From 60f705d722fc6b7c434194a9f3b11595294d6aa0 Mon Sep 17 00:00:00 2001 From: Brian Rosmaita Date: Wed, 7 Jun 2023 18:01:12 -0400 Subject: [PATCH] [stable-em-only] Add CVE-2023-2088 warning The Cinder project team does not intend to backport a fix for CVE-2023-2088 to stable/ussuri, so add a warning to the README so that consumers are aware of the vulnerability of this branch of the cinder code. Change-Id: I5c55ab7ca6c85d23c5ab7d2d383a18226735aaf2 Related-bug: #2004555 --- README.rst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.rst b/README.rst index 4cbd0b1b1d1..458f424d31c 100644 --- a/README.rst +++ b/README.rst @@ -7,6 +7,22 @@ OpenStack Cinder .. Change things from this point on +.. warning:: + The stable/ussuri branch of cinder does not contain a fix for + CVE-2023-2088_. Be aware that such a fix must span cinder, os-brick, + nova, and, depending on your deployment configuration, glance_store + and ironic. *The Cinder project team advises against using the code + in this branch unless a mitigation against CVE-2023-2088 is applied.* + + .. _CVE-2023-2088: https://nvd.nist.gov/vuln/detail/CVE-2023-2088 + + References: + + * https://nvd.nist.gov/vuln/detail/CVE-2023-2088 + * https://bugs.launchpad.net/cinder/+bug/2004555 + * https://security.openstack.org/ossa/OSSA-2023-003.html + * https://wiki.openstack.org/wiki/OSSN/OSSN-0092 + OpenStack Cinder is a storage service for an open cloud computing service. You can learn more about Cinder at:
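Review bot: the new warning block in the README.rst hunk tells readers not to use this branch "unless a mitigation against CVE-2023-2088 is applied" but never says where such a mitigation is documented; since the OSSN-0092 link is already in the "References:" list below it, consider naming it in that sentence, e.g. "unless a mitigation against CVE-2023-2088 (see OSSN-0092 below) is applied", so a reader knows which reference to follow. Minor: the first bullet (`* https://nvd.nist.gov/vuln/detail/CVE-2023-2088`) repeats the URL already bound to the `CVE-2023-2088_` hyperlink target two lines above, so it could be dropped from the list without losing information.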