Bug#992330: bullseye-pu: package nova/22.2.2-1+deb11u1 (CVE-2021-3654)



Control: tag -1 moreinfo

Hi Thomas,

On Tue, Aug 17, 2021 at 12:57:50PM +0200, Thomas Goirand wrote:
> Also, I would like to get Nova upgraded to the latest point
> release, to fix numerous small issues. The release notes for
> Nova are there:
> 
> https://docs.openstack.org/releasenotes/nova/victoria.html
> 
That looks incomplete?  Please include a complete description of the
changes you want approved.

[...]
> [ Risks ]
> No risk during upgrade that I know of.
> 
That is... not reassuring.

> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [ ] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> The debdiff being too big, please find it, together with the
> built packages, at:
> http://shade.infomaniak.ch/bullseye-pu/nova/
> 
> [ Changes ]
> Here are the details of the debian/changelog explained.
> 
>    * Tune nova-api-{,metadata-}uwsgi.ini for performance.
> 
> This is a minor tweak to the uwsgi.ini default configuration,
> which I've started pushing on all OpenStack packages in Debian.
> It's only better with it...
> 
I don't think this is appropriate for stable.  There's no information on
what environment(s) this is tuned for, or benchmarked in.

>    * New upstream release.
> 
> See above.
> 
I'll reserve my opinion on that until we have a better description of
the changes.  It seems plausible, broadly.

>    * CVE-2021-3654: novnc allows open redirection. Added upstream patch:
>      Reject_open_redirection_in_the_console_proxy.patch (Closes: #991441).
> 
> This addresses the main issue that mandates the pu.
> 
>    * Do not maintain glance_api_servers through debconf (as the default of
>      reading its URL in the Keystone catalogue is better).
> 
> This avoids tweaking nova.conf on upgrades, which could otherwise
> potentially destroy one's deployment. Indeed, one very valid (and in
> fact recommended) way to deploy, is to *NOT* set the glance_api_servers
> directive. With the debconf code, this forces having something. After
> removing the debconf integration for this directive, upgrade to the
> proposed update isn't breaking deployments anymore, while leaving already
> configured glance_api_servers alone (so not destroying anyone's setup).
> 
Shouldn't nova/glance_api_servers be cleaned up from the debconf
database if it's no longer used?  I'm also not convinced this is
appropriate for stable.

Cheers,
Julien
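The thread names CVE-2021-3654 only through the title of the upstream patch, "Reject open redirection in the console proxy". As an added illustration, not nova's code and not the upstream patch, the Python below models the directory-redirect step of http.server.SimpleHTTPRequestHandler (the stdlib base class that websockify-based proxies such as nova's console proxy build on) and shows why a request path beginning with "//" turns that redirect into an off-site one, beside the reject check the patch title describes. The inputs are constructed, the served-directory resolution is modelled with pure functions instead of the real handler, and the assumption that the served root is the only existing directory is mine.

```python
# Added example, not nova's code and not the upstream patch: a pure-Python
# model of the directory-redirect step in http.server.SimpleHTTPRequestHandler
# (the base class that websockify-based proxies such as nova's console proxy
# build on), showing how a request path that starts with '//' turns that
# redirect into an open redirect, and the reject check that closes it.
# All inputs below are constructed; nothing touches the network or disk.
import os
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit, urlunsplit


def translated_components(request_path: str) -> List[str]:
    """Reduce a request path to filesystem components under the served root,
    the way SimpleHTTPRequestHandler.translate_path does: drop query and
    fragment, percent-decode, POSIX-normalise, then ignore '.', '..' and
    anything that is not a bare name.  An empty list means the served root
    itself, which is a directory, so the handler takes its redirect branch."""
    path = request_path.split('?', 1)[0].split('#', 1)[0]
    path = posixpath.normpath(unquote(path))
    return [w for w in path.split('/')
            if w and not os.path.dirname(w) and w not in (os.curdir, os.pardir)]


def stdlib_redirect_location(request_path: str) -> Optional[str]:
    """Location header the stdlib computes for a directory request lacking a
    trailing slash (None when the path already ends with '/').  It rebuilds the
    URL from urlsplit() parts, and urlsplit('//evil.example/x') files
    'evil.example' under netloc, so the leading slashes survive into the header."""
    parts = urlsplit(request_path)
    if parts.path.endswith('/'):
        return None
    return urlunsplit((parts[0], parts[1], parts[2] + '/', parts[3], parts[4]))


def is_protocol_relative(request_path: str) -> bool:
    """The check in the shape the patch title describes (my reconstruction, not
    the patch text): a raw request path that starts with '//' would be echoed
    back as '//host/...', which browsers resolve as scheme-relative, i.e. to
    another host."""
    return request_path.startswith('//')


def vulnerable_directory_redirect(request_path: str) -> Tuple[int, Optional[str]]:
    """Model of the unpatched handler under the constructed assumption that the
    served root exists and no other directory does: (301, Location) when the
    translated path is the root and lacks a trailing slash, else (200, None)."""
    if translated_components(request_path) == []:
        location = stdlib_redirect_location(request_path)
        if location is not None:
            return 301, location
    return 200, None


def hardened_directory_redirect(request_path: str) -> Tuple[int, Optional[str]]:
    """Same model with the reject check applied first: (400, None) for a
    protocol-relative path, so no Location header is ever built from it."""
    if is_protocol_relative(request_path):
        return 400, None  # e.g. "URI must not start with //"
    return vulnerable_directory_redirect(request_path)


if __name__ == "__main__":
    # '%2F..' decodes to '/..' and normalises the path back to the served
    # root, so the directory test passes and the redirect branch runs.
    payload = "//evil.example/%2F.."
    print(vulnerable_directory_redirect(payload))        # (301, '//evil.example/%2F../')
    print(hardened_directory_redirect(payload))          # (400, None)
    print(hardened_directory_redirect("/vnc_auto.html"))  # (200, None)
```

The check has to look at the raw request line: after urlsplit() the slashes are gone from .path and the host sits in .netloc, which is exactly how the redirect target escapes the local server. Rejecting with 400 is the approach the patch title describes; recent CPython releases instead collapse a leading "//" to "/" in BaseHTTPRequestHandler.parse_request before the handler sees the path. Either closes this class of bug for the directory redirect, but any other code that reflects self.path into a Location header needs the same care.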