Add releasenote for CVE-2024-32498 fix

Related-Bug: #2059809 Change-Id: I3259dd013ba5e3fefd0e172bf0e7cc502158c8db (cherry picked from commit 867d1dd) (cherry picked from commit b5b29a0) (cherry picked from commit 835c89c)
stackhpc · Jul 8, 2024 · edd75b7 · edd75b7
1 parent 2fe7575
commit edd75b7
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/releasenotes/notes/bug-2059809-disallow-qcow2-datafile-5d5ff4dbd590c911.yaml b/releasenotes/notes/bug-2059809-disallow-qcow2-datafile-5d5ff4dbd590c911.yaml
@@ -0,0 +1,17 @@
+---
+security:
+  - |
+    Images in the qcow2 format with an external data file are now
+    rejected from glance because such images could be used in an
+    exploit to expose host information. See `Bug #2059809
+    <https://bugs.launchpad.net/glance/+bug/2059809>`_ for details.
+fixes:
+  - |
+    `Bug #2059809 <https://bugs.launchpad.net/glance/+bug/2059809>`_:
+    Fixed issue where a qcow2 format image with an external data file
+    could expose host information. Such an image format with an external
+    data file will be rejected from glance. To achieve the same,
+    format_inspector has been extended by adding safety checks for qcow2
+    and vmdk files in glance. Unsafe qcow and vmdk files will be rejected
+    by pre-examining them with a format inspector to ensure safe
+    configurations prior to any qemu-img operations.