Bug#1112282: trixie-pu: package watcher/14.0.0-2
Hi Thomas,
On Fri, Aug 29, 2025 at 04:19:14PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Thu, Aug 28, 2025 at 09:59:51AM +0200, Thomas Goirand wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: trixie
> > X-Debbugs-Cc: watcher@packages.debian.org
> > Control: affects -1 + src:watcher
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> >
> > Hi,
> >
> > [ Reason ]
> > I'd like to fix: https://bugs.debian.org/1111692
> > in Trixie. This is a vulnerability where an OpenStack volume
> > may be mounted to a wrong VM.
> >
> > [ Impact ]
> > Someone could access the volume of another tenant in an
> > OpenStack deployment.
> >
> > [ Tests ]
> > Upstream has intensive unit and functional tests. I use it
> > too with the packaged version (that's on top of unit tests
> > at build time and in autopkgtest).
> >
> > [ Risks ]
> > Not much risk thanks to testing.
> >
> > [ Checklist ]
> > [x] *all* changes are documented in the d/changelog
> > [x] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in (old)stable
> > [x] the issue is verified as fixed in unstable
> >
> > Please allow me to upload watcher/14.0.0-2+deb13u1 to Trixie
> > proposed-updates as per attached debdiff.
> >
> > Cheers,
> >
> > Thomas Goirand (zigo)
> >
> > P.S: I'm following-up with the same request for Nova, as
> > both have fixes for OSSN-0094.
>
> > diff -Nru watcher-14.0.0/debian/changelog watcher-14.0.0/debian/changelog
> > --- watcher-14.0.0/debian/changelog 2025-07-11 14:45:24.000000000 +0200
> > +++ watcher-14.0.0/debian/changelog 2025-08-21 10:27:37.000000000 +0200
> > @@ -1,3 +1,15 @@
> > +watcher (14.0.0-2+deb13u1) trixie; urgency=high
> > +
> > + * A vulnerability has been identified in OpenStack Nova and OpenStack Watcher
> > + in conjunction with volume swap operations performed by the Watcher
> > + service. Under specific circumstances, this can lead to a situation where
> > + two Nova libvirt instances could reference the same block device, allowing
> > + accidental information disclosure to the unauthorized instance. Added
> > + upstream patch: OSSN-0094_use_cinder_migrate_for_swap_volume.patch.
> > + (Closes: #1111692).
> > +
> > + -- Thomas Goirand <zigo@debian.org> Thu, 21 Aug 2025 10:27:37 +0200
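Review bot: the changelog entry names only the patch file `OSSN-0094_use_cinder_migrate_for_swap_volume.patch` and gives no upstream commit or advisory URL for OSSN-0094, so the backport cannot be traced to its source from the changelog alone; add the upstream commit reference (or the OSSN-0094 link) to the entry. Note also that the debdiff as quoted here contains only the `debian/changelog` hunk: the new patch file itself and the `debian/patches/series` line that applies it are not visible, and the entry is versioned `14.0.0-2+deb13u1` while the hunk header `@@ -1,3 +1,15 @@` shows it stacked on top of the existing unstable changelog rather than on the version currently in trixie, which is the point raised below.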
>
> Something is odd here: trixie has 14.0.0-1, so I believe the update
> should be based on top of 14.0.0-1 and versioned 14.0.0-1+deb13u1?
>
> Or can you argue why it should be based on top of the 14.0.0-2 which
> did back then hit unstable but not moved to trixie, i.e. are those
> changes needed in the point release update?
Any news here?
Regards,
Salvatore