Bug#684452: CVE-2012-3447 unblock: nova/2012.1.1-6
On Fri, 2012-08-10 at 14:25 +0800, Thomas Goirand wrote:
> Please unblock the nova package. This fixes CVE-2012-3447, which is a
> file injection vulnerability in the host filesystem, using a specially
> crafted guest image.
>
> The relevant diff is available here:
> http://anonscm.debian.org/gitweb/?p=openstack/nova.git;a=commitdiff;h=55e78f9cbaa1c4657a97c6b20797a94968030e75
Please don't do that. It needs a context switch, doesn't work when
reading mail offline and means that the list archive doesn't stand alone
as a historical, well, archive of what was okayed. There's a reason
that the freeze policy explicitly asks for debdiffs.
> The patch comes directly from upstream, as per the patch header (I just
> applied it manually, then did dpkg-source --commit).
>
> Note that this also includes a (needed) tweak in the configuration files
> as per this commit:
> http://anonscm.debian.org/gitweb/?p=openstack/nova.git;a=commitdiff;h=4cd725c5d164484a3ddb6bf95f37fb715cb51169
Two questions:
1) Why is there no mention of the above changes in the changelog?
2) Why does "Add nova-compute.conf files to nova-compute init if exist"
require
-DAEMON_ARGS="--flagfile=/etc/nova/nova.conf"
+DAEMON_ARGS="--config-file=/etc/nova/nova.conf"
and a bunch of
+[DEFAULT]
?
> Also, Ubuntu folks already fixed the issue in 12.04.
How is that at all relevant to the Debian freeze?
Regards,
Adam
Reply to: