Package: nova / 2:26.2.2-1~deb12u3
Metadata
| Package | Version | Patches format |
|---|---|---|
| nova | 2:26.2.2-1~deb12u3 | 3.0 (quilt) |
Patch series
view the series file| Patch | File delta | Description |
|---|---|---|
| Install missed files.patch | (download) |
MANIFEST.in |
11 11 + 0 - 0 ! |
install missed files |
| remove svg converter from doc conf.py.patch | (download) |
doc/source/conf.py |
1 0 + 1 - 0 ! |
remove sphinxcontrib.rsvgconverter from doc conf.py |
| Add a healtcheck url.patch | (download) |
etc/nova/api-paste.ini |
15 10 + 5 - 0 ! |
[patch] add a /healthcheck url This is useful for operators to configure HAProxy and for monitoring. |
| libvirt_Add_encryption_support_to_qemu img_create_command.patch | (download) |
nova/tests/unit/virt/libvirt/test_utils.py |
43 40 + 3 - 0 ! |
[patch] libvirt: add encryption support to qemu-img create command This adds handling of options needed for qemu-img create to generate encrypted images. |
| CVE 2024 32498_1_nova stable 2023.1_Reject_qcow_files_with_data file_attributes.patch | (download) |
nova/tests/unit/virt/libvirt/test_utils.py |
1 1 + 0 - 0 ! |
[patch 1/3] reject qcow files with data-file attributes |
| CVE 2024 32498_2_nova stable 2023.1_Check_images_with_format_inspector_for_safety_2.patch | (download) |
nova/conf/workarounds.py |
10 10 + 0 - 0 ! |
[patch] check images with format_inspector for safety It has been asserted that we should not be calling qemu-img info on untrusted files. That means we need to know if they have a backing_file, data_file or other unsafe configuration *before* we use qemu-img to probe or convert them. This grafts glance's format_inspector module into nova/images so we can use it to check the file early for safety. The expectation is that this will be moved to oslo.utils (or something) later and thus we will just delete the file from nova and change our import when that happens. NOTE: This includes whitespace changes from the glance version of format_inspector.py because of autopep8 demands. Bug: #2059809 |
| CVE 2024 32498_3_nova stable 2023.1_Additional qemu safety checking on base images_2.patch | (download) |
nova/image/format_inspector.py |
68 59 + 9 - 0 ! |
[patch] additional qemu safety checking on base images There is an additional way we can be fooled into using a qcow2 file with a data-file, which is uploading it as raw to glance and then booting an instance from it. Because when we go to create the ephemeral disk from a cached base image, we've lost the information about the original source's format, we probe the image's file type without a strict format specified. If a qcow2 file is listed in glance as a raw, we won't notice it until it is too late. This brings over another piece of code (proposed against) glance's format inspector which provides a safe format detection routine. This patch uses that to detect the format of and run a safety check on the base image each time we go to use it to create an ephemeral disk image from it. This also detects QED files and always marks them as unsafe as we do not support that format at all. Since we could be fooled into downloading one and passing it to qemu-img if we don't recognize it, we need to detect and reject it as unsafe. |
| CVE 2024 32498_4_Fix vmdk_allowed_types checking_2.patch | (download) |
nova/tests/unit/virt/libvirt/test_utils.py |
25 23 + 2 - 0 ! |
[patch] fix vmdk_allowed_types checking This restores the vmdk_allowed_types checking in create_image() that was unintentionally lost by tightening the qemu-type-matches-glance code in the fetch patch recently. Since we are still detecting the format of base images without metadata, we would have treated a vmdk file that claims to be raw as raw in fetch, but then read it like a vmdk once it was used as a base image for something else. Bug: #2059809 |
| CVE 2024 40767_1_port_format_inspector_tests_from_glance_antelope.patch | (download) |
nova/tests/unit/image/test_format_inspector.py |
517 517 + 0 - 0 ! |
cve-2024-40767: port format inspector tests from glance This commit is a direct port of the format inspector unit tests from glance as of commit 0d8e79b713bc31a78f0f4eac14ee594ca8520999 . the only changes to the test are as follows . "from glance.common import format_inspector" was updated to "from nova.image import format_inspector" . "from glance.tests import utils as test_utils" was replaced with "from nova import test" . "test_utils.BaseTestCase" was replaced with "test.NoDBTestCase" . "glance-unittest-formatinspector-" was replaced with "nova-unittest-formatinspector-" . This makes the test funtional in nova. . TestFormatInspectors requries qemu-img to be installed on the host which would be a new depency for executing unit tests. to avoid that we skip TestFormatInspectors if qemu-img is not installed. TestFormatInspectorInfra and TestFormatInspectorsTargeted do not have a qemu-img dependency so no changes to the test assertions were required. |
| CVE 2024 40767_2_Reproduce_iso_regression_with_deep_format_inspection_antelope.patch | (download) |
nova/tests/unit/image/test_format_inspector.py |
72 63 + 9 - 0 ! |
cve-2024-40767: reproduce iso regression with deep format inspection This change adds a reproducer for the regression in iso file support when workarounds.disable_deep_image_inspection = False |
| CVE 2024 40767_3_Add iso file format inspector_antelope.patch | (download) |
nova/image/format_inspector.py |
109 104 + 5 - 0 ! |
cve-2024-40767: add iso file format inspector This change includes unit tests for the ISO format inspector using mkisofs to generate the iso files. . A test for stashing qcow content in the system_area of an iso file is also included. . This change modifies format_inspector.detect_file_format to evaluate all inspectors until they are complete and raise an InvalidDiskInfo exception if multiple formats match. |
| CVE 2024 40767_4_Change force_format strategy to catch mismatches_antelope.patch | (download) |
nova/tests/unit/virt/libvirt/test_utils.py |
23 13 + 10 - 0 ! |
cve-2024-40767: change force_format strategy to catch mismatches |