Add releasenote for CVE-2024-32498 fix

Related-Bug: #2059809 Change-Id: I3259dd013ba5e3fefd0e172bf0e7cc502158c8db (cherry picked from commit 867d1dd8b6)
2024-07-04 09:59:18 +00:00 · 2024-07-04 09:59:18 +00:00 · b5b29a0ae1
commit b5b29a0ae1
parent 2fc7e2e71e
1 changed files with 17 additions and 0 deletions
--- a/releasenotes/notes/bug-2059809-disallow-qcow2-datafile-5d5ff4dbd590c911.yaml
+++ b/releasenotes/notes/bug-2059809-disallow-qcow2-datafile-5d5ff4dbd590c911.yaml
@ -0,0 +1,17 @@
+---
+security:
+  - |
+    Images in the qcow2 format with an external data file are now
+    rejected from glance because such images could be used in an
+    exploit to expose host information. See `Bug #2059809
+    <https://bugs.launchpad.net/glance/+bug/2059809>`_ for details.
+fixes:
+  - |
+    `Bug #2059809 <https://bugs.launchpad.net/glance/+bug/2059809>`_:
+    Fixed issue where a qcow2 format image with an external data file
+    could expose host information. Such an image format with an external
+    data file will be rejected from glance. To achieve the same,
+    format_inspector has been extended by adding safety checks for qcow2
+    and vmdk files in glance. Unsafe qcow and vmdk files will be rejected
+    by pre-examining them with a format inspector to ensure safe
+    configurations prior to any qemu-img operations.