Back to bug 2138238
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Red Hat One Jira (issues.redhat.com) | 2022-10-27 17:45:09 UTC | Link ID | Red Hat Issue Tracker OSP-19759 | |
| Alan Bishop | 2022-10-31 14:10:49 UTC | Comment | 0 | updated |
| Alan Bishop | 2022-11-01 14:56:10 UTC | Status | NEW | ON_DEV |
| | | Link ID | OpenStack gerrit 863142 | |
| Alan Bishop | 2022-11-08 15:52:20 UTC | CC | johfulto | |
| Marian Krcmarik | 2022-11-09 01:39:14 UTC | CC | mkrcmari | |
| unmesh desale | 2022-11-24 09:52:33 UTC | CC | udesale | |
| | | Blocks | 2147467 | |
| Alan Bishop | 2023-01-30 21:09:36 UTC | CC | msava | |
| | | Target Release | --- | 17.1 |
| | | Fixed In Version | openstack-tripleo-heat-templates-14.3.1-1.20230125220910.d766979.el9osttrunk | |
| | | Target Milestone | --- | beta |
| | | Doc Type | If docs needed, set a value | Enhancement |
| | | Doc Text | Feature: Separate instances of the glance-api service are deployed. The instance that is accessible to OpenStack tenants is configured to not expose image location details, such as the image's direct URL and whether the image is available in multiple locations. The second instance is accessible to other openstack services (e.g. cinder and nova). This instance is configured to provide location information for images. Reason: This feature adopts the recommendations set forth in OSSN-0090, https://wiki.openstack.org/wiki/OSSN/OSSN-0090#Recommended_Actions Result: A malicious user cannot leverage an image's location information to upload an altered image. | |
| | | Status | ON_DEV | MODIFIED |
| Lon Hohberger | 2023-01-31 07:01:11 UTC | Fixed In Version | openstack-tripleo-heat-templates-14.3.1-1.20230125220910.d766979.el9osttrunk | openstack-tripleo-heat-templates-14.3.1-1.20230125220910.d766979.el9ost |
| errata-xmlrpc | 2023-02-01 17:07:49 UTC | Status | MODIFIED | ON_QA |
| James Smith | 2023-02-03 01:01:14 UTC | CC | akekane, cyril, jamsmith, jelynch, mariel, pdeore | |
| | | Flags | needinfo?(abishop) needinfo?(cyril) needinfo?(jelynch) needinfo?(akekane) needinfo?(pdeore) needinfo?(mariel) | |
| Cyril Roelandt | 2023-02-03 15:39:26 UTC | Flags | needinfo?(cyril) | |
| Alan Bishop | 2023-02-03 18:36:06 UTC | CC | pgrist | |
| | | Flags | needinfo?(pgrist) | |
| Mikey Ariel | 2023-02-07 11:35:21 UTC | Flags | needinfo?(mariel) | |
| Paul Grist | 2023-02-08 17:49:53 UTC | Flags | needinfo?(pgrist) | needinfo?(udesale) |
| Alan Bishop | 2023-02-08 19:40:10 UTC | Flags | needinfo?(abishop) | |
| Jenny-Anne Lynch | 2023-02-20 16:59:49 UTC | Flags | needinfo?(jelynch) | needinfo?(abishop) |
| Jenny-Anne Lynch | 2023-02-20 17:00:33 UTC | Docs Contact | jelynch | |
| Alan Bishop | 2023-02-20 19:46:55 UTC | Flags | needinfo?(abishop) | |
| Jenny-Anne Lynch | 2023-02-21 10:34:21 UTC | Doc Text | Feature: Separate instances of the glance-api service are deployed. The instance that is accessible to OpenStack tenants is configured to not expose image location details, such as the image's direct URL and whether the image is available in multiple locations. The second instance is accessible to other openstack services (e.g. cinder and nova). This instance is configured to provide location information for images. Reason: This feature adopts the recommendations set forth in OSSN-0090, https://wiki.openstack.org/wiki/OSSN/OSSN-0090#Recommended_Actions Result: A malicious user cannot leverage an image's location information to upload an altered image. | With this update, you deploy two separate instances of the Image service (glance) API. The instance that is accessible to OpenStack tenants is configured to hide image location details, such as the direct URL of an image or whether the image is available in multiple locations. The second instance is accessible to OpenStack administrators and OpenStack services, such as the Block Storage service (cinder) and the Compute service (nova). This instance is configured to provide image location details. This enhancement addresses the recommendations of link:https://wiki.openstack.org/wiki/OSSN/OSSN-0090#Recommended_Actions[OSSN-0090] and link:https://access.redhat.com/security/cve/CVE-2022-4134[CVE-2022-4134]. With this update, a malicious user cannot leverage the location details of an image to upload an altered image. |
| Yogev Rabl | 2023-05-10 16:02:28 UTC | CC | yrabl | |
| | | QA Contact | jhakimra | ybenshim |
| Yosi Ben Shimon | 2023-06-08 18:16:30 UTC | Status | ON_QA | VERIFIED |
| Ian Frangs | 2023-08-03 15:46:23 UTC | Flags | needinfo?(abishop) | |
| Alan Bishop | 2023-08-03 17:34:08 UTC | Flags | needinfo?(abishop) | |
| Abhishek Kekane | 2023-08-04 15:25:29 UTC | Flags | needinfo?(akekane) | |
| errata-xmlrpc | 2023-08-16 00:03:58 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2023-08-16 01:12:28 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2023-08-16 01:12:28 UTC | |
| errata-xmlrpc | 2023-08-16 01:12:52 UTC | Link ID | Red Hat Product Errata RHEA-2023:4577 | |