| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| install-missing-files.patch | Install missing files | Thomas Goirand <zigo@debian.org> | not-needed | | | 2016-03-22 |
| do-not-use-urllib3-from-botocore.patch | Do not use urllib3 from botocore. Cinder is using the urllib3 vendored version from botocore, which we unvendor in Debian. | Thomas Goirand <zigo@debian.org> | no | | | 2021-03-27 |
| remove-test_backup_s3.patch | Remove test_backup_s3.py. This unit test file is using the moto library, which we cannot package in Debian because it depends on "jose", which is Python 2 only. | Thomas Goirand <zigo@debian.org> | no | | | 2021-03-27 |
| py3.11-test_rbd_iscsi_Make_tests_compatible_with_python.patch | test_rbd_iscsi: Make tests compatible with python 3.11. This makes these tests work in Python 3.11. Also includes a few cleanups such as reducing storing the driver in "self", and removal of unneeded fakes code for rbd_iscsi_client. | Eric Harney <eharney@redhat.com> | no | | | 2023-01-05 |
| CVE-2023-2088_Reject_unsafe_delete_attachment_calls.patch | [PATCH] Reject unsafe delete attachment calls. Due to how the Linux SCSI kernel driver works there are some storage systems, such as iSCSI with shared targets, where a normal user can access other projects' volume data connected to the same compute host using the attachments REST API. This affects both single and multi-pathed connections. To prevent users from doing this, unintentionally or maliciously, cinder-api will now reject some delete attachment requests that are deemed unsafe. Cinder will process the delete attachment request normally in the following cases: the request comes from an OpenStack service that is sending the service token that has one of the roles in `service_token_roles`; the attachment doesn't have an instance_uuid value; the instance for the attachment doesn't exist in Nova; according to Nova the volume is not connected to the instance; Nova is not using this attachment record. There are 3 operations in the actions REST API endpoint that can be used for an attack: `os-terminate_connection` (Terminate volume attachment available at), `os-detach` (Detach a volume), `os-force_detach` (Force detach a volume). In this endpoint we just won't allow anything that is not coming from a service. This should not be a problem because Cinder backup doesn't use the REST API but RPC calls via RabbitMQ, and Glance doesn't use this interface. Checking whether it's a service or not is done at the cinder-api level by checking that the service user that made the call has at least one of the roles in the `service_token_roles` configuration. These roles are retrieved from keystone by the keystone middleware using the value of the "X-Service-Token" header. If Cinder is configured with `service_token_roles_required = true` and an attacker provides non-service valid credentials the service will return a 401 error, otherwise it'll return 409 as if a normal user had made the call without the service token. (cherry picked from commit 6df1839bdf288107c600b3e53dff7593a6d4c161) Conflicts: cinder/exception.py (cherry picked from commit dd6010a9f7bf8cbe0189992f0848515321781747) | Gorka Eguileor <geguileo@redhat.com> | no | | | 2023-02-16 |