix must include the following
elements:

1. The os-brick library must implement the ``force`` option for
   fibre channel, which has only been available for iSCSI
   until now (covered by the linked patches).

2. Nova must call os-brick with the ``force`` option when
   disconnecting volumes from deleted instances (covered by the
   linked patches).

3. In deployments where Glance uses the cinder glance_store driver,
   glance must call os-brick with the ``force`` option when
   disconnecting volumes (covered by the linked patches).

4. Cinder must distinguish between safe and unsafe attachment delete
   requests and reject the unsafe ones. This part of the fix has two
   components:

   a. The Block Storage API will return a 409 (Conflict) for a
  request to delete an attachment if there is an instance
  currently using the attachment, **unless** the request is
  being made by a service (for example, Nova) on behalf of a
  user

Processed: user debian...@lists.debian.org, affects 1034755, affects 1026015, usertagging 1035847 ...

2023-05-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> user debian...@lists.debian.org
Setting user to debian...@lists.debian.org (was a...@debian.org).
> affects 1034755 + education-thin-client
Bug #1034755 [x2gothinclient-common] x2gothinclient-common: about .postinst and 
.postrm scripts
Added indication that 1034755 affects education-thin-client
> affects 1026015 + ilisp-doc
Bug #1026015 [ilisp] ilisp: missing Depends: adduser
Added indication that 1026015 affects ilisp-doc
> usertags 1035847 piuparts
There were no usertags set.
Usertags are now: piuparts.
> affects 1035847 + x2gobroker-agent x2gobroker-authservice x2gobroker-daemon 
> x2gobroker-loadchecker x2gobroker-ssh x2gobroker-wsgi
Bug #1035847 [x2gobroker] x2gobroker-* packages fail to purge without adduser
Added indication that 1035847 affects x2gobroker-agent, x2gobroker-authservice, 
x2gobroker-daemon, x2gobroker-loadchecker, x2gobroker-ssh, and x2gobroker-wsgi
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1026015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026015
1034755: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034755
1035847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035847
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Bug#1035981 marked as pending in nova

2023-05-12 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #1035981 [src:nova] CVE-2023-2088 / OSSA-2023-003: Unauthorized volume 
access through deleted volume attachments
Added tag(s) pending.

-- 
1035981: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035981
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1035981: marked as pending in nova

2023-05-12 Thread Thomas Goirand
Control: tag -1 pending

Hello,

Bug #1035981 in nova reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/nova/-/commit/a8f75b4d61e1503f2b289b7d8303b82cf7d05206


Closing the correct bug and fix patch header (Closes: #1035981).


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1035981



Bug#1035981: CVE-2023-2088 / OSSA-2023-003: Unauthorized volume access through deleted volume attachments

2023-05-12 Thread Thomas Goirand
Source: nova
Version: 2:26.1.0-2
Severity: grave
Tags: patch

Affects
~~~
- Cinder: <20.2.1, >=21.0.0 <21.2.1, ==22.0.0
- Glance_store: <3.0.1, >=4.0.0 <4.1.1, >=4.2.0 <4.3.1
- Nova: <25.1.2, >=26.0.0 <26.1.2, ==27.0.0
- Os-brick: <5.2.3, >=6.0.0 <6.1.1, >=6.2.0 <6.2.2


Description
~~~
An unauthorized access to a volume could occur when an iSCSI or FC
connection from a host is severed due to a volume being unmapped on
the storage system and the device is later reused for another volume
on the same host.

**Scope:** Only deployments with iSCSI or FC volumes are affected.
However, the fix for this issue includes a configuration change in
Nova and Cinder that may impact you on your next upgrade regardless
of what backend storage technology you use. See the *Configuration
change* section below, and item 4(B) in the *Patches and Associated
Deployment Changes* for details.

This data leak can be triggered by two different situations.

**Accidental case:** If there is a problem with network connectivity
during a normal detach operation, OpenStack may fail to clean the
situation up properly. Instead of force-detaching the compute node
device, Nova ignores the error, assuming the instance has already
been deleted. Due to this incomplete operation OpenStack may end up
selecting the wrong multipath device when connecting another volume
to an instance.

**Intentional case:** A regular user can create an instance with a
volume, and then delete the volume attachment directly in Cinder,
which neglects to notify Nova. The compute node SCSI plumbing (over
iSCSI/FC) will continue trying to connect to the original
host/port/LUN, not knowing the attachment has been deleted. If a
subsequent volume attachment re-uses the host/port/LUN for a
different instance and volume, the original instance will gain
access to it once the SCSI plumbing reconnects.

Configuration Change

To prevent the intentional case, the Block Storage API provided by
Cinder must only accept attachment delete requests from Nova for
instance-attached volumes. A complicating factor is that Nova
deletes an attachment by making a call to the Block Storage API on
behalf of the user (that is, by passing the user's token), which
makes the request indistinguishable from the user making this
request directly. The solution is to have Nova include a service
token along with the user's token so that Cinder can determine that
the detach request is coming from Nova. The ability for Nova to pass
a service token has been supported since Ocata, but has not been
required until now. Thus, deployments that are not currently sending
service user credentials from Nova will need to apply the relevant
code changes and also make configuration changes to solve the
problem.

Patches and Associated Deployment Changes
-
Given the above analysis, a thorough fix must include the following
elements:

1. The os-brick library must implement the ``force`` option for
   fibre channel, which has only been available for iSCSI
   until now (covered by the linked patches).

2. Nova must call os-brick with the ``force`` option when
   disconnecting volumes from deleted instances (covered by the
   linked patches).

3. In deployments where Glance uses the cinder glance_store driver,
   glance must call os-brick with the ``force`` option when
   disconnecting volumes (covered by the linked patches).

4. Cinder must distinguish between safe and unsafe attachment delete
   requests and reject the unsafe ones. This part of the fix has two
   components:

   a. The Block Storage API will return a 409 (Conflict) for a
  request to delete an attachment if there is an instance
  currently using the attachment, **unless** the request is
  being made by a service (for example, Nova) on behalf of a
  user (covered by the linked patches).

   b. In order to recognize that a request is being made by a
  service on behalf of a user, Nova must be configured to send a
  service token along with the user token. If this configuration
  change is not made, the cinder change will reject **any**
  request to delete an attachment associated with a volume that
  is attached to an instance. Nova must be configured to send a
  service token to Cinder, and Cinder must be configured to
  accept service tokens. This is described in the following
  document and **IS NOT AUTOMATICALLY APPLIED BY THE LINKED
  PATCHES:** (Using service tokens to prevent long-running job
  failures)
  
https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html
  The Nova patch mentioned in step 2 includes a similar document
  more focused on Nova:
  doc/source/admin/configuration/service-user-token.rst

5. The cinder glance_store driver does not attach volumes to
   instances; instead, it attaches volumes directly to the Glance
   node. Thus, the Cinder change in step 4 w

Bug#1035978: marked as done (CVE-2023-2088: Unauthorized volume access through deleted volume attachments)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 07:34:57 +
with message-id 
and subject line Bug#1035978: fixed in python-glance-store 4.3.0-2
has caused the Debian Bug report #1035978,
regarding CVE-2023-2088: Unauthorized volume access through deleted volume 
attachments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-glance-store
Version: 4.3.0-1
Severity: grave
Tags: patch


OSSA-2023-003: Unauthorized volume access through deleted volume attachments


:Date: May 10, 2023
:CVE: CVE-2023-2088


Affects
~~~~~~~
- Cinder: <20.2.1, >=21.0.0 <21.2.1, ==22.0.0
- Glance_store: <3.0.1, >=4.0.0 <4.1.1, >=4.2.0 <4.3.1
- Nova: <25.1.2, >=26.0.0 <26.1.2, ==27.0.0
- Os-brick: <5.2.3, >=6.0.0 <6.1.1, >=6.2.0 <6.2.2


Description
~~~~~~~~~~~
An unauthorized access to a volume could occur when an iSCSI or FC
connection from a host is severed due to a volume being unmapped on
the storage system and the device is later reused for another volume
on the same host.

**Scope:** Only deployments with iSCSI or FC volumes are affected.
However, the fix for this issue includes a configuration change in
Nova and Cinder that may impact you on your next upgrade regardless
of what backend storage technology you use. See the *Configuration
change* section below, and item 4(B) in the *Patches and Associated
Deployment Changes* for details.

This data leak can be triggered by two different situations.

**Accidental case:** If there is a problem with network connectivity
during a normal detach operation, OpenStack may fail to clean the
situation up properly. Instead of force-detaching the compute node
device, Nova ignores the error, assuming the instance has already
been deleted. Due to this incomplete operation OpenStack may end up
selecting the wrong multipath device when connecting another volume
to an instance.

**Intentional case:** A regular user can create an instance with a
volume, and then delete the volume attachment directly in Cinder,
which neglects to notify Nova. The compute node SCSI plumbing (over
iSCSI/FC) will continue trying to connect to the original
host/port/LUN, not knowing the attachment has been deleted. If a
subsequent volume attachment re-uses the host/port/LUN for a
different instance and volume, the original instance will gain
access to it once the SCSI plumbing reconnects.

Configuration Change
--------------------
To prevent the intentional case, the Block Storage API provided by
Cinder must only accept attachment delete requests from Nova for
instance-attached volumes. A complicating factor is that Nova
deletes an attachment by making a call to the Block Storage API on
behalf of the user (that is, by passing the user's token), which
makes the request indistinguishable from the user making this
request directly. The solution is to have Nova include a service
token along with the user's token so that Cinder can determine that
the detach request is coming from Nova. The ability for Nova to pass
a service token has been supported since Ocata, but has not been
required until now. Thus, deployments that are not currently sending
service user credentials from Nova will need to apply the relevant
code changes and also make configuration changes to solve the
problem.
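The rule just described, together with the 409 response in item 4(a) of the list that follows, as an added Python model (an editor's example, not Cinder's own code): keystonemiddleware validates X-Auth-Token and, when one is present, X-Service-Token, and exposes the resulting role lists to the API as the X-Roles and X-Service-Roles headers; the check below consumes only those lists. The role name "service", the attachment records and the user ids are constructed for the example. The fourth scenario covers an attachment with no instance, such as one made by the cinder glance_store driver, which attaches volumes to the Glance node rather than to an instance.

```python
"""Model of the attachment-delete rule in OSSA-2023-003 item 4(a).

Added example, not Cinder's code.  It models only the decision: an
attachment still in use by an instance may be deleted when the caller
presents a service token (Nova acting on the user's behalf) alongside
the user's token; otherwise the API answers 409.  Header names are the
ones keystonemiddleware sets; the role name "service" and all sample
data are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

HTTP_OK = 200        # deletion proceeds
HTTP_CONFLICT = 409  # attachment is still in use by an instance


@dataclass
class Attachment:
    id: str
    volume_id: str
    instance_uuid: Optional[str]  # None when not bound to a Nova instance


@dataclass
class RequestContext:
    user_id: str
    roles: Tuple[str, ...]          # roles carried by the user token
    service_roles: Tuple[str, ...]  # roles of the service token, empty if none


def context_from_headers(headers: dict) -> RequestContext:
    """Build a context from the headers keystonemiddleware sets after
    validating X-Auth-Token and, optionally, X-Service-Token."""
    def roles(name: str) -> Tuple[str, ...]:
        value = headers.get(name, "")
        return tuple(r.strip() for r in value.split(",") if r.strip())

    return RequestContext(
        user_id=headers.get("X-User-Id", ""),
        roles=roles("X-Roles"),
        service_roles=roles("X-Service-Roles"),
    )


def check_attachment_delete(attachment: Attachment, ctx: RequestContext,
                            service_role: str = "service") -> Tuple[int, str]:
    """Decide a DELETE /v3/attachments/{id} request.

    An attachment used by an instance is deletable only when the request
    carries a service token holding the configured service role, i.e.
    Nova is acting on the user's behalf.  A plain user token, even one
    sent by a Nova that is not configured to add a service token, gets
    409 because the API cannot tell it apart from the user.
    """
    if attachment.instance_uuid is None:
        # e.g. a glance_store attachment: bound to the Glance node, not
        # to an instance, so the instance-in-use rule does not apply
        return HTTP_OK, "attachment is not bound to an instance"
    if service_role in ctx.service_roles:
        return HTTP_OK, "service request on behalf of user %s" % ctx.user_id
    return HTTP_CONFLICT, (
        "attachment %s is in use by instance %s; detach through Nova"
        % (attachment.id, attachment.instance_uuid))


def simulate() -> dict:
    """Run the situations the advisory describes on constructed data."""
    attached = Attachment(id="att-1", volume_id="vol-1", instance_uuid="inst-1")
    glance = Attachment(id="att-2", volume_id="vol-2", instance_uuid=None)

    # constructed header sets as keystonemiddleware would leave them
    user_only = {"X-User-Id": "alice", "X-Roles": "member,reader"}
    nova_with_token = {"X-User-Id": "alice", "X-Roles": "member,reader",
                       "X-Service-Roles": "service"}

    return {
        # intentional case: user bypasses Nova and calls Cinder directly
        "user_direct_delete": check_attachment_delete(
            attached, context_from_headers(user_only))[0],
        # Nova configured per item 4(b): service token accompanies user token
        "nova_with_service_token": check_attachment_delete(
            attached, context_from_headers(nova_with_token))[0],
        # Nova not sending a service token: indistinguishable from the
        # user, so even a legitimate detach is rejected
        "nova_without_service_token": check_attachment_delete(
            attached, context_from_headers(user_only))[0],
        # attachment not bound to an instance (glance_store case)
        "glance_store_attachment": check_attachment_delete(
            glance, context_from_headers(user_only))[0],
    }


if __name__ == "__main__":
    for name, status in simulate().items():
        print("%-28s -> %d" % (name, status))
```

The "nova_without_service_token" scenario is the upgrade hazard the advisory flags in item 4(b): once the Cinder change is deployed, a Nova that is not yet configured to send a service token (the nova.conf [service_user] section) has its own detach requests answered with 409, so the configuration change has to land with, or before, the code change.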

Patches and Associated Deployment Changes
-----------------------------------------
Given the above analysis, a thorough fix must include the following
elements:

1. The os-brick library must implement the ``force`` option for
   fibre channel, which has only been available for iSCSI
   until now (covered by the linked patches).

2. Nova must call os-brick with the ``force`` option when
   disconnecting volumes from deleted instances (covered by the
   linked patches).

3. In deployments where Glance uses the cinder glance_store driver,
   glance must call os-brick with the ``force`` option when
   disconnecting volumes (covered by the linked patches).

4. Cinder must distinguish between safe and unsafe attachment delete
   requests and reject the unsafe ones. This part of the fix has two
   components:

   a. The Block Storage API will return a 409 (Conflict) for a
  request to delete an attachment if there is an instance
  currently using the attachment, **unless** the request is
  being made by a service (for example, Nova) on behalf of 

Bug#1035978: marked as done (CVE-2023-2088: Unauthorized volume access through deleted volume attachments)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 07:34:48 +
with message-id 
and subject line Bug#1035978: fixed in python-glance-store 4.1.0-4
has caused the Debian Bug report #1035978,
regarding CVE-2023-2088: Unauthorized volume access through deleted volume 
attachments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1011597: marked as done (tiles: FTBFS with OpenJDK 17 due to an illegal reflective access in maven-autotag-plugin)

2023-05-12 Thread Debian Bug Tracking System
Your message dated Fri, 12 May 2023 07:35:06 +
with message-id 
and subject line Bug#1011597: fixed in tiles 3.0.7-5
has caused the Debian Bug report #1011597,
regarding tiles: FTBFS with OpenJDK 17 due to an illegal reflective access in 
maven-autotag-plugin
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1011597: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011597
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tiles
Version: 3.0.7-4
Severity: important
Tags: ftbfs sid bookworm
User: debian-j...@lists.debian.org
Usertags: default-java17


tiles fails to build with OpenJDK 17, there is an illegal reflective access
when executing the maven-autotag-plugin. It's not clear if the root cause
comes from tiles, tiles-autotag or libxstream-java.


  [INFO] 

  [INFO] BUILD FAILURE
  [INFO] 

  [INFO] Total time:  2.791 s
  [INFO] Finished at: 2022-05-25T04:23:38Z
  [INFO] 

  [ERROR] Failed to execute goal 
org.apache.tiles.autotag.plugin:maven-autotag-plugin:1.2:generate-jsp (default) 
on project tiles-jsp: Execution default of goal 
org.apache.tiles.autotag.plugin:maven-autotag-plugin:1.2:generate-jsp failed: 
An API incompatibility was encountered while executing 
org.apache.tiles.autotag.plugin:maven-autotag-plugin:1.2:generate-jsp: 
java.lang.ExceptionInInitializerError: null
  [ERROR] -
  [ERROR] realm =
plugin>org.apache.tiles.autotag.plugin:maven-autotag-plugin:1.2
  [ERROR] strategy = org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy
  [ERROR] urls[0] = 
file:/<>/debian/maven-repo/org/apache/tiles/autotag/plugin/maven-autotag-plugin/1.2/maven-autotag-plugin-1.2.jar
  [ERROR] urls[1] = 
file:/<>/debian/maven-repo/javax/enterprise/cdi-api/debian/cdi-api-debian.jar
  [ERROR] urls[2] = 
file:/<>/debian/maven-repo/org/apache/geronimo/specs/geronimo-interceptor_3.0_spec/debian/geronimo-interceptor_3.0_spec-debian.jar
  [ERROR] urls[3] = 
file:/<>/debian/maven-repo/org/codehaus/plexus/plexus-utils/2.x/plexus-utils-2.x.jar
  [ERROR] urls[4] = 
file:/<>/debian/maven-repo/org/sonatype/plexus/plexus-build-api/debian/plexus-build-api-debian.jar
  [ERROR] urls[5] = 
file:/<>/debian/maven-repo/org/apache/tiles/tiles-autotag-core/debian/tiles-autotag-core-debian.jar
  [ERROR] urls[6] = 
file:/<>/debian/maven-repo/com/thoughtworks/qdox/qdox/debian/qdox-debian.jar
  [ERROR] urls[7] = 
file:/<>/debian/maven-repo/org/apache/tiles/tiles-autotag-core-runtime/debian/tiles-autotag-core-runtime-debian.jar
  [ERROR] urls[8] = 
file:/<>/debian/maven-repo/org/apache/velocity/velocity/debian/velocity-debian.jar
  [ERROR] urls[9] = 
file:/<>/debian/maven-repo/commons-collections/commons-collections/3.x/commons-collections-3.x.jar
  [ERROR] urls[10] = 
file:/<>/debian/maven-repo/commons-lang/commons-lang/debian/commons-lang-debian.jar
  [ERROR] urls[11] = 
file:/<>/debian/maven-repo/com/thoughtworks/xstream/xstream/debian/xstream-debian.jar
  [ERROR] urls[12] = 
file:/<>/debian/maven-repo/xpp3/xpp3/debian/xpp3-debian.jar
  [ERROR] urls[13] = 
file:/<>/debian/maven-repo/org/apache/tiles/tiles-autotag-jsp/debian/tiles-autotag-jsp-debian.jar
  [ERROR] urls[14] = 
file:/<>/debian/maven-repo/org/codehaus/plexus/plexus-interpolation/debian/plexus-interpolation-debian.jar
  [ERROR] urls[15] = 
file:/<>/debian/maven-repo/org/codehaus/plexus/plexus-sec-dispatcher/debian/plexus-sec-dispatcher-debian.jar
  [ERROR] urls[16] = 
file:/<>/debian/maven-repo/org/codehaus/plexus/plexus-cipher/debian/plexus-cipher-debian.jar
  [ERROR] urls[17] = 
file:/<>/debian/maven-repo/org/apache/maven/maven-builder-support/3.x/maven-builder-support-3.x.jar
  [ERROR] urls[18] = 
file:/<>/debian/maven-repo/org/apache/maven/resolver/maven-resolver-util/debian/maven-resolver-util-debian.jar
  [ERROR] urls[19] = 
file:/<>/debian/maven-repo/org/apache/maven/shared/maven-shared-utils/debian/maven-shared-utils-debian.jar
  [ERROR] urls[20] = 
file:/<>/debian/maven-repo/commons-io/commons-io/debian/commons-io-debian.jar
  [ERROR] urls[21] = 
file:/<>/debian/maven-repo/org/eclipse/sisu/org.eclipse.sisu.inject/debian/org.eclipse.sisu.inject-debian.jar
  [ERROR] urls[22] = 
file:/<>/debian/maven-repo/com/google/inject/guice/debian/guice-debian-no_aop.jar
  [ERROR] urls[23] = 
file:/<>/debian/maven-repo/aopalliance/aopalliance/debian/aopalliance-debian.jar
  [ERR

Processed: Bug#1035978 marked as pending in python-glance-store

2023-05-12 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #1035978 [python3-glance-store] CVE-2023-2088: Unauthorized volume access 
through deleted volume attachments
Ignoring request to alter tags of bug #1035978 to the same tags previously set

-- 
1035978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1035978: marked as pending in python-glance-store

2023-05-12 Thread Thomas Goirand
Control: tag -1 pending

Hello,

Bug #1035978 in python-glance-store reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/libs/python-glance-store/-/commit/4478fea6a70a174d0ca5f642c77c88fd5d7e9c86


* CVE-2023-2088: Unauthorized volume access through deleted volume
attachments. Applied upstream patch: Add force to os-brick disconnect.
(Closes: #1035978).


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1035978



Bug#1035978: marked as pending in python-glance-store

2023-05-12 Thread Thomas Goirand
Control: tag -1 pending

Hello,

Bug #1035978 in python-glance-store reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/libs/python-glance-store/-/commit/f4b953f6b9f16f34c9a8b0a5c31354c5e32b8372


* CVE-2023-2088: Unauthorized volume access through deleted volume
attachments. Applied upstream patch: Add force to os-brick disconnect.
(Closes: #1035978).


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1035978




Bug#1035979: redmine-plugin-pretend: fails to install: rake aborted! LoadError: cannot load such file -- redmine_pretend

2023-05-12 Thread Andreas Beckmann
Package: redmine-plugin-pretend
Version: 0.0.2+git20130821-5
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package failed to install. As
per definition of the release team this makes the package too buggy for
a release, thus the severity.

From the attached log (scroll to the bottom...):

...
  Setting up redmine (5.0.4-5) ...
  [ESC][33mDon't run Bundler as root. Bundler can ask for sudo if it is needed, 
and
  installing your bundle as root will break this application for all non-root
  users on this machine.[ESC][0m
  dbconfig-common: writing config to 
/etc/dbconfig-common/redmine/instances/default.conf

  Creating config file /etc/dbconfig-common/redmine/instances/default.conf with 
new version

  Creating config file /etc/redmine/default/database.yml with new version
  creating database redmine_default: success.
  verifying database redmine_default exists: success.
  rake aborted!
  LoadError: cannot load such file -- redmine_pretend
  
/usr/share/rubygems-integration/all/gems/zeitwerk-2.6.1/lib/zeitwerk/kernel.rb:35:in
 `require'
  
/usr/share/rubygems-integration/all/gems/zeitwerk-2.6.1/lib/zeitwerk/kernel.rb:35:in
 `require'
  /usr/share/redmine/plugins/redmine_pretend/init.rb:1:in `'
  /usr/share/redmine/lib/redmine/plugin_loader.rb:31:in `load'
  /usr/share/redmine/lib/redmine/plugin_loader.rb:31:in `run_initializer'
  /usr/share/redmine/lib/redmine/plugin_loader.rb:108:in `each'
  /usr/share/redmine/lib/redmine/plugin_loader.rb:108:in `block in load'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/callbacks.rb:427:in
 `instance_exec'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/callbacks.rb:427:in
 `block in make_lambda'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/callbacks.rb:198:in
 `block (2 levels) in halting'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/callbacks.rb:604:in
 `block (2 levels) in default_terminator'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/callbacks.rb:603:in
 `catch'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/callbacks.rb:603:in
 `block in default_terminator'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/callbacks.rb:199:in
 `block in halting'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/callbacks.rb:512:in
 `block in invoke_before'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/callbacks.rb:512:in
 `each'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/callbacks.rb:512:in
 `invoke_before'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/callbacks.rb:105:in
 `run_callbacks'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/reloader.rb:88:in
 `prepare!'
  
/usr/share/rubygems-integration/all/gems/railties-6.1.7.3/lib/rails/application/finisher.rb:124:in
 `block in '
  
/usr/share/rubygems-integration/all/gems/railties-6.1.7.3/lib/rails/initializable.rb:32:in
 `instance_exec'
  
/usr/share/rubygems-integration/all/gems/railties-6.1.7.3/lib/rails/initializable.rb:32:in
 `run'
  
/usr/share/rubygems-integration/all/gems/railties-6.1.7.3/lib/rails/initializable.rb:61:in
 `block in run_initializers'
  
/usr/share/rubygems-integration/all/gems/railties-6.1.7.3/lib/rails/initializable.rb:60:in
 `run_initializers'
  
/usr/share/rubygems-integration/all/gems/railties-6.1.7.3/lib/rails/application.rb:391:in
 `initialize!'
  /usr/share/redmine/config/environment.rb:16:in `'
  
/usr/share/rubygems-integration/all/gems/zeitwerk-2.6.1/lib/zeitwerk/kernel.rb:35:in
 `require'
  
/usr/share/rubygems-integration/all/gems/zeitwerk-2.6.1/lib/zeitwerk/kernel.rb:35:in
 `require'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/dependencies.rb:332:in
 `block in require'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/dependencies.rb:299:in
 `load_dependency'
  
/usr/share/rubygems-integration/all/gems/activesupport-6.1.7.3/lib/active_support/dependencies.rb:332:in
 `require'
  
/usr/share/rubygems-integration/all/gems/railties-6.1.7.3/lib/rails/application.rb:367:in
 `require_environment!'
  
/usr/share/rubygems-integration/all/gems/railties-6.1.7.3/lib/rails/application.rb:533:in
 `block in run_tasks_blocks'
  Tasks: TOP => db:migrate => db:load_config => environment
  (See full trace by running task with --trace)
  dpkg: error processing package redmine (--configure):
   installed redmine package post-installation script subprocess returned error 
exit status 1
  dpkg: dependency problems prevent configuration of redmine-plugin-pretend:
   redmine-plugin-pretend depends on redmine (>= 4~); h


Bug#1035978: marked as pending in python-glance-store

2023-05-12 Thread Thomas Goirand
Control: tag -1 pending

Hello,

Bug #1035978 in python-glance-store reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/libs/python-glance-store/-/commit/7e272c6e31442a2cbd321cebda2fd95a23dde492


* CVE-2023-2088: Unauthorized volume access through deleted volume
attachments. Applied upstream patch: Add force to os-brick disconnect.
(Closes: #1035978).


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1035978



Bug#1035978: marked as pending in python-glance-store

2023-05-12 Thread Thomas Goirand
Control: tag -1 pending

Hello,

Bug #1035978 in python-glance-store reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/libs/python-glance-store/-/commit/100f9981489cd8dd09086538b6c4a4298e5011f9


* CVE-2023-2088: Unauthorized volume access through deleted volume
attachments. Applied upstream patch: Add force to os-brick disconnect.
(Closes: #1035978).


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1035978



Processed: Bug#1035978 marked as pending in python-glance-store

2023-05-12 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #1035978 [python3-glance-store] CVE-2023-2088: Unauthorized volume access 
through deleted volume attachments
Added tag(s) pending.

-- 
1035978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Bug#1011597 marked as pending in tiles

2023-05-12 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #1011597 [src:tiles] tiles: FTBFS with OpenJDK 17 due to an illegal 
reflective access in maven-autotag-plugin
Added tag(s) pending.

-- 
1011597: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011597
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1011597: marked as pending in tiles

2023-05-12 Thread Emmanuel Bourg
Control: tag -1 pending

Hello,

Bug #1011597 in tiles reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/tiles/-/commit/30d709f2a8c99607e4376671491fa5a1117bcc4d


Fixed the build failure with Java 17 (Closes: #1011597)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1011597