From 2fef6c41fa8c5ea772cde227a119dcf22ce7a07d Mon Sep 17 00:00:00 2001 From: Brian Rosmaita Date: Wed, 7 Jun 2023 18:01:12 -0400 Subject: [PATCH] [stable-em-only] Add CVE-2023-2088 warning The Cinder project team does not intend to backport a fix for CVE-2023-2088 to stable/wallaby, so add a warning to the README so that consumers are aware of the vulnerability of this branch of the cinder code. Change-Id: I83b5232076250553650b8b97409cbf72e90c15b9 Related-bug: #2004555 --- README.rst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.rst b/README.rst index 4cbd0b1b1d1..dd8913ba2bd 100644 --- a/README.rst +++ b/README.rst @@ -7,6 +7,22 @@ OpenStack Cinder .. Change things from this point on +.. warning:: + The stable/wallaby branch of cinder does not contain a fix for + CVE-2023-2088_. Be aware that such a fix must span cinder, os-brick, + nova, and, depending on your deployment configuration, glance_store + and ironic. *The Cinder project team advises against using the code + in this branch unless a mitigation against CVE-2023-2088 is applied.* + + .. _CVE-2023-2088: https://nvd.nist.gov/vuln/detail/CVE-2023-2088 + + References: + + * https://nvd.nist.gov/vuln/detail/CVE-2023-2088 + * https://bugs.launchpad.net/cinder/+bug/2004555 + * https://security.openstack.org/ossa/OSSA-2023-003.html + * https://wiki.openstack.org/wiki/OSSN/OSSN-0092 + OpenStack Cinder is a storage service for an open cloud computing service. You can learn more about Cinder at:
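Review bot: in the README.rst hunk, the warning tells readers not to use the branch "unless a mitigation against CVE-2023-2088 is applied" but never says which of the four references describes that mitigation, so a reader has to open all of them to find out what to do; add one sentence after the italic advice along the lines of "See OSSN-0092 for the mitigation options." and, since the subject line says this is a stable-em-only change, state plainly that the branch is in Extended Maintenance and will not receive the fix, which is the reason for the warning. Minor: the bullet list repeats the NVD URL that the `CVE-2023-2088_` hyperlink target already resolves to; either drop that bullet or point the inline target at the OSSA-2023-003 advisory instead and keep NVD in the list.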