--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi,
The security fix "Nova DoS by allocating all Fixed IPs" broke the
vncproxy feature of Nova. Version 2012.1.1-16 correct this.
Also, there was a typo in the nova-common postinst, which this
upload corrects:
if [ " $RET" = "false" ]; then
(see the added space, which makes the statement always false...)
Last, Julien Cristau reported (as a Nova user, not as a release
team member) that postgresql:// works, but not pgsql://, so I
fixed the nova-common.postinst for that.
Debdiff is attached. Please unblock nova/2012.1.1-16.
Thomas Goirand (zigo)
diff -Nru nova-2012.1.1/debian/changelog nova-2012.1.1/debian/changelog
--- nova-2012.1.1/debian/changelog 2013-03-14 21:09:18.000000000 +0000
+++ nova-2012.1.1/debian/changelog 2013-04-01 14:49:11.000000000 +0000
@@ -1,3 +1,12 @@
+nova (2012.1.1-16) unstable; urgency=low
+
+ * Fixes console auth after security fix (Closes: #703242).
+ * Fixes a typo in debian/nova-common.postinst when activating NOVA_ENABLE.
+ * Fixes the DNS in the case of PGSQL: now it really is postgresql:// and not
+ qgsql://.
+
+ -- Thomas Goirand <zigo@debian.org> Mon, 18 Mar 2013 13:32:52 +0800
+
nova (2012.1.1-15) unstable; urgency=low
* CVE-2013-1838: Nova DoS by allocating all Fixed IPs (Closes: #703064).
diff -Nru nova-2012.1.1/debian/nova-common.postinst nova-2012.1.1/debian/nova-common.postinst
--- nova-2012.1.1/debian/nova-common.postinst 2013-03-14 21:09:18.000000000 +0000
+++ nova-2012.1.1/debian/nova-common.postinst 2013-04-01 14:49:11.000000000 +0000
@@ -55,7 +55,7 @@
;;
pgsql)
[ -n "$dbc_dbport" ] && dbport=:$dbc_dbport
- SQL_CONNECTION="pgsql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
+ SQL_CONNECTION="postgresql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
;;
*)
SQL_CONNECTION="sqlite:///$dbc_basepath/$dbc_dbname"
@@ -71,7 +71,7 @@
fi
fi
db_get nova-common/start_services
- if [ " $RET" = "false" ]; then
+ if [ "$RET" = "false" ]; then
sed -e "s,^NOVA_ENABLE=.\+,NOVA_ENABLE=false," -i /etc/default/nova
fi
fi
diff -Nru nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch
--- nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch 1970-01-01 00:00:00.000000000 +0000
+++ nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch 2013-04-01 14:49:11.000000000 +0000
@@ -0,0 +1,98 @@
+Description: Fixed broken vncproxy flush tokens patch
+ This review (https://review.openstack.org/22872) attempted to
+ resolve a critical security issue but ended up completely breaking
+ the vncproxy. The wrong dict keys were being used for Essex and the
+ API calls were incomplete. This patch makes the proxy work again.
+Author: Rafi Khardalian <rafi@metacloud.com>
+Origin: upstream, https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff_plain;h=48e81f1554ce41c3d4f7445421d19f4a8128e98d
+Bug-Debian: http://bugs.debian.org/703242
+Bug-Ubuntu: https://launchpad.net/bugs/1125378
+Date: Thu, 7 Mar 2013 00:19:08 +0000 (+0000)
+
+diff --git a/nova/compute/api.py b/nova/compute/api.py
+index a317c44..8309fbb 100644
+--- a/nova/compute/api.py
++++ b/nova/compute/api.py
+@@ -1561,12 +1561,14 @@ class API(BaseAPI):
+ return {'url': connect_info['access_url']}
+
+ @wrap_check_policy
+- def validate_vnc_console(self, context, instance_id, host, port):
++ def validate_vnc_console(self, context, instance_id, host, port,
++ console_type):
+ """Validate VNC Console for an instance."""
+ instance = self.get(context, instance_id)
+ output = self._call_compute_message('get_vnc_console',
+- context,
+- instance)
++ context,
++ instance,
++ params={"console_type": console_type})
+ return (port == output['port'] and host == output['host'])
+
+ @wrap_check_policy
+diff --git a/nova/consoleauth/manager.py b/nova/consoleauth/manager.py
+index 5690ef3..507bdc5 100644
+--- a/nova/consoleauth/manager.py
++++ b/nova/consoleauth/manager.py
+@@ -84,14 +84,15 @@ class ConsoleAuthManager(manager.Manager):
+
+ LOG.audit(_("Received Token: %(token)s, %(token_dict)s)"), locals())
+
+- def _validate_console(self, token):
++ def _validate_console(self, context, token):
+ console_valid = False
+ token_dict = self.tokens[token]
+ try:
+ console_valid = self.compute_api.validate_vnc_console(context,
+- token_dict['instance_uuid'],
++ token_dict['instance_id'],
+ token_dict['host'],
+- token_dict['port'])
++ token_dict['port'],
++ token_dict['console_type'])
+ except exception.InstanceNotFound:
+ pass
+ return console_valid
+@@ -99,7 +100,7 @@ class ConsoleAuthManager(manager.Manager):
+ def check_token(self, context, token):
+ token_valid = token in self.tokens
+ LOG.audit(_("Checking Token: %(token)s, %(token_valid)s)"), locals())
+- if token_valid and self._validate_console(token):
++ if token_valid and self._validate_console(context, token):
+ return self.tokens[token]
+
+ def delete_tokens_for_instance(self, context, instance_id):
+diff --git a/nova/tests/test_compute.py b/nova/tests/test_compute.py
+index 7bd6fcd..bff08a4 100644
+--- a/nova/tests/test_compute.py
++++ b/nova/tests/test_compute.py
+@@ -767,7 +767,8 @@ class ComputeTestCase(BaseTestCase):
+ console_valid = self.compute_api.validate_vnc_console(self.context,
+ instance['uuid'],
+ 'myhost',
+- '5900')
++ '5900',
++ 'novnc')
+ self.assertTrue(console_valid)
+ self.compute.terminate_instance(self.context, instance['uuid'])
+
+@@ -783,7 +784,8 @@ class ComputeTestCase(BaseTestCase):
+ console_valid = self.compute_api.validate_vnc_console(self.context,
+ instance['uuid'],
+ 'myhost',
+- '5900')
++ '5900',
++ 'novnc')
+ self.assertFalse(console_valid)
+ self.compute.terminate_instance(self.context, instance['uuid'])
+
+@@ -793,7 +795,7 @@ class ComputeTestCase(BaseTestCase):
+ self.compute.run_instance(self.context, instance['uuid'])
+ self.assertRaises(exception.InstanceNotFound,
+ self.compute_api.validate_vnc_console,
+- self.context, 5555, 'myhost', '5900')
++ self.context, 5555, 'myhost', '5900', 'novnc')
+ self.compute.terminate_instance(self.context, instance['uuid'])
+
+ def test_xvpvnc_vnc_console(self):
diff -Nru nova-2012.1.1/debian/patches/series nova-2012.1.1/debian/patches/series
--- nova-2012.1.1/debian/patches/series 2013-03-14 21:09:18.000000000 +0000
+++ nova-2012.1.1/debian/patches/series 2013-04-01 14:49:11.000000000 +0000
@@ -11,3 +11,4 @@
CVE-2013-0335_VNC-proxy-can-connect-to-the-wrong-VM.patch
CVE-2013-0335_VNC-unit-tests-fixes.patch
CVE-2013-1838-Nova_DoS_by_allocating_all_Fixed_IPs_essex.patch
+Fixed_broken_vncproxy_flush_tokens.patch
--- End Message ---
--- Begin Message ---
On Tue, 2013-04-02 at 01:07 +0800, Thomas Goirand wrote:
> On 04/01/2013 11:24 PM, Adam D. Barratt wrote:
> > On Mon, 2013-04-01 at 23:08 +0800, Thomas Goirand wrote:
> >> The security fix "Nova DoS by allocating all Fixed IPs" broke the
> >> vncproxy feature of Nova. Version 2012.1.1-16 correct this.
> >
> > You downgraded the relevant bug (#703242) from grave to "only" important
> > a few days ago. Could you clarify what you consider the severity of this
> > issue to be?
[...]
> So depending if the bug severity applies to the binary package
> nova-xvpvncproxy, or to all of Nova, it could be considered either Grave
> or Important.
Well, if it makes the binary package unusable, then it's RC for that
binary package.
> I downgraded this bug because I thought it didn't deserve a huge
> highlight at this point of the release, and I thought it was a bad idea
> to have it as RC at this point in time. In other words: I didn't #704468
> was a reason good enough to delay Wheezy, and have others focus on it
> when I knew that upstream was working on validating the patch, even
> though a fix would have been nice.
>
> I hope you will find my reasoning correct.
The reason I asked is that as per the last release update on d-d-a,
we're only looking at RC fixes now. I'm inclined to say the bug should
be RC though, so unblocked.
Regards,
Adam
--- End Message ---