Jammy package 2:20.3.1-0ubuntu1.4 is missing the upstream privsep pieces

This is a regression as a result of the security fix for CVE-2024-32498 - the patch issued original was updated after the embargo lifted and Ubuntu still has the older version of the patch.

This will impact noble as well as it has the older version of the patch.

noble proposed update:

======
Totals
======
Ran: 94 tests in 827.0558 sec.
 - Passed: 87
 - Skipped: 6
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 1
Sum of execute time for each test: 314.3333 sec.

single failure is an know issue in how the tests are configured for octavia and unrelated to this update.

$ apt-cache policy python3-cinder
python3-cinder:
  Installed: 2:24.0.0-0ubuntu1.3
  Candidate: 2:24.0.0-0ubuntu1.3
  Version table:
 *** 2:24.0.0-0ubuntu1.3 500
        500 https://ppa.launchpadcontent.net/ubuntu-security-proposed/ppa/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status
     2:24.0.0-0ubuntu1.2 500
        500 http://availability-zone-3.clouds.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
     2:24.0.0-0ubuntu1 500
        500 http://availability-zone-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages

jammy proposed update:

======
Totals
======
Ran: 94 tests in 751.9069 sec.
 - Passed: 87
 - Skipped: 6
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 1
Sum of execute time for each test: 311.0578 sec.

$ apt-cache policy python3-cinder
python3-cinder:
  Installed: 2:20.3.1-0ubuntu1.5
  Candidate: 2:20.3.1-0ubuntu1.5
  Version table:
 *** 2:20.3.1-0ubuntu1.5 500
        500 https://ppa.launchpadcontent.net/ubuntu-security-proposed/ppa/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status
     2:20.3.1-0ubuntu1.4 500
        500 http://availability-zone-2.clouds.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     2:20.0.0-0ubuntu1 500
        500 http://availability-zone-2.clouds.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

focal proposed update:

====== Totals
======
Ran: 94 tests in 988.8594 sec.
 - Passed: 87
 - Skipped: 6
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 1
Sum of execute time for each test: 433.6734 sec.

$ apt-cache policy python3-cinder
python3-cinder:
  Installed: 2:16.4.2-0ubuntu2.9
  Candidate: 2:16.4.2-0ubuntu2.9
  Version table:
 *** 2:16.4.2-0ubuntu2.9 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
     2:16.4.2-0ubuntu2.8 500
        500 http://availability-zone-3.clouds.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     2:16.0.0~b3~git2020041012.eb915e2db-0ubuntu1 500
        500 http://availability-zone-3.clouds.archive.ubuntu.com/ubuntu focal/main amd64 Packages

@mdeslaur - proposed updates regression tested OK for all three targets and I had confirmation from the bug reporter that the proposed package update fixes the specific issue (cinder volume -> glance image with an kernel drive backed block device backend).

@james-page thanks for the tests, will publish today.

This bug was fixed in the package cinder - 2:16.4.2-0ubuntu2.9

---------------
cinder (2:16.4.2-0ubuntu2.9) focal-security; urgency=medium

  * SECURITY REGRESSION: regression due to missing privset handling
  (LP: #2085851)
    - debian/patches/CVE-2024-32498.patch: switch to final upstream patch
      which differs from the patch provided during embargo.
    - debian/patches/fix_CVE-2022-47951_test.patch: fix test after updating
      CVE-2024-32498 patch.

 -- Marc Deslauriers <email address hidden> Mon, 04 Nov 2024 08:29:59 -0500

This bug was fixed in the package cinder - 2:24.0.0-0ubuntu1.3

---------------
cinder (2:24.0.0-0ubuntu1.3) noble-security; urgency=medium

  * SECURITY REGRESSION: regression due to missing privset handling
  (LP: #2085851)
    - debian/patches/CVE-2024-32498.patch: switch to final upstream patch
      which differs from the patch provided during embargo.

 -- Marc Deslauriers <email address hidden> Mon, 04 Nov 2024 07:16:36 -0500

This bug was fixed in the package cinder - 2:20.3.1-0ubuntu1.5

---------------
cinder (2:20.3.1-0ubuntu1.5) jammy-security; urgency=medium

  * SECURITY REGRESSION: regression due to missing privset handling
  (LP: #2085851)
    - debian/patches/CVE-2024-32498.patch: switch to final upstream patch
      which differs from the patch provided during embargo.

 -- Marc Deslauriers <email address hidden> Mon, 04 Nov 2024 07:35:21 -0500

Hello Marcin, or anyone else affected,

Accepted cinder into bobcat-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:bobcat-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-bobcat-needed to verification-bobcat-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-bobcat-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Marcin, or anyone else affected,

Accepted cinder into antelope-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:antelope-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-antelope-needed to verification-antelope-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-antelope-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Marcin, or anyone else affected,

Accepted cinder into caracal-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:caracal-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-caracal-needed to verification-caracal-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-caracal-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Just a note that during my SRU shift I noticed that cinder 2:20.3.1-0ubuntu1.5 on jammy/s390x is consistently failing[1] its autopkgtests, including a migration-reference/0 run:

133s autopkgtest [18:26:22]: test cinder-daemons: [-----------------------
134s /usr/lib/python3/dist-packages/cinder/db/sqlalchemy/models.py:152: SAWarning: implicitly coercing SELECT object to scalar subquery; please use the .scalar_subquery() method to produce a scalar subquery.
134s last_heartbeat = column_property(
134s /usr/lib/python3/dist-packages/cinder/db/sqlalchemy/models.py:160: SAWarning: implicitly coercing SELECT object to scalar subquery; please use the .scalar_subquery() method to produce a scalar subquery.
134s num_hosts = column_property(
134s /usr/lib/python3/dist-packages/cinder/db/sqlalchemy/models.py:169: SAWarning: implicitly coercing SELECT object to scalar subquery; please use the .scalar_subquery() method to produce a scalar subquery.
134s num_down_hosts = column_property(
134s 2024-11-14 18:26:23.805 9856 INFO cinder.db.migration [-] Applying migration(s)
134s 2024-11-14 18:26:23.806 9856 INFO alembic.runtime.migration [-] Context impl MySQLImpl.
134s 2024-11-14 18:26:23.806 9856 INFO alembic.runtime.migration [-] Will assume non-transactional DDL.
134s 2024-11-14 18:26:23.817 9856 INFO alembic.runtime.migration [-] Running upgrade -> 921e1a36b076, Initial migration.
135s 2024-11-14 18:26:24.627 9856 INFO cinder.db.migration [-] Migration(s) applied
135s Job for cinder-scheduler.service failed.
135s See "systemctl status cinder-scheduler.service" and "journalctl -xeu cinder-scheduler.service" for details.
136s autopkgtest [18:26:25]: test cinder-daemons: -----------------------]
136s autopkgtest [18:26:25]: test cinder-daemons: - - - - - - - - - - results - - - - - - - - - -
136s cinder-daemons FAIL non-zero exit status 1

1. https://autopkgtest.ubuntu.com/packages/cinder/jammy/s390x

Hello Marcin, or anyone else affected,

Accepted cinder into yoga-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:yoga-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-yoga-needed to verification-yoga-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-yoga-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Marcin, or anyone else affected,

Accepted cinder into ussuri-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ussuri-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ussuri-needed to verification-ussuri-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ussuri-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

The verification of the Stable Release Update for cinder has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package cinder - 2:24.0.0-0ubuntu1.3~cloud0
---------------

 cinder (2:24.0.0-0ubuntu1.3~cloud0) jammy-caracal; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 cinder (2:24.0.0-0ubuntu1.3) noble-security; urgency=medium
 .
   * SECURITY REGRESSION: regression due to missing privset handling
   (LP: #2085851)
     - debian/patches/CVE-2024-32498.patch: switch to final upstream patch
       which differs from the patch provided during embargo.

Verification done on jammy-bobcat

Hello, I've done the necessary verification on Jammy Bobcat. I have a deployed a core openstack services and run the tempest tools to functionally test these services.

I have attached the script I used to perform the whole verification and the resulting logs.

Please note that in the case of jammy-bobcat, I've had to backport the versions from noble-caracal for tempest.

tempest: 29.0.0-3 -> 36.0.0-2

PPA holding these backport: https://launchpad.net/~gboutry/+archive/ubuntu/jammy-backports/+packages

Tempest is the functional testing tool for OpenStack services. I've preferred to use a more recent version of tempest to ensure right policy and testing.

Verified versions:
cinder 2:23.0.0-0ubuntu1.4~cloud1

Verification done on jammy-antelope

Hello, I've done the necessary verification on Jammy Antelope. I have a deployed a core openstack services and run the tempest tools to functionally test these services.

I have attached the script I used to perform the whole verification and the resulting logs.

Please note that in the case of jammy-antelope, I've had to backport the versions from noble-caracal for tempest and fasteners.

tempest: 29.0.0-3 -> 36.0.0-2
python3-fasters: 0.14.1-2 -> 0.18-3

PPA holding these backport: https://launchpad.net/~gboutry/+archive/ubuntu/jammy-backports/+packages

Tempest is the functional testing tool for OpenStack services. I've preferred to use a more recent version of tempest to ensure right policy and testing.

Verified versions:
cinder 2:22.1.1-0ubuntu1.3~cloud2

To reproduce my testing on bobcat and antelope. you can use the attached script as follow:

bash repro-ca.sh jammy-bobcat
lcx rm -f monostack
bash repro-ca.sh jammy-antelope

The verification of the Stable Release Update for cinder has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package cinder - 2:23.0.0-0ubuntu1.4~cloud1
---------------

 cinder (2:23.0.0-0ubuntu1.4~cloud1) jammy-bobcat; urgency=medium
 .
   * SECURITY REGRESSION: regression due to missing privset handling
     (LP: #2085851)
     - debian/patches/CVE-2024-32498.patch: switch to final upstream patch
       which differs from the patch provided during embargo.

The verification of the Stable Release Update for cinder has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package cinder - 2:22.1.1-0ubuntu1.3~cloud2
---------------

 cinder (2:22.1.1-0ubuntu1.3~cloud2) jammy-antelope; urgency=medium
 .
   * SECURITY REGRESSION: regression due to missing privset handling
     (LP: #2085851)
     - debian/patches/CVE-2024-32498.patch: switch to final upstream patch
       which differs from the patch provided during embargo.