diff -Nru python-glance-store-4.3.0/debian/changelog python-glance-store-4.3.0/debian/changelog
--- python-glance-store-4.3.0/debian/changelog 2023-02-23 01:20:12.000000000 +0000
+++ python-glance-store-4.3.0/debian/changelog 2023-05-31 19:46:12.000000000 +0000
@@ -1,8 +1,36 @@
-python-glance-store (4.3.0-0ubuntu1~bpo23.04.1~ppa202302222020) lunar; urgency=medium
+python-glance-store (4.3.0-0ubuntu1.3~bpo23.04.1~ppa202305311546) lunar; urgency=medium
 * No-change backport to lunar.
- -- Corey Bryant Wed, 22 Feb 2023 20:20:12 -0500
+ -- Corey Bryant Wed, 31 May 2023 15:46:12 -0400
+
+python-glance-store (4.3.0-0ubuntu1.3) lunar-security; urgency=medium
+
+ * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
+ - debian/patches/CVE-2023-2088.patch: Add force to os-brick
+ disconnect.
+ - CVE-2023-2088
+
+ -- Corey Bryant Wed, 31 May 2023 15:42:32 -0400
+
+python-glance-store (4.3.0-0ubuntu1.2) lunar-security; urgency=medium
+
+ * SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
+ - debian/patches/series: Do not apply CVE-2023-2088.patch until
+ patches are ready for all upstream OpenStack projects.
+ - CVE-2023-2088
+
+ -- Corey Bryant Thu, 18 May 2023 11:10:29 -0400
+
+python-glance-store (4.3.0-0ubuntu1.1) lunar-security; urgency=medium
+
+ * d/gbp.conf: Create stable/2023.1 branch.
+ * SECURITY UPDATE: Unauthorized File Access
+ - debian/patches/CVE-2023-2088.patch: Add force to os-brick
+ disconnect.
+ - CVE-2023-2088
+
+ -- Corey Bryant Thu, 04 May 2023 10:15:44 +0200
 python-glance-store (4.3.0-0ubuntu1) lunar; urgency=medium
diff -Nru python-glance-store-4.3.0/debian/gbp.conf python-glance-store-4.3.0/debian/gbp.conf
--- python-glance-store-4.3.0/debian/gbp.conf 2023-02-22 18:13:26.000000000 +0000
+++ python-glance-store-4.3.0/debian/gbp.conf 2023-05-31 19:42:32.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = master
+debian-branch = stable/2023.1
 upstream-tag = %(version)s
 pristine-tar = True
diff -Nru python-glance-store-4.3.0/debian/patches/CVE-2023-2088.patch python-glance-store-4.3.0/debian/patches/CVE-2023-2088.patch
--- python-glance-store-4.3.0/debian/patches/CVE-2023-2088.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-glance-store-4.3.0/debian/patches/CVE-2023-2088.patch 2023-05-31 19:42:32.000000000 +0000
@@ -0,0 +1,80 @@
+From a7eed0263e436f841a3c277e051bdc6d6e07447d Mon Sep 17 00:00:00 2001
+From: Brian Rosmaita
+Date: Tue, 18 Apr 2023 11:22:27 -0400
+Subject: [PATCH] Add force to os-brick disconnect
+
+In order to be sure that devices are being removed from the host,
+we should be using the 'force' parameter with os-brick's
+disconnect_volume() method.
+
+Closes-bug: #2004555
+Change-Id: I63d09ad9ef465bc154c85a9ea125449c039d1b90
+(cherry picked from commit 1d8033e54e009bbc4408f6e16aec4f6c01687c91)
+---
+ glance_store/_drivers/cinder/base.py | 3 ++-
+ glance_store/tests/unit/cinder/test_base.py | 2 +-
+ glance_store/tests/unit/cinder/test_cinder_base.py | 2 +-
+ releasenotes/notes/bug-2004555-4fd67fce86c07461.yaml | 11 +++++++++++
+ 4 files changed, 15 insertions(+), 3 deletions(-)
+ create mode 100644 releasenotes/notes/bug-2004555-4fd67fce86c07461.yaml
+
+diff --git a/glance_store/_drivers/cinder/base.py b/glance_store/_drivers/cinder/base.py
+index 20fb897..26d83f6 100644
+--- a/glance_store/_drivers/cinder/base.py
++++ b/glance_store/_drivers/cinder/base.py
+@@ -50,7 +50,8 @@ class BaseBrickConnectorInterface(object):
+ return device
+
+ def disconnect_volume(self, device):
+- self.conn.disconnect_volume(self.connection_info, device)
++ # Bug #2004555: use force so there aren't any leftovers
++ self.conn.disconnect_volume(self.connection_info, device, force=True)
+
+ def extend_volume(self):
+ self.conn.extend_volume(self.connection_info)
+diff --git a/glance_store/tests/unit/cinder/test_base.py b/glance_store/tests/unit/cinder/test_base.py
+index 488cf1a..7c0add5 100644
+--- a/glance_store/tests/unit/cinder/test_base.py
++++ b/glance_store/tests/unit/cinder/test_base.py
+@@ -102,7 +102,7 @@ class TestBaseBrickConnectorInterface(test_base.StoreBaseTest):
+ self.mock_object(self.connector.conn, 'disconnect_volume')
+ self.connector.disconnect_volume(fake_device)
+ self.connector.conn.disconnect_volume.assert_called_once_with(
+- self.connection_info, fake_device)
++ self.connection_info, fake_device, force=True)
+
+ def test_extend_volume(self):
+ self.mock_object(self.connector.conn, 'extend_volume')
+diff --git a/glance_store/tests/unit/cinder/test_cinder_base.py b/glance_store/tests/unit/cinder/test_cinder_base.py
+index acdb70b..7a0b0b1 100644
+--- a/glance_store/tests/unit/cinder/test_cinder_base.py
++++ b/glance_store/tests/unit/cinder/test_cinder_base.py
+@@ -319,7 +319,7 @@ class TestCinderStoreBase(object):
+ fake_connector.connect_volume.assert_called_once_with(
+ mock.ANY)
+ fake_connector.disconnect_volume.assert_called_once_with(
+- mock.ANY, fake_devinfo)
++ mock.ANY, fake_devinfo, force=True)
+ fake_conn_obj.assert_called_once_with(
+ mock.ANY, root_helper, conn=mock.ANY,
+ use_multipath=multipath_supported)
+diff --git a/releasenotes/notes/bug-2004555-4fd67fce86c07461.yaml b/releasenotes/notes/bug-2004555-4fd67fce86c07461.yaml
+new file mode 100644
+index 0000000..8d982c6
+--- /dev/null
++++ b/releasenotes/notes/bug-2004555-4fd67fce86c07461.yaml
+@@ -0,0 +1,11 @@
++security:
++ - |
++ Cinder glance_store driver: in order to avoid a situation where a
++ leftover device could be mapped to a different volume than the one
++ intended, the cinder glance_store driver now instructs the os-brick
++ library to force detach volumes, which ensures that devices are
++ removed from the host.
++
++ See `Bug #2004555
++ `_ for more
++ information about this issue.
+--
+2.39.2
+
diff -Nru python-glance-store-4.3.0/debian/patches/series python-glance-store-4.3.0/debian/patches/series
--- python-glance-store-4.3.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ python-glance-store-4.3.0/debian/patches/series 2023-05-31 19:42:32.000000000 +0000
@@ -0,0 +1 @@
+CVE-2023-2088.patch
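Review bot: The comment added above the `force=True` call in `disconnect_volume` (glance_store/_drivers/cinder/base.py, inside `BaseBrickConnectorInterface`, whose body continues outside the nested hunk) cites only the bug number, so a later cleanup could drop the flag without realising it is the CVE-2023-2088 fix. I would word it as `# CVE-2023-2088 / bug #2004555: force the disconnect so no leftover device stays on the host, where it could later be mapped to a different volume`, which is the rationale the release note in this same patch gives. The call leaves os-brick's `ignore_errors` at its default, so a failed disconnect presumably still raises to the caller; the two updated unit tests only assert that `force=True` is passed, and a test for that error path would pin the behaviour. The changelog entry for 4.3.0-0ubuntu1.2 shows the patch was held back until the other OpenStack projects were ready, so it is worth confirming that the package relationships require the matching fixed versions, since debian/control is not part of this diff.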