Debian Patches

Status for glance/2:21.0.0-2+deb11u1

Patch Description Author Forwarded Bugs Origin Last update
sql_conn-registry.patch Fixes default connection in glance-registry.conf & glance-api.conf
===================================================================
Thomas Goirand <zigo@debian.org> no 2014-04-15
missing-files.patch package missing files Thomas Goirand <zigo@debian.org> not-needed 2017-10-08
cve-2022-47951-glance-stable-victoria.patch CVE-2022-47951: Enforce image safety during image_conversion This does two things:
.
1. It makes us check that the QCOW backing_file is unset on those
types of images. Nova and Cinder do this already to prevent an
arbitrary (and trivial to accomplish) host file exposure exploit.
2. It makes us restrict VMDK files to only allowed subtypes. These
files can name arbitrary files on disk as extents, providing the
same sort of attack. Default that list to just the types we believe
are actually useful for openstack, and which are monolithic.
.
The configuration option to specify allowed subtypes is added in
glance's config and not in the import options so that we can extend
this check later to image ingest. The format_inspector can tell us
what the type and subtype is, and we could reject those images early
and even in the case where image_conversion is not enabled.

diff --git a/glance/async_/flows/plugins/image_conversion.py b/glance/async_/flows/plugins/image_conversion.py
index a5165b0ab..8a6c759c6 100644
Dan Smith <dansmith@redhat.com> yes upstream upstream, https://review.opendev.org/c/openstack/glance/+/871623 2022-01-18

All known versions for source package 'glance'

Links