2026.1 Series Release Notes

32.0.0.0rc1-3

Security Issues

  • Fixed multiple Server-Side Request Forgery (SSRF) vulnerabilities in Glance’s image import functionality. These vulnerabilities could allow attackers to bypass URL validation and access internal resources.

    web-download Import Method SSRF:

    The web-download import method had two SSRF vulnerabilities:

    HTTP Redirect Bypass: The web-download import method did not validate redirect destinations when following HTTP redirects. An attacker could provide an initial URL that passed validation but redirected to an internal or otherwise disallowed resource, bypassing the security checks. This has been fixed by implementing a SafeRedirectHandler that validates each redirect destination before it is followed, using the same validate_import_uri() checks that are applied to the initial URL.

    IP Address Encoding Bypass: The web-download import method’s URL validation could be bypassed by encoding IP addresses in alternative formats (decimal integer, hexadecimal, octal). For example, 127.0.0.1 could be written as 2130706433 (decimal) or 0x7f000001 (hexadecimal) to get past the blacklist checks. This has been fixed by implementing a normalize_hostname() function that uses Python’s ipaddress module to validate IP addresses. The ipaddress module only accepts standard dotted-decimal notation for IPv4 and the standard textual format for IPv6, so all encoded forms (decimal, hexadecimal, octal) fail to parse and are rejected, preventing this SSRF bypass.

    glance-download Import Method SSRF:

    The glance-download import method had redirect validation bypass vulnerabilities in two steps of the import flow:

    Image Data Download: When downloading image data from a remote Glance endpoint, redirects were not validated, allowing attackers to redirect to internal services.

    Metadata Fetch: When fetching image metadata from a remote Glance endpoint, redirects were not validated, allowing attackers to redirect to internal services.

    Both steps have been fixed by using SafeRedirectHandler to validate redirect destinations before following them.

    OVF Processing SSRF:

    The OVF processing functionality had a critical SSRF vulnerability with no protection at all: no URI validation, no redirect validation, and no IP normalization. The code called urllib.request.urlopen(uri) directly without any validation checks. This has been fixed by adding URI validation using validate_import_uri() and redirect validation using SafeRedirectHandler.

    Affected Components:

    • glance.common.scripts.utils.get_image_data_iter()

    • glance.common.utils.validate_import_uri()

    • glance.async_.flows._internal_plugins.glance_download._DownloadGlanceImage.execute()

    • glance.async_.flows.api_image_import._ImportMetadata.execute()

    • glance.async_.flows.ovf_process._OVF_Process._get_ova_iter_objects()

    Impact:

    • Severity: High (web-download, glance-download), Critical (OVF processing)

    • Affected Versions: All versions prior to this fix

    • Workaround: Administrators can temporarily disable affected import methods by removing them from the enabled_import_methods configuration option

    Bugs #2138602, #2138672, #2138675
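    The two checks the notes above describe, strict IP-literal parsing with the ipaddress module and re-validation of every redirect hop, as an added example. This is not Glance's code: the function and class names mirror the release note (validate_import_uri(), normalize_hostname(), SafeRedirectHandler), but their bodies, the ALLOWED_SCHEMES tuple, the ImportURIError exception, the helper functions and the sample URLs are all assumptions. It goes slightly beyond the note in one respect: a host that fails ipaddress parsing but still ends in a numeric label (such as 2130706433 or 0x7f000001) is rejected outright rather than passed on as a DNS name, since a libc resolver would otherwise still turn it into an IPv4 address.

```python
"""Added example (not Glance's own code): strict import-URI validation and a
redirect handler that re-checks every hop. Names mirror the release note,
bodies are hypothetical."""
import ipaddress
import re
import urllib.request
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = ("http", "https")  # assumption: only HTTP(S) sources

# A final DNS label of this shape is what URL parsers and libc resolvers
# treat as a numeric IPv4 host (decimal, 0x-hex or leading-zero octal).
_NUMERIC_LABEL = re.compile(r"^(0[xX][0-9a-fA-F]*|[0-9]+)$")


class ImportURIError(ValueError):
    """Raised when a URI must not be used as an image import source."""


def normalize_hostname(host):
    """Return the canonical form of `host` or raise ImportURIError.

    IP literals are parsed with the ipaddress module, which accepts only
    dotted-decimal IPv4 and standard IPv6, so '2130706433', '0x7f000001'
    and '0177.0.0.1' all fail to parse. Anything that fails to parse but
    still ends in a numeric label is rejected instead of being treated as
    a DNS name, because a resolver would still map it to an IPv4 address.
    """
    if not host:
        raise ImportURIError("URI has no host")
    host = host.lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if _NUMERIC_LABEL.match(host.rsplit(".", 1)[-1]):
            raise ImportURIError(f"non-canonical IP literal rejected: {host!r}")
        return host  # an ordinary DNS name; name resolution is not covered here

    # Older Pythons parse leading-zero octets ('0177.0.0.1') as decimal;
    # insist that an IPv4 literal is already in its canonical spelling.
    if isinstance(ip, ipaddress.IPv4Address) and str(ip) != host:
        raise ImportURIError(f"non-canonical IPv4 literal rejected: {host!r}")

    # Judge an IPv4-mapped IPv6 literal (::ffff:10.0.0.5) by the embedded
    # IPv4 address; older ipaddress versions do not do this on their own.
    candidate = ip
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        candidate = ip.ipv4_mapped
    if (candidate.is_private or candidate.is_loopback or candidate.is_link_local
            or candidate.is_multicast or candidate.is_reserved
            or candidate.is_unspecified):
        raise ImportURIError(f"address not allowed as import source: {ip}")
    return str(ip)


def validate_import_uri(uri):
    """Return (scheme, canonical host) for an acceptable URI, else raise."""
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ImportURIError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ImportURIError("userinfo in import URI is not allowed")
    return parts.scheme, normalize_hostname(parts.hostname)


class SafeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Apply validate_import_uri() to every redirect target before following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # urllib resolves relative Location values before calling this;
        # repeating the join is harmless and keeps the method safe to call directly.
        target = urljoin(req.full_url, newurl)
        validate_import_uri(target)  # raises ImportURIError on a bad hop
        return super().redirect_request(req, fp, code, msg, headers, target)


def build_import_opener():
    """Opener whose redirects are validated; validate the initial URI with
    validate_import_uri() before calling opener.open(uri)."""
    return urllib.request.build_opener(SafeRedirectHandler())


def check_redirect(current_url, location, code=302):
    """Simulate one redirect hop offline and return the URL that would be
    followed, or raise ImportURIError if the handler refuses it."""
    req = urllib.request.Request(current_url)
    new_req = SafeRedirectHandler().redirect_request(
        req, None, code, "Found", {}, location)
    return new_req.full_url


if __name__ == "__main__":
    # Constructed sample URIs, not values from the release note.
    for uri in ("https://images.example.org/cirros.img",
                "http://2130706433/", "http://0x7f000001/",
                "http://[::ffff:10.0.0.5]/", "ftp://images.example.org/x"):
        try:
            print("allowed ", uri, validate_import_uri(uri))
        except ImportURIError as exc:
            print("rejected", uri, "->", exc)
```

    The check is deliberately limited to what can be decided from the URL text: a DNS name such as localhost, or one that resolves to an internal address at connect time, is not caught here, so a deployment that needs that guarantee must also control resolution (for example by resolving first and connecting to the vetted address). The Python version matters too: leading-zero octets were only made a parse error in ipaddress from 3.9.5 onwards, which is why the canonical-spelling comparison is kept as a belt-and-braces check.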

Bug Fixes

  • Bug 2138602: Fixed SSRF vulnerability in web-download import method via HTTP redirect bypass and IP address encoding bypass. Added redirect validation using SafeRedirectHandler and IP address validation using Python’s ipaddress module to reject encoded IP formats and prevent bypass attacks.

  • Bug 2138672: Fixed SSRF vulnerability in glance-download import method via HTTP redirect bypass. Added redirect validation for both image data download and metadata fetch operations.

  • Bug 2138675: Fixed SSRF vulnerability in OVF processing functionality which lacked URI validation. Added URI validation and redirect validation to prevent SSRF attacks when processing OVA files.

32.0.0.0rc1

New Features

  • Enhanced the custom property schema file (schema-image.json) to support an extended format that allows operators to define required properties. The schema file now supports a structured format with properties and required keys:

    {
        "properties": {
            "os_distro": {
                "description": "Operating system distribution",
                "type": "string"
            },
            "architecture": {
                "description": "Operating system architecture",
                "type": "string"
            }
        },
        "required": ["os_distro", "architecture"]
    }
    

    When using this extended format, properties listed in the required array will be validated as mandatory fields during image creation. This allows operators to enforce that specific custom properties are provided when images are created, improving data quality and consistency.

    Backwards compatibility is fully maintained. The original flat format (with property definitions at the top level) continues to work as before, and existing schema-image.json files do not need to be modified. The schema loading logic automatically detects which format is being used.

    A sample extended format schema file is provided at etc/schema-image.json.extended-format-sample.
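    The format detection and the required-property check described above, as an added example that is not Glance's own schema loader. The detection rule used here (the document is extended when its top-level keys are a subset of properties/required and every entry under properties is itself an object) is an assumption about how such a loader might distinguish the two formats; the function names and the embedded sample documents are constructed for the example.

```python
"""Added example (not Glance's own loader): read schema-image.json in either
the flat or the extended format and report missing required properties."""
import json

_EXTENDED_KEYS = {"properties", "required"}


def load_custom_properties(schema_text):
    """Parse a schema-image.json document of either format.

    Returns (properties, required). The extended format is recognised when the
    top-level keys are a subset of {"properties", "required"} and every value
    under "properties" is an object (a property definition); anything else is
    taken as the flat format, where each top-level key is a property name.
    """
    data = json.loads(schema_text)
    if not isinstance(data, dict):
        raise ValueError("schema-image.json must contain a JSON object")
    props = data.get("properties")
    is_extended = (set(data) <= _EXTENDED_KEYS
                   and isinstance(props, dict)
                   and all(isinstance(v, dict) for v in props.values()))
    if is_extended:
        properties = props
        required = list(data.get("required", []))
    else:
        properties = data
        required = []
    # A required name that has no definition is a configuration error,
    # better caught at load time than on the first image create.
    unknown = [name for name in required if name not in properties]
    if unknown:
        raise ValueError(f"required names not defined in properties: {unknown}")
    return properties, required


def missing_required(required, image_props):
    """Names from `required` that are absent from the image properties."""
    return [name for name in required if name not in image_props]


# Constructed sample documents in both formats.
EXTENDED_SAMPLE = """{
  "properties": {
    "os_distro": {"description": "Operating system distribution", "type": "string"},
    "architecture": {"description": "Operating system architecture", "type": "string"}
  },
  "required": ["os_distro", "architecture"]
}"""

FLAT_SAMPLE = """{
  "os_distro": {"description": "Operating system distribution", "type": "string"}
}"""

if __name__ == "__main__":
    props, req = load_custom_properties(EXTENDED_SAMPLE)
    print(missing_required(req, {"os_distro": "ubuntu"}))
    props, req = load_custom_properties(FLAT_SAMPLE)
    print(missing_required(req, {}))
```

    The one ambiguity such a heuristic cannot resolve is a flat-format file whose only top-level keys happen to be named properties and required with object values; the detection rule here would read it as the extended format, so a loader that must handle that case needs an explicit format marker instead.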

Deprecation Notes

  • The glance-cache-cleaner, glance-cache-prefetcher and glance-cache-pruner commands are deprecated in the 2025.1 release (Epoxy) and are subject to removal at the beginning of the 2026.1 (G) development cycle, following the OpenStack standard deprecation policy. The Cache API should be used instead.

  • The eventlet server has been deprecated. Glance must now be run using WSGI.

Bug Fixes

  • Bug 2137762: Fixed AttributeError when running glance-manage db without a subcommand.

  • Bug 2141673: Image import can fail for bigger images with the S3 backend.

    Glance now tries to detect the image size in advance so that some backends can be more efficient when uploading image data. This applies to the S3 backend, which can then use a multipart upload instead of a single-part upload.

32.0.0.0b2

New Features

  • Glance now provides full production support for uWSGI deployment. All previous limitations with uWSGI deployment have been resolved, making it a recommended deployment method for production environments.

    Key Features:

    • Complete support for chunked transfer encoding

    • Full interoperable image import functionality

    • Proper graceful shutdown and reload capabilities

    • Native threading support for improved performance

    • Production-ready stability and reliability

    Supported Deployment Methods:

    • uWSGI HTTP mode (recommended)

    • mod_proxy_uwsgi with Apache HTTPD

    • mod_wsgi with Apache HTTPD

    Configuration:

    • Use the provided uWSGI configuration template in httpd/glance-api-uwsgi.ini

    • Enable http-auto-chunked and http-chunked-input for full compatibility

    • Configure appropriate process and thread counts for your environment

    • Set proper timeouts for large image transfers

    Migration:

    • Existing standalone Glance deployments can be migrated to uWSGI

    • No functionality loss compared to standalone deployment

    • Improved integration with web server infrastructure

    • Better resource utilisation and performance

    See the updated Running Glance in HTTPD documentation for complete deployment instructions, configuration examples, and best practices.

Upgrade Notes

  • The WSGI script glance-wsgi-api has been removed. Deployment tooling should instead reference the Python module path for this service, glance.wsgi.api, if their chosen WSGI server supports this (gunicorn, uWSGI) or implement a .wsgi script themselves if not (mod_wsgi).

Deprecation Notes

  • The default value of the policy rule for the add_image_location and fetch_image_location APIs, role:admin or role:service, is deprecated and will be changed to role:service in a future release.

Bug Fixes

  • Bug 2127798: Automatic S3 credential update when EC2 credentials are rotated

    Glance now automatically updates S3 image location URLs when EC2 credentials are rotated in Keystone. Previously, images with S3 locations would become inaccessible after credential rotation, requiring manual intervention to update location metadata. This fix ensures seamless credential rotation without breaking image access.

  • Bug #2085321: Fixed an issue that prevented users from using property protection files together with image import or the inject metadata plugin. A valid “os_glance.*” section is now automatically added to the property protection file.

31.0.0

Upgrade Notes

  • The following metadata definitions have been modified in the Flamingo release:

    • Added hw_memory_encryption_model enumerations in the OS::Compute::Libvirt namespace.

    You may upgrade these definitions using:

    glance-manage db load_metadefs [--path <path>] [--merge] [--prefer_new]