Bug#769183: unblock: nova/2014.1.3-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear release team,
My last upload of nova fixes:
- CVE-2014-3708: Nova network DoS through API filtering (upstream patch).
- VM live migration over an NFS-based volume (fix from Mehdi, who is a DM and
  also a very active upstream contributor).
Note also that this last upload fixes the last unit test failures at package
build time (these appeared after the CEPH patches were rebased against the
last point release). It is quite nice and comforting to see that these problems
are now gone with this last upload.
Debdiff attached.
Please unblock nova/2014.1.3-6.
Cheers,
Thomas Goirand (zigo)
diff -Nru nova-2014.1.3/debian/changelog nova-2014.1.3/debian/changelog
--- nova-2014.1.3/debian/changelog 2014-10-17 14:07:02.000000000 +0000
+++ nova-2014.1.3/debian/changelog 2014-11-11 20:52:52.000000000 +0000
@@ -1,3 +1,14 @@
+nova (2014.1.3-6) unstable; urgency=high
+
+ [ Mehdi Abaakouk ]
+ * Fix a issue into fix-live-migraton-nfs.patch.
+
+ [ Thomas Goirand ]
+ * CVE-2014-3708: Nova network DoS through API filtering. Applied upstream
+ patch: Fixes_DOS_issue_in_instance_list_ip_filter (Closes: #769163).
+
+ -- Thomas Goirand <zigo@debian.org> Wed, 12 Nov 2014 04:42:15 +0800
+
nova (2014.1.3-5) unstable; urgency=high
* CVE-2014-7230 & CVE-2014-7231: Potential leak of passwords into log files.
diff -Nru nova-2014.1.3/debian/patches/CVE-2014-3708_Fixes_DOS_issue_in_instance_list_ip_filter.patch nova-2014.1.3/debian/patches/CVE-2014-3708_Fixes_DOS_issue_in_instance_list_ip_filter.patch
--- nova-2014.1.3/debian/patches/CVE-2014-3708_Fixes_DOS_issue_in_instance_list_ip_filter.patch 1970-01-01 00:00:00.000000000 +0000
+++ nova-2014.1.3/debian/patches/CVE-2014-3708_Fixes_DOS_issue_in_instance_list_ip_filter.patch 2014-11-11 20:52:52.000000000 +0000
@@ -0,0 +1,184 @@
+Description: Fixes DOS issue in instance list ip filter
+ Converts the ip filtering to filter the list locally based on the network info
+ cache instead of making an extremely expensive call over to nova network where
+ it attempts to retrieve a list of every instance in the system.
+Author: Vishvananda Ishaya <vishvananda@gmail.com>
+Origin: upstream, https://review.openstack.org/#/c/131461/
+Date: Tue, 23 Sep 2014 06:31:07 +0000 (-0700)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff_plain;h=b6a080bbdaf1a5d8534e8e0519e150f55c46d18c
+Change-Id: I455f6ab4acdecacc5152b11a183027f933dc4475
+Bug-Ubuntu: https://bugs.launchpad.net/nova/+bug/1358583
+Bug-Debian: https://bugs.debian.org/769163
+Last-Update: 2014-11-12
+
+Index: nova/nova/compute/api.py
+===================================================================
+--- nova.orig/nova/compute/api.py 2014-10-29 19:54:53.000000000 +0800
++++ nova/nova/compute/api.py 2014-11-12 04:42:04.000000000 +0800
+@@ -1885,6 +1885,9 @@
+ sort_key, sort_dir, limit=limit, marker=marker,
+ expected_attrs=expected_attrs)
+
++ if 'ip6' in filters or 'ip' in filters:
++ inst_models = self._ip_filter(inst_models, filters)
++
+ if want_objects:
+ return inst_models
+
+@@ -1895,18 +1898,29 @@
+
+ return instances
+
++ @staticmethod
++ def _ip_filter(inst_models, filters):
++ ipv4_f = re.compile(str(filters.get('ip')))
++ ipv6_f = re.compile(str(filters.get('ip6')))
++ result_objs = []
++ for instance in inst_models:
++ nw_info = compute_utils.get_nw_info_for_instance(instance)
++ for vif in nw_info:
++ for fixed_ip in vif.fixed_ips():
++ address = fixed_ip.get('address')
++ if not address:
++ continue
++ version = fixed_ip.get('version')
++ if ((version == 4 and ipv4_f.match(address)) or
++ (version == 6 and ipv6_f.match(address))):
++ result_objs.append(instance)
++ continue
++ return instance_obj.InstanceList(objects=result_objs)
++
+ def _get_instances_by_filters(self, context, filters,
+ sort_key, sort_dir,
+ limit=None,
+ marker=None, expected_attrs=None):
+- if 'ip6' in filters or 'ip' in filters:
+- res = self.network_api.get_instance_uuids_by_ip_filter(context,
+- filters)
+- # NOTE(jkoelker) It is possible that we will get the same
+- # instance uuid twice (one for ipv4 and ipv6)
+- uuids = set([r['instance_uuid'] for r in res])
+- filters['uuid'] = uuids
+-
+ fields = ['metadata', 'system_metadata', 'info_cache',
+ 'security_groups']
+ if expected_attrs:
+Index: nova/nova/tests/compute/test_compute.py
+===================================================================
+--- nova.orig/nova/tests/compute/test_compute.py 2014-11-12 04:41:35.000000000 +0800
++++ nova/nova/tests/compute/test_compute.py 2014-11-12 04:42:04.000000000 +0800
+@@ -58,6 +58,7 @@
+ from nova.objects import block_device as block_device_obj
+ from nova.objects import instance as instance_obj
+ from nova.objects import instance_group as instance_group_obj
++from nova.objects import instance_info_cache as cache_obj
+ from nova.objects import migration as migration_obj
+ from nova.objects import quotas as quotas_obj
+ from nova.openstack.common.gettextutils import _
+@@ -81,7 +82,6 @@
+ from nova.tests import matchers
+ from nova.tests.objects import test_flavor
+ from nova.tests.objects import test_migration
+-from nova.tests.objects import test_network
+ from nova import utils
+ from nova.virt import block_device as driver_block_device
+ from nova.virt import event
+@@ -6722,6 +6722,35 @@
+ self.assertIsNone(instance['task_state'])
+ return instance, instance_uuid
+
++ def test_ip_filtering(self):
++ info = [{
++ 'address': 'aa:bb:cc:dd:ee:ff',
++ 'id': 1,
++ 'network': {
++ 'bridge': 'br0',
++ 'id': 1,
++ 'label': 'private',
++ 'subnets': [{
++ 'cidr': '192.168.0.0/24',
++ 'ips': [{
++ 'address': '192.168.0.10',
++ 'type': 'fixed',
++ }]
++ }]
++ }
++ }]
++
++ info1 = cache_obj.InstanceInfoCache(network_info=jsonutils.dumps(info))
++ inst1 = instance_obj.Instance(id=1, info_cache=info1)
++ info[0]['network']['subnets'][0]['ips'][0]['address'] = '192.168.0.20'
++ info2 = cache_obj.InstanceInfoCache(network_info=jsonutils.dumps(info))
++ inst2 = instance_obj.Instance(id=2, info_cache=info2)
++ instances = instance_obj.InstanceList(objects=[inst1, inst2])
++
++ instances = self.compute_api._ip_filter(instances, {'ip': '.*10'})
++ self.assertEqual(len(instances), 1)
++ self.assertEqual(instances[0].id, 1)
++
+ def test_create_with_too_little_ram(self):
+ # Test an instance type with too little memory.
+
+@@ -7526,33 +7555,47 @@
+ db.instance_destroy(c, instance2['uuid'])
+ db.instance_destroy(c, instance3['uuid'])
+
+- @mock.patch('nova.db.network_get')
+- @mock.patch('nova.db.fixed_ips_by_virtual_interface')
+- def test_get_all_by_multiple_options_at_once(self, fixed_get, network_get):
++ def test_get_all_by_multiple_options_at_once(self):
+ # Test searching by multiple options at once.
+ c = context.get_admin_context()
+- network_manager = fake_network.FakeNetworkManager(self.stubs)
+- fixed_get.side_effect = (
+- network_manager.db.fixed_ips_by_virtual_interface)
+- network_get.return_value = (
+- dict(test_network.fake_network,
+- **network_manager.db.network_get(None, 1)))
+- self.stubs.Set(self.compute_api.network_api,
+- 'get_instance_uuids_by_ip_filter',
+- network_manager.get_instance_uuids_by_ip_filter)
++
++ def fake_network_info(ip):
++ info = [{
++ 'address': 'aa:bb:cc:dd:ee:ff',
++ 'id': 1,
++ 'network': {
++ 'bridge': 'br0',
++ 'id': 1,
++ 'label': 'private',
++ 'subnets': [{
++ 'cidr': '192.168.0.0/24',
++ 'ips': [{
++ 'address': ip,
++ 'type': 'fixed',
++ }]
++ }]
++ }
++ }]
++ return jsonutils.dumps(info)
+
+ instance1 = self._create_fake_instance({
+ 'display_name': 'woot',
+ 'id': 1,
+- 'uuid': '00000000-0000-0000-0000-000000000010'})
++ 'uuid': '00000000-0000-0000-0000-000000000010',
++ 'info_cache': {'network_info':
++ fake_network_info('192.168.0.1')}})
+ instance2 = self._create_fake_instance({
+ 'display_name': 'woo',
+ 'id': 20,
+- 'uuid': '00000000-0000-0000-0000-000000000020'})
++ 'uuid': '00000000-0000-0000-0000-000000000020',
++ 'info_cache': {'network_info':
++ fake_network_info('192.168.0.2')}})
+ instance3 = self._create_fake_instance({
+ 'display_name': 'not-woot',
+ 'id': 30,
+- 'uuid': '00000000-0000-0000-0000-000000000030'})
++ 'uuid': '00000000-0000-0000-0000-000000000030',
++ 'info_cache': {'network_info':
++ fake_network_info('192.168.0.3')}})
+
+ # ip ends up matching 2nd octet here.. so all 3 match ip
+ # but 'name' only matches one
diff -Nru nova-2014.1.3/debian/patches/fix-live-migraton-nfs.patch nova-2014.1.3/debian/patches/fix-live-migraton-nfs.patch
--- nova-2014.1.3/debian/patches/fix-live-migraton-nfs.patch 2014-10-17 14:07:02.000000000 +0000
+++ nova-2014.1.3/debian/patches/fix-live-migraton-nfs.patch 2014-11-11 20:52:52.000000000 +0000
@@ -26,7 +26,7 @@
is_volume_backed = self.compute_api.is_volume_backed_instance(ctxt,
instance)
dest_check_data['is_volume_backed'] = is_volume_backed
-+ block_device_info = self._get_instance_volume_block_device_info(
++ block_device_info = self._get_instance_block_device_info(
+ ctxt, instance, refresh_conn_info=True)
return self.driver.check_can_live_migrate_source(ctxt, instance,
- dest_check_data)
@@ -44,14 +44,14 @@
self.mox.StubOutWithMock(self.compute.compute_api,
'is_volume_backed_instance')
+ self.mox.StubOutWithMock(self.compute,
-+ '_get_instance_volume_block_device_info')
++ '_get_instance_block_device_info')
self.mox.StubOutWithMock(self.compute.driver,
'check_can_live_migrate_source')
instance_p = obj_base.obj_to_primitive(instance)
self.compute.compute_api.is_volume_backed_instance(
self.context, instance).AndReturn(is_volume_backed)
-+ self.compute._get_instance_volume_block_device_info(
++ self.compute._get_instance_block_device_info(
+ self.context, instance, refresh_conn_info=True
+ ).AndReturn('fake-block-device-info')
self.compute.driver.check_can_live_migrate_source(
diff -Nru nova-2014.1.3/debian/patches/series nova-2014.1.3/debian/patches/series
--- nova-2014.1.3/debian/patches/series 2014-10-17 14:07:02.000000000 +0000
+++ nova-2014.1.3/debian/patches/series 2014-11-11 20:52:52.000000000 +0000
@@ -21,3 +21,4 @@
fix-live-migraton-nfs.patch
9990_update_german_programm_messages.patch
CVE-2014-7230_CVE-2014-7231_Sync_process_utils_from_oslo.patch
+CVE-2014-3708_Fixes_DOS_issue_in_instance_list_ip_filter.patch