Debian Patches

Status for cinder/2:21.3.1-1~deb12u1

Patch Description Author Forwarded Bugs Origin Last update
install-missing-files.patch Install missing files Thomas Goirand <zigo@debian.org> not-needed 2016-03-22
do-not-use-urllib3-from-botocore.patch Do not use urllib3 from botocore Cinder is using urllib3 vendored version from botocore, which we unvendor
in Debian.
Thomas Goirand <zigo@debian.org> no 2021-03-27
remove-test_backup_s3.patch Remove test_backup_s3.py This unit test file is using the moto library which we cannot package in
Debian because it depends on "jose" which is Python 2 only.
Thomas Goirand <zigo@debian.org> no 2021-03-27
py3.11-test_rbd_iscsi_Make_tests_compatible_with_python.patch test_rbd_iscsi: Make tests compatible with python 3.11 This makes these tests work in Python 3.11.
.
Also includes a few cleanups such as reducing storing
the driver in "self", and removal of unneeded fakes code
for rbd_iscsi_client.
Eric Harney <eharney@redhat.com> no 2023-01-05
add-params-thin_provisioning-equal-one.patch Add "params thin_provisioning=1" in tgt export Add 'params thin_provisioning=1' in iscsi volume export
to allow fstrim to work with the lvm backend.
Thomas Goirand <zigo@debian.org> yes 2023-12-04
cve-2024-32498-cinder-stable-2023.1.patch [PATCH] CVE-2024-32498: Check for external qcow2 data file
Adds code to image_utils to check for a qcow2 external data
file, a recent feature of qemu which we do not support and
which can be used maliciously.

Advice from the qemu-img community is that it is dangerous
to call qemu-img info on untrusted files, so we copy over
the format_inspector module from Glance. This performs basic
analysis on the image data file so we can detect problematic
images before we call qemu-img info to get all the image
attributes. It is expected that this code will eventually be
added to oslo so it can be consumed by Glance, Cinder, and
Nova.

Because cinder itself may create qcow2 format images with a
backing file in nfs-based backends, the glance format_inspector
has been modified to optionally allow such files. Since we are
monkeying with the format_inspector code, we also copy over
its unit tests to prevent regressions and to add tests for the
changed code.

Includes an additional fix to prevent an issue where a user
could mount a raw volume and write a qcow2 header with a larger
virtual size on it. On reattaching the volume it would have the
new larger virtual size avaialable without actually changing
the size value in cinder. While we cannot prevent this we can
prevent the user from using this volume again, which makes this
exploit pointless.


(cherry picked from commit b207be3278f3dab6cfe945bd3d307db168f6f6c7)
(cherry picked from commit fe0940994ca93344c4d4a9923471ada6fb3a38ef)
(cherry picked from commit c7fbbba552ea8080965fccbabb4f54855651e7b9)
Brian Rosmaita <rosmaita.fossdev@gmail.com> no 2024-06-26

All known versions for source package 'cinder'

Links