
Bug#1036089: marked as done (unblock: python-os-brick/6.1.0-3 python-glance-store/4.1.0-4 nova/2:26.1.0-4 cinder/2:21.1.0-3 (CVE-2023-2088))



Your message dated Tue, 16 May 2023 20:06:31 +0000
with message-id <E1pz0wJ-003rYA-Sv@respighi.debian.org>
and subject line unblock python-os-brick
has caused the Debian Bug report #1036089,
regarding unblock: python-os-brick/6.1.0-3 python-glance-store/4.1.0-4 nova/2:26.1.0-4 cinder/2:21.1.0-3 (CVE-2023-2088)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1036089: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036089
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: python-os-brick@packages.debian.org
Control: affects -1 + src:python-os-brick

Dear release team,
Please unblock package python-os-brick, python-glance-store, cinder and
nova.

[ Reason ]
When using the LVM / iSCSI backend of Cinder, under some circumstances,
it may be possible for a user to access the data of a volume from another
user. Glance, Cinder and Nova are affected, through the common library
python-os-brick (that is the glue between them).

The change is adding a "force_disconnect" in the Cinder API, and checking
that users are allowed to destroy volume exports.

[ Impact ]
See CVE-2023-2088 (that I'm copy/pasting here...):

**Accidental case:** If there is a problem with network connectivity
during a normal detach operation, OpenStack may fail to clean the
situation up properly. Instead of force-detaching the compute node
device, Nova ignores the error, assuming the instance has already
been deleted. Due to this incomplete operation OpenStack may end up
selecting the wrong multipath device when connecting another volume
to an instance.

**Intentional case:** A regular user can create an instance with a
volume, and then delete the volume attachment directly in Cinder,
which neglects to notify Nova. The compute node SCSI plumbing (over
iSCSI/FC) will continue trying to connect to the original
host/port/LUN, not knowing the attachment has been deleted. If a
subsequent volume attachment re-uses the host/port/LUN for a
different instance and volume, the original instance will gain
access to it once the SCSI plumbing reconnects.

[ Tests ]
Unit tests are run during package build, and with autopkgtest.
Upstream runs an extensive set of functional tests.

[ Risks ]
Considering the amount of testing in OpenStack, the risks are
always mitigated, and it should be safe from regressions.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Note that I've added a diff of the 4 packages in a tarball attached
to this message.

Please also note that I made a mistake in the python-os-brick upload, using
the wrong CVE number (i.e. CVE-2023-30861 instead of CVE-2023-2088).
If you think I should re-upload to fix only that, please let me know.

Cheers,

Thomas Goirand (zigo)

unblock python-os-brick/6.1.0-3
python-glance-store/4.1.0-4
nova/2:26.1.0-4
cinder/2:21.1.0-3

Attachment: all-diff.tar.gz
Description: application/gzip


--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---