
Bug#1112282: trixie-pu: package watcher/14.0.0-2



Hi,

On Thu, Aug 28, 2025 at 09:59:51AM +0200, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: watcher@packages.debian.org
> Control: affects -1 + src:watcher
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> [ Reason ]
> I'd like to fix: https://bugs.debian.org/1111692
> in Trixie. This is a vulnerability where an OpenStack volume
> may be mounted to a wrong VM.
> 
> [ Impact ]
> Someone could access the volume of another tenant in an
> OpenStack deployment.
> 
> [ Tests ]
> Upstream has intensive unit and functional tests. I use it
> too with the packaged version (that's on top of unit tests
> at build time and in autopkgtest).
> 
> [ Risks ]
> Not much risk thanks to testing.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> Please allow me to upload watcher/14.0.0-2+deb13u1 to Trixie
> proposed-updates as per attached debdiff.
> 
> Cheers,
> 
> Thomas Goirand (zigo)
> 
> P.S: I'm following-up with the same request for Nova, as
> both have fixes for OSSN-0094.

> diff -Nru watcher-14.0.0/debian/changelog watcher-14.0.0/debian/changelog
> --- watcher-14.0.0/debian/changelog	2025-07-11 14:45:24.000000000 +0200
> +++ watcher-14.0.0/debian/changelog	2025-08-21 10:27:37.000000000 +0200
> @@ -1,3 +1,15 @@
> +watcher (14.0.0-2+deb13u1) trixie; urgency=high
> +
> +  * A vulnerability has been identified in OpenStack Nova and OpenStack Watcher
> +    in conjunction with volume swap operations performed by the Watcher
> +    service. Under specific circumstances, this can lead to a situation where
> +    two Nova libvirt instances could reference the same block device, allowing
> +    accidental information disclosure to the unauthorized instance. Added
> +    upstream patch: OSSN-0094_use_cinder_migrate_for_swap_volume.patch.
> +    (Closes: #1111692).
> +
> + -- Thomas Goirand <zigo@debian.org>  Thu, 21 Aug 2025 10:27:37 +0200
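Review bot: the quoted debdiff contains only the debian/changelog hunk, while the changelog entry itself says an upstream patch, OSSN-0094_use_cinder_migrate_for_swap_volume.patch, was added; no hunk for debian/patches/series or for the patch file is visible here, so the fix cannot be reviewed from this excerpt and the complete debdiff should be attached or re-sent. The hunk header (@@ -1,3 +1,15 @@) also shows the new entry stacked on the existing top entry, which is where the 14.0.0-2 vs 14.0.0-1 base-version question comes from; the changelog stanza should be regenerated once the correct base is settled.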

Something is odd here: trixie has 14.0.0-1, so I believe the update
should be based on top of 14.0.0-1 and versioned 14.0.0-1+deb13u1?

Or can you argue why it should be based on top of 14.0.0-2, which
did hit unstable back then but was not moved to trixie, i.e. are those
changes needed in the point release update?

Regards,
Salvatore

