[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#770439: marked as done (unblock: neutron/2014.1.3-6 (CVE-2014-7821 fix: DoS through invalid DNS configuration))

Your message dated Fri, 21 Nov 2014 13:10:05 +0000
with message-id <cd830e4452f17a3156ab14c279c211d1@hogwarts.powdarrmonkey.net>
and subject line Re: Bug#770439: unblock: neutron/2014.1.3-7 (CVE-2014-7821 fix: DoS  through invalid DNS configuration)
has caused the Debian Bug report #770439,
regarding unblock: neutron/2014.1.3-6 (CVE-2014-7821 fix: DoS through invalid DNS configuration)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
770439: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770439
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: important
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

Version 2014.1.3-6 of Neutron include a fix for CVE-2014-7821: DoS through
invalid DNS configuration. The fix is really minimal, it's basically a change
in the regexp that was taking too long to validate input. Debdiff attached.

Please unblock neutron/2014.1.3-6.

Cheers,

Thomas Goirand (zigo)

diff -Nru neutron-2014.1.3/debian/changelog neutron-2014.1.3/debian/changelog
--- neutron-2014.1.3/debian/changelog	2014-10-25 08:09:28.000000000 +0000
+++ neutron-2014.1.3/debian/changelog	2014-11-21 08:26:09.000000000 +0000
@@ -1,3 +1,10 @@
+neutron (2014.1.3-6) unstable; urgency=high
+
+  * CVE-2014-7821: DoS through invalid DNS configuration. Applied upstream
+    patch: Fix hostname regex pattern (Closes: #770431).
+
+ -- Thomas Goirand <zigo@debian.org>  Fri, 21 Nov 2014 16:25:18 +0800
+
 neutron (2014.1.3-5) unstable; urgency=medium
 
   * Adds Danish debconf translations thanks to Joe Dalton <joedalton2@yahoo.dk>
diff -Nru neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch
--- neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch	1970-01-01 00:00:00.000000000 +0000
+++ neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch	2014-11-21 08:26:09.000000000 +0000
@@ -0,0 +1,38 @@
+Description: CVE-2014-7821: Fix hostname regex pattern
+ Current hostname_pattern regex complexity grows exponentially when given a
+ string of just digits, which can be exploited to cause neutron-server to
+ freeze.
+Author: John Perkins <john.perkins@rackspace.com>
+Origin: upstream, https://review.openstack.org/#/c/135624/
+Date:   Mon Oct 6 16:24:57 2014 -0500
+Bug-Debian: https://bugs.debian.org/770431
+Bug-Ubuntu: https://launchpad.net/bugs/1378450
+Last-Update: 2014-11-21
+
+Index: neutron/neutron/api/v2/attributes.py
+===================================================================
+--- neutron.orig/neutron/api/v2/attributes.py	2014-10-25 16:10:17.000000000 +0800
++++ neutron/neutron/api/v2/attributes.py	2014-11-21 16:22:21.000000000 +0800
+@@ -537,8 +537,8 @@
+         return [data]
+ 
+ 
+-HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]"
+-                    "{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)")
++HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+.|-)[a-zA-Z0-9_\-]{1,62}"
++                    "[a-zA-Z0-9]\.?)+(?:[a-zA-Z]{2,})$)")
+ 
+ HEX_ELEM = '[0-9A-Fa-f]'
+ UUID_PATTERN = '-'.join([HEX_ELEM + '{8}', HEX_ELEM + '{4}',
+Index: neutron/neutron/tests/unit/test_attributes.py
+===================================================================
+--- neutron.orig/neutron/tests/unit/test_attributes.py	2014-10-25 16:10:17.000000000 +0800
++++ neutron/neutron/tests/unit/test_attributes.py	2014-11-21 16:22:21.000000000 +0800
+@@ -283,6 +283,7 @@
+                     ['www.hostname.com', 'www.hostname.com'],
+                     ['77.hostname.com'],
+                     ['1000.0.0.1'],
++                    ['111111111111111111111111111111111111111111111111111111111111'],  # noqa
+                     None]
+ 
+         for ns in ns_pools:
diff -Nru neutron-2014.1.3/debian/patches/series neutron-2014.1.3/debian/patches/series
--- neutron-2014.1.3/debian/patches/series	2014-10-25 08:09:28.000000000 +0000
+++ neutron-2014.1.3/debian/patches/series	2014-11-21 08:26:09.000000000 +0000
@@ -5,3 +5,4 @@
 Properly_apply_column_default_in_migration_pool_monitor_status.patch
 #sane-defaults-for-ml2_conf.ini.patch
 #sane-defaults-for-dhcp_agent.ini.patch
+cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch

--- End Message ---
--- Begin Message --- 
On 2014-11-21 11:09, Thomas Goirand wrote:
Version 2014.1.3-6 of Neutron include a fix for CVE-2014-7821: DoS through invalid DNS configuration. The fix is really minimal, it's basically a change in the regexp that was taking too long to validate input. Debdiff attached. 

Please unblock neutron/2014.1.3-6.

Cheers,

Thomas Goirand (zigo)


Hi,

I've added another patch to remove the use of PROTOCOL_SSLv3 in oslo
incubator, included in Neutron, since that support is gone from Debian
Sid. I'm not sure if Neutron uses that, but I just want to be safe here. 
I've attached the new debdiff. (note that all unit tests but one Cisco
related one are passing, just like before...)


Unblocked.

--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits

--- End Message ---
Reply to: