-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Synopsis: Red Hat OpenStack Platform (openstack-glance) security update Advisory ID: RHSA-2023:1280-01 Product: Red Hat OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2023:1280 Issue date: 2023-03-15 CVE Names: CVE-2022-47951 ===================================================================== 1. Summary: An update for openstack-glance is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 13.0 - ELS - noarch Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server - noarch Red Hat OpenStack Platform 16.1 - noarch Red Hat OpenStack Platform 16.2 - noarch 3. Description: OpenStack Image Service (code-named Glance) provides discovery, registration, and delivery services for virtual disk images. The Image Service API server provides a standard REST interface for querying information about virtual disk images stored in a variety of back-end stores, including OpenStack Object Storage. Clients can register new virtual disk images with the Image Service, query for information on publicly available disk images, and use the Image Service's client library for streaming virtual disk images. Security Fix(es): * Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2161812 - CVE-2022-47951 openstack: Arbitrary file access through custom VMDK flat descriptor 6. Package List: Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server: Source: openstack-glance-16.0.1-13.el7ost.src.rpm noarch: openstack-glance-16.0.1-13.el7ost.noarch.rpm python-glance-16.0.1-13.el7ost.noarch.rpm python-glance-tests-16.0.1-13.el7ost.noarch.rpm Red Hat OpenStack Platform 13.0 - ELS: Source: openstack-glance-16.0.1-13.el7ost.src.rpm noarch: openstack-glance-16.0.1-13.el7ost.noarch.rpm python-glance-16.0.1-13.el7ost.noarch.rpm python-glance-tests-16.0.1-13.el7ost.noarch.rpm Red Hat OpenStack Platform 16.1: Source: openstack-glance-19.0.4-1.20230207203320.5bbd356.el8ost.src.rpm noarch: openstack-glance-19.0.4-1.20230207203320.5bbd356.el8ost.noarch.rpm python3-glance-19.0.4-1.20230207203320.5bbd356.el8ost.noarch.rpm Red Hat OpenStack Platform 16.2: Source: openstack-glance-19.0.5-2.20220113204850.b3de9da.el8ost.src.rpm noarch: openstack-glance-19.0.5-2.20220113204850.b3de9da.el8ost.noarch.rpm python3-glance-19.0.5-2.20220113204850.b3de9da.el8ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-47951 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZBI1RNzjgjWX9erEAQiM5xAAhENOJVBXWRn2l2AvNUADJpe695mIu1Ii 6uI4X4PV6IWWUeB4LbP6TVmuWEiGw5kbs5F4kLsDS3hnNikFWB7Qn98NOVxDqRSU 8Nm7t8I5WW6Fgpd1+G0nkI0bdUI6EcaX+mYNlvO28aXszNZI9i+PJZ0UNxFuPDa8 GJp7B01FVckFN/Yvs27E3EHfs0HmLl0nqICmPRrhuiYg7YsmaiElLbcyCmUJZMPz zt9ShpcX7NViOmHqv0mCuRjD5+WaMqwkjHPaovMcQsNCGWpzFDllPS2YxV14wOTH OYRfJIeyAnIAHWGsTlb89I7e7L8YzhoFqFgdhU+gZd16GBpWZtAlw0OEY2EwR2/E LXsIh/kYXdsYTST46aeZvtK6XA2zuUjydUhKNOX9QSFAe0diSB5PoR0CaZTtLEtL mnLcDfGwMup1RuFjqdQr4G5Dwj/NdgR/a8kdynGOHmYZniaawxfGjLUhVx4C89x8 o10/R/j+sYcnjDG0H8ZsN3ssantogpbA7mDvU5NnYc7UqjOBIGaBD5z6hgLhnegP f6RyhpPY9vwvM40Tq9MRQPfKmF6YzGOX/AdfFNH70vJT3LWrehWe8qCiO2pRYHa9 FhRUeWFH0VsnKzEUjJqkPSEyKNHj/qoWmPZTsvpHFtECWEMibul6onMr8Sds7CPG gpwHYqoucEM= =Gw2F -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce