[stable-em-only] Add CVE-2023-2088 warning

The Cinder project team does not intend to backport a fix for CVE-2023-2088 to stable/victoria, so add a warning to the README so that consumers are aware of the vulnerability of this branch of the os-brick code. Change-Id: I37da3be26c7099307b46ae6b6320a3de7658e106 Related-bug: #2004555
2023-06-07 18:29:20 -04:00 · 2023-06-07 18:29:20 -04:00 · 78a0ea24a5
parent ffe0cbfc93
commit 78a0ea24a5
1 changed files with 15 additions and 0 deletions
--- a/README.rst
+++ b/README.rst
@ -21,6 +21,21 @@ brick

 OpenStack Cinder brick library for managing local volume attaches

+.. warning::
+   The stable/victoria branch of os-brick does not contain a fix for
+   CVE-2023-2088_.  Be aware that such a fix must span cinder, os-brick,
+   nova, and, depending on your deployment configuration, glance_store
+   and ironic.  *The Cinder project team advises against using the code
+   in this branch unless a mitigation against CVE-2023-2088 is applied.*
+
+   .. _CVE-2023-2088: https://nvd.nist.gov/vuln/detail/CVE-2023-2088
+
+   References:
+
+   * https://nvd.nist.gov/vuln/detail/CVE-2023-2088
+   * https://bugs.launchpad.net/cinder/+bug/2004555
+   * https://security.openstack.org/ossa/OSSA-2023-003.html
+   * https://wiki.openstack.org/wiki/OSSN/OSSN-0092

 Features
 --------