Format: 1.8
Date: Fri, 27 Jan 2023 11:32:53 +0100
Source: nova
Architecture: source
Version: 2:18.1.0-6+deb10u2
Distribution: buster-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1029561
Changes:
 nova (2:18.1.0-6+deb10u2) buster-security; urgency=medium
 .
   * CVE-2022-47951: By supplying a specially created VMDK flat image which
     references a specific backing file path, an authenticated user may
     convince systems to return a copy of that file's contents from the
     server resulting in unauthorized access to potentially sensitive data.
     Add upstream patches (Closes: #1029561):
     - cve-2022-47951-nova-stable-rocky.patch
     - images_Make_JSON_the_default_output_format_of_calls_to_qemu-img_info.patch
     - images_Move_qemu-img_info_calls_into_privsep.patch
   * Fixed minimum version of python3-oslo.utils (>= 3.36.5-0+deb10u3~),
     required by the above CVE patch.
   * Build-depends on qemu-utils (needed for new tests).
   * Blacklist non-working tests:
     - test_convert_image_with_prlimit_fail
     - test_qemu_img_info_with_disk_not_found
     - test_create_cow_image