Debian Patches

Status for glance/2:30.0.0-3+deb13u1

Patch: sql_conn-registry.patch
Description: Fixes default connection in glance-registry.conf & glance-api.conf
Author: Thomas Goirand <zigo@debian.org>
Forwarded: no
Last update: 2014-04-15

Patch: missing-files.patch
Description: package missing files
Author: Thomas Goirand <zigo@debian.org>
Forwarded: not-needed
Last update: 2017-10-08

Patch: CVE-2026-34881_OSSA-2026-004_Fix_SSRF_vulnerabilities_in_image_import_API.patch
Description: CVE-2026-34881 / OSSA-2026-004: Fix SSRF vulnerabilities in image import API

Fixed Server-Side Request Forgery (SSRF) vulnerabilities in Glance's image import functionality that could allow attackers to bypass URL validation and access internal resources.

The fix includes:
- IP address validation using Python's ipaddress module to reject encoded IP formats (decimal, hexadecimal, octal) that could bypass blacklist checks
- HTTP redirect validation for web-download, glance-download, and OVF processing to prevent redirect-based SSRF attacks
- URI validation for OVF processing which previously had no protection

The implementation uses Python's built-in ipaddress module which inherently rejects all non-standard IP encodings and only accepts standard formats, providing robust protection against IP encoding bypass attacks.

Author: Abhishek Kekane <akekane@redhat.com>
Forwarded: yes
Bugs: debian upstream
Origin: upstream, https://review.opendev.org/c/openstack/glance/+/981298
Last update: 2026-03-19
