
Bug#941901: marked as done (buster-pu: package octavia/3.0.0-3)



Your message dated Sat, 10 Sep 2022 13:40:55 +0100
with message-id <2cfc9645343bdb910fe19c07bddfec2c428346a3.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 10.13
has caused the Debian Bug report #941901,
regarding buster-pu: package octavia/3.0.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
941901: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941901
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

Since Buster was frozen, I worked quite a long time on Octavia, and was
able to make the octavia-agent work properly, as well as building an
Octavia base image using Debian-only stuff [1]. It works super well
using the next version of OpenStack, i.e. Stein, while Buster has Rocky.

Though I'd like to be able to provide a working Amphorae image using
only stuff from Buster, if possible. This is what this update is about.
The update contains:

- Fix for the vrrp script template.
- Fix for detecting the OS from within Octavia itself.
- Fix for CVE-2019-17134, where the Amphora didn't enforce cert checking.
- Fix for the octavia-agent package init / systemd scripts.

Debdiff is attached. Please allow me to update the Octavia package in
Buster accordingly. Next up, I hope to be able to provide a Debian image
for Octavia through the official cdimage.debian.org repo. I'll do that
through Testing first.

Cheers,

Thomas Goirand (zigo)

[1] If you don't know what Octavia is, it is haproxy as a service, with
a base virtual machine image containing Haproxy and the Octavia Agent.
This image is called "Amphorae", and can be used to provide load balancer
as a service. This is quite nice technology!
diff -Nru octavia-3.0.0/debian/changelog octavia-3.0.0/debian/changelog
--- octavia-3.0.0/debian/changelog	2019-01-21 17:28:54.000000000 +0100
+++ octavia-3.0.0/debian/changelog	2019-04-30 12:07:21.000000000 +0200
@@ -1,3 +1,14 @@
+octavia (3.0.0-3+deb10u1) buster; urgency=medium
+
+  * Fix octavia-agent binary in init/service file, fix the startup.
+  * Add Fix-osutils.py-to-detect-Debian.patch.
+  * CVE-2019-17134: Client certificates aren't checked properly in the Amphora.
+    Applied upstream patch (Closes: #941897):
+    - Add CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch.
+  * Add Fix_template_that_generates_vrrp_check_script.patch.
+
+ -- Thomas Goirand <zigo@debian.org>  Tue, 30 Apr 2019 12:07:21 +0200
+
 octavia (3.0.0-3) unstable; urgency=medium
 
   * Add an octavia-agent package.
diff -Nru octavia-3.0.0/debian/octavia-agent.install octavia-3.0.0/debian/octavia-agent.install
--- octavia-3.0.0/debian/octavia-agent.install	1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent.install	2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,2 @@
+debian/octavia-agent-ramfs-start	/sbin
+debian/octavia-agent-ramfs-stop		/sbin
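Review bot: nothing in this debdiff invokes the two helpers installed here into /sbin; the only init.in change below adds CONFIG_FILE and DAEMON, so unless a unit or init template outside this diff runs `octavia-agent-ramfs-start` before the agent and `octavia-agent-ramfs-stop` after it, the certificate directory stays on the regular disk and the LUKS ramdisk is never set up. If they are meant as ExecStartPre/ExecStopPost hooks, that wiring belongs in the same upload.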
diff -Nru octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in
--- octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in	2019-01-21 17:28:54.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in	2019-04-30 12:07:21.000000000 +0200
@@ -17,3 +17,5 @@
 NAME=${PROJECT_NAME}-agent
 SYSTEM_USER=root
 SYSTEM_GROUP=root
+CONFIG_FILE=/etc/octavia/amphora-agent.conf
+DAEMON=/usr/bin/amphora-agent
diff -Nru octavia-3.0.0/debian/octavia-agent-ramfs-start octavia-3.0.0/debian/octavia-agent-ramfs-start
--- octavia-3.0.0/debian/octavia-agent-ramfs-start	1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent-ramfs-start	2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+modprobe brd rd_size=1024000 max_part=2 rd_nr=1
+passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+certs_path=$(grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{print $3}')
+if [ -z "${certs_path}" ] ; then
+	certs_path=/var/lib/octavia/certs
+fi
+mkdir -p "${certs_path}"
+chown octavia:octavia ${certs_path}
+echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+mkfs.ext2 /dev/mapper/certfs-ramfs
+mount /dev/mapper/certfs-ramfs ${certs_path}
+chown octavia:octavia ${certs_path}
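Review bot: the fallback `if [ -z "${certs_path}" ]` is unreachable when `base_cert_dir` is absent from amphora-agent.conf, because under `set -e` the assignment `certs_path=$(grep ...)` takes grep's exit status of 1 and aborts the script; append `|| true` to the substitution. The grep is also unanchored, so a commented default such as `# base_cert_dir = ...` matches and yields `=` as the path; use `grep -E '^[[:space:]]*base_cert_dir'` or a proper ini reader. Finally, `${certs_path}` is quoted in `mkdir -p` but not in the two `chown` lines or the `mount` line; quote it consistently.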
diff -Nru octavia-3.0.0/debian/octavia-agent-ramfs-stop octavia-3.0.0/debian/octavia-agent-ramfs-stop
--- octavia-3.0.0/debian/octavia-agent-ramfs-stop	1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent-ramfs-stop	2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+certs_path=$(grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{printf $3}')
+umount "${certs_path}"
+cryptsetup luksClose /dev/mapper/certfs-ramfs
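Review bot: this script has the same `set -e` plus unguarded `grep` problem as the start script, and unlike it has no fallback to /var/lib/octavia/certs, so a config without `base_cert_dir` leaves the LUKS mapping open. It also uses `awk '{printf $3}'` where the start script uses `print $3`; `printf` interprets the path as a format string, so use `print` in both for the same value. Consider `umount` by device (`/dev/mapper/certfs-ramfs`) rather than by mount point, which removes the dependency on the config lookup entirely.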
diff -Nru octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
--- octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch	1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch	2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,73 @@
+Description: [PATCH] Fix urgent amphora two-way auth security bug
+ The value of gunicorn's option 'cert_reqs` for client-cert requirement
+ does not take a boolean, but rather `ssl.CERT_REQUIRED` which is `2`.
+ .
+Story: 2006660
+Task: 36916
+Author: Adam Harwell <flux.adam@gmail.com>
+Date: Fri, 4 Oct 2019 01:04:20 -0700
+SecurityImpact: CVE-2019-17134
+Change-Id: I5619f5e40d7c9a2ee7741bf4664c0d2d08963992
+Bug-Debian: https://bugs.debian.org/941897
+Origin: https://review.opendev.org/#/c/686544/
+Last-Update: 2019-10-07
+
+diff --git a/octavia/cmd/agent.py b/octavia/cmd/agent.py
+index 861ad75..759cf4b 100644
+--- a/octavia/cmd/agent.py
++++ b/octavia/cmd/agent.py
+@@ -15,6 +15,7 @@
+ # make sure PYTHONPATH includes the home directory if you didn't install
+ 
+ import multiprocessing as multiproc
++import ssl
+ import sys
+ 
+ import gunicorn.app.base
+@@ -74,7 +75,7 @@ def main():
+         'timeout': CONF.amphora_agent.agent_request_read_timeout,
+         'certfile': CONF.amphora_agent.agent_server_cert,
+         'ca_certs': CONF.amphora_agent.agent_server_ca,
+-        'cert_reqs': True,
++        'cert_reqs': ssl.CERT_REQUIRED,
+         'preload_app': True,
+         'accesslog': '/var/log/amphora-agent.log',
+         'errorlog': '/var/log/amphora-agent.log',
+diff --git a/octavia/tests/unit/cmd/test_agent.py b/octavia/tests/unit/cmd/test_agent.py
+index 551ab56..22ca4ff 100644
+--- a/octavia/tests/unit/cmd/test_agent.py
++++ b/octavia/tests/unit/cmd/test_agent.py
+@@ -9,6 +9,7 @@
+ #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ #    License for the specific language governing permissions and limitations
+ #    under the License.
++import ssl
+ 
+ import mock
+ 
+@@ -36,5 +37,11 @@ class TestAmphoraAgentCMD(base.TestCase):
+ 
+         agent.main()
+ 
++        # Ensure gunicorn is initialized with the correct cert_reqs option.
++        # This option is what enforces use of a valid client certificate.
++        self.assertEqual(
++            ssl.CERT_REQUIRED,
++            mock_amp.call_args[0][1]['cert_reqs'])
++
+         mock_health_proc.start.assert_called_once_with()
+         mock_amp_instance.run.assert_called_once()
+diff --git a/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml b/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml
+new file mode 100644
+index 0000000..e348b14
+--- /dev/null
++++ b/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml
+@@ -0,0 +1,5 @@
++---
++security:
++  - |
++    Correctly require two-way certificate authentication to connect to the
++    amphora agent API (CVE-2019-17134).
+-- 
+2.7.4
+
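Review bot: the Description would be clearer if it named the concrete effect of the old value: `True` is `1`, which is `ssl.CERT_OPTIONAL`, so gunicorn verified a client certificate only when one was presented and accepted connections that sent none; `ssl.CERT_REQUIRED` (`2`) rejects those. Stating that makes the severity obvious to anyone triaging the backport. The added unit assertion on `mock_amp.call_args[0][1]['cert_reqs']` is the right regression check. Also consider an `Applied-Upstream` DEP-3 field pointing at the merged change so the patch can be dropped on the next upstream import.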
diff -Nru octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch
--- octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch	1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch	2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,19 @@
+Description: Fix is_os_name in osutils.py to detect Debian
+ Otherwise, the OCtavia agent just dies...
+Author: Thomas Goirand <zigo@debian.org>
+Forwarded: no
+Last-Update: 2019-04-30
+
+Index: octavia/octavia/amphorae/backends/agent/api_server/osutils.py
+===================================================================
+--- octavia.orig/octavia/amphorae/backends/agent/api_server/osutils.py
++++ octavia/octavia/amphorae/backends/agent/api_server/osutils.py
+@@ -233,7 +233,7 @@ class Ubuntu(BaseOS):
+ 
+     @classmethod
+     def is_os_name(cls, os_name):
+-        return os_name in ['ubuntu']
++        return os_name in ['ubuntu', 'debian']
+ 
+     def cmd_get_version_of_installed_package(self, package_name):
+         name = self._map_package_name(package_name)
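Review bot: adding `'debian'` to `Ubuntu.is_os_name` makes the agent treat Debian as Ubuntu, which is fine for the package-manager paths this class wraps but is the kind of change upstream would usually want as a separate `Debian(Ubuntu)` subclass; `Forwarded: no` should carry a reason if this is intentionally Debian-local. Minor: "OCtavia" in the Description is a typo.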
diff -Nru octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch
--- octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch	1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch	2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,30 @@
+Author: Rene Luria <rene.luria@infomaniak.com>
+Subject: [PATCH] Fix template that generates vrrp check script
+ Correct the inline comment to not include an empty new line at the start
+ of generated /var/lib/octavia/vrrp/check_script.sh that leads to this
+ kind of error:
+ .
+ >  Aug 26 11:49:32 amphora-12184e15-1ec3-4d80-98a7-c7d1ddb6716f
+ > Keepalived_vrrp[15265]: Error exec-ing command
+ > '/var/lib/octavia/vrrp/check_script.sh', error 8: Exec format error
+Date: Mon, 26 Aug 2019 13:50:42 +0200
+Change-Id: Icddd2873abeb56a389a35356995df6dde70872b2
+Origin: upstream, https://review.opendev.org/678525
+Last-Update: 2019-08-26
+
+diff --git a/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2 b/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
+index bb1eceb..e2c85c4 100644
+--- a/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
++++ b/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
+@@ -13,7 +13,7 @@
+ #    License for the specific language governing permissions and limitations
+ #    under the License.
+ #
+-#}
++-#}
+ #!/bin/bash
+ 
+ # Don't try to run the directory when it is empty
+-- 
+2.7.4
+
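Review bot: the fix is correct and no change is requested; for the record, the quoted `Exec format error` is ENOEXEC from execve, which requires `#!` to be the first two bytes of the file, so the single newline emitted by `#}` without Jinja whitespace control is enough to make keepalived fail every check. The `-#}` form strips that newline and puts the shebang on line 1.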
diff -Nru octavia-3.0.0/debian/patches/series octavia-3.0.0/debian/patches/series
--- octavia-3.0.0/debian/patches/series	2019-01-21 17:28:54.000000000 +0100
+++ octavia-3.0.0/debian/patches/series	2019-04-30 12:07:21.000000000 +0200
@@ -1,2 +1,5 @@
 fix-py36-compatibility.patch
 install-missing-files.patch
+Fix-osutils.py-to-detect-Debian.patch
+CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
+Fix_template_that_generates_vrrp_check_script.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.13

Hi,

Each of the updates referenced in these bugs was included in today's
10.13 point release.

Regards,

Adam

--- End Message ---