Bug#992330: bullseye-pu: package nova/22.2.2-1+deb11u1 (CVE-2021-3654)
Control: tag -1 moreinfo
Hi Thomas,
On Tue, Aug 17, 2021 at 12:57:50PM +0200, Thomas Goirand wrote:
> Also, I would like to get Nova upgraded to the latest point
> release, to fix numerous small issues. The release notes for
> Nova are there:
>
> https://docs.openstack.org/releasenotes/nova/victoria.html
>
That looks incomplete? Please include a complete description of the
changes you want approved.
[...]
> [ Risks ]
> No risk during upgrade that I know of.
>
That is... not reassuring.
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [ ] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> The debdiff being too big, please find it, together with the
> built packages, at:
> http://shade.infomaniak.ch/bullseye-pu/nova/
>
> [ Changes ]
> Here are the details of the debian/changelog, explained.
>
> * Tune nova-api-{,metadata-}uwsgi.ini for performance.
>
> This is a minor tweak to the uwsgi.ini default configuration,
> which I've started pushing on all OpenStack packages in Debian.
> It's only better with it...
>
I don't think this is appropriate for stable. There's no information on
what environment(s) this is tuned for, or benchmarked in.
> * New upstream release.
>
> See above.
>
I'll reserve my opinion on that until we have a better description of
the changes. It seems plausible, broadly.
> * CVE-2021-3654: novnc allows open redirection. Added upstream patch:
> Reject_open_redirection_in_the_console_proxy.patch (Closes: #991441).
>
> This addresses the main issue that mandates the pu.
>
> * Do not maintain glance_api_servers through debconf (as the default of
> reading its URL in the Keystone catalogue is better).
>
> This avoids tweaking nova.conf on upgrades, which could otherwise
> potentially destroy one's deployment. Indeed, one very valid (and in
> fact recommended) way to deploy is to *NOT* set the glance_api_servers
> directive. With the debconf code, this forces having something. After
> removing the debconf integration for this directive, upgrade to the
> proposed update isn't breaking deployments anymore, while leaving already
> configured glance_api_servers alone (so not destroying anyone's setup).
>
Shouldn't nova/glance_api_servers be cleaned up from the debconf
database if it's no longer used? I'm also not convinced this is
appropriate for stable.
Cheers,
Julien
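As an added illustration of the bug class behind CVE-2021-3654 (example code written for this note, not nova's patch and not anything from the bug report): a static-file handler that builds its trailing-slash redirect from the raw request path can be made to emit a protocol-relative Location header, which browsers follow to another host; the guard below refuses to send such a redirect. The request paths and the hostname example.invalid are constructed for the test.

```python
from http import HTTPStatus
from typing import Optional, Tuple
from urllib.parse import urlsplit


def redirect_location(request_path: str) -> str:
    """Trailing-slash redirect target a naive static handler would emit.

    Hypothetical handler logic: it keeps whatever urlsplit parsed out of the
    request line, including a netloc that a leading '//' produces, and just
    appends '/'. That is how a directory redirect turns into an open redirect.
    """
    parts = urlsplit(request_path)
    location = parts.path + "/"
    if parts.netloc:
        # '//host' in the request line is parsed as a network location.
        location = "//" + parts.netloc + location
    if parts.query:
        location += "?" + parts.query
    return location


def is_protocol_relative(location: str) -> bool:
    """Browsers interpret 'Location: //host/x' as 'http(s)://host/x'."""
    return location.startswith("//")


def handle_directory_request(request_path: str) -> Tuple[int, Optional[str]]:
    """Return (status, location) for a directory requested without a slash.

    Mitigation: a redirect target that would leave the proxy's own origin is
    refused with 400 instead of being sent to the client.
    """
    location = redirect_location(request_path)
    if is_protocol_relative(location):
        return HTTPStatus.BAD_REQUEST, None
    return HTTPStatus.MOVED_PERMANENTLY, location


if __name__ == "__main__":
    # Constructed sample request paths; the second is the dangerous shape.
    for path in ("/static", "//example.invalid", "//example.invalid/x?a=1"):
        print(path, "->", handle_directory_request(path))
```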