Add releasenote for CVE-2024-32498 fix

Related-Bug: #2059809
Change-Id: I3259dd013ba5e3fefd0e172bf0e7cc502158c8db
(cherry picked from commit 867d1dd8b6)
Pranali Deore 2024-07-04 09:59:18 +00:00
parent 2fc7e2e71e
commit b5b29a0ae1

@ -0,0 +1,17 @@
---
security:
- |
Images in the qcow2 format with an external data file are now
rejected from glance because such images could be used in an
exploit to expose host information. See `Bug #2059809
<https://bugs.launchpad.net/glance/+bug/2059809>`_ for details.
fixes:
- |
`Bug #2059809 <https://bugs.launchpad.net/glance/+bug/2059809>`_:
Fixed issue where a qcow2 format image with an external data file
could expose host information. Such an image format with an external
data file will be rejected from glance. To achieve the same,
format_inspector has been extended by adding safety checks for qcow2
and vmdk files in glance. Unsafe qcow and vmdk files will be rejected
by pre-examining them with a format inspector to ensure safe
configurations prior to any qemu-img operations.
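Review bot: The note never names CVE-2024-32498, although the commit subject does, so an operator searching the release notes by CVE ID will not find it; add the ID to the `security` entry next to the Bug #2059809 link. In the `fixes` entry, "Unsafe qcow and vmdk files will be rejected" says "qcow" where the rest of the note says "qcow2". The `security` entry mentions only qcow2 images with an external data file, while the `fixes` entry says safety checks were also added for vmdk without stating what makes a vmdk file unsafe; align the two entries and say which vmdk configurations are rejected. "To achieve the same" is vague and could be reworded to say directly that format_inspector now performs these checks before any qemu-img operation.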