Debian Patches
Status for glance/2:32.0.0~rc1-4
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| OSSA-2026-004_Fix_SSRF_vulnerabilities_in_image_import_API.patch | OSSA-2026-004: Fix SSRF vulnerabilities in image import API. Fixes Server-Side Request Forgery (SSRF) vulnerabilities in Glance's image import functionality that could allow attackers to bypass URL validation and access internal resources. The fix includes: IP address validation using Python's ipaddress module to reject encoded IP formats (decimal, hexadecimal, octal) that could bypass blacklist checks; HTTP redirect validation for web-download, glance-download and OVF processing to prevent redirect-based SSRF attacks; URI validation for OVF processing, which previously had no protection. The implementation relies on the built-in ipaddress module, which rejects all non-standard IP encodings and accepts only standard formats, providing robust protection against IP-encoding bypass attacks. | Abhishek Kekane <akekane@redhat.com> | yes | debian upstream | https://review.opendev.org/c/openstack/glance/+/981296 | 2026-03-19 |
| sql_conn-registry.patch | Fixes default connection in glance-registry.conf and glance-api.conf. | Thomas Goirand <zigo@debian.org> | no | | | 2014-04-15 |
| missing-files.patch | Package missing files. | Thomas Goirand <zigo@debian.org> | not-needed | | | 2026-03-14 |
| No_DNS_resolution_in_test.patch | No DNS resolution in test. This avoids DNS resolution during the unit tests test_utils.ImportURITestCase.test_ignored_filtering_options and test_utils.ImportURITestCase.test_validate_import_uri, which fail in downstream distributions that do not have Internet access when running tests. | Thomas Goirand <zigo@debian.org> | yes | | | 2026-03-20 |
All known versions for source package 'glance'
- 2:32.0.0~rc1-4 (experimental)
- 2:31.0.0-4 (sid)
- 2:31.0.0-2 (forky)
- 2:30.0.0-3 (trixie)
- 2:25.1.0-2+deb12u1 (bookworm-security, bookworm)
