Your message dated Sun, 21 Feb 2016 10:56:54 +0000 with message-id <20160221105654.GO6200@betterave.cristau.org> and subject line Re: Bug#719632: Prepared a new Wheezy update for Nova has caused the Debian Bug report #719632, regarding pu: package nova/2012.1.1-18 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
719632: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719632
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: pu: package nova/2012.1.1-18
- From: Thomas Goirand <zigo@debian.org>
- Date: Tue, 13 Aug 2013 20:46:34 +0200
- Message-id: <20130813184634.7052.87721.reportbug@buzig.gplhost.com>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

Please find attached a series of corrections I want to add to the current Nova package. It comes from the output of git format-patch of the wheezy branch of the Nova package, since the global debdiff for the package was less readable.

In the 0001-CVE-2013-2096-OSSA-2013-012-Check-QCOW2-image-size-d.patch patch, there's normally a quilt refresh output, which I have removed from the attached file so that you can read it better.

Please let me know which of these patches is considered acceptable from the release team's point of view.

Cheers,

Thomas Goirand (zigo)

>From 4f384d61f29b604601bc69f66bfa8b10d440dcac Mon Sep 17 00:00:00 2001 From: Thomas Goirand <thomas@goirand.fr> Date: Sat, 13 Jul 2013 22:37:23 +0800 Subject: [PATCH 2/6] Do not use file from /usr/share/doc/nova-compute-xen in postinst (Closes: #710507) --- debian/changelog | 2 ++ debian/nova-compute-xen.postinst | 2 +- debian/rules | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 3c5bf44..6e6eaaf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,8 @@ nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low * CVE-2013-2096: [OSSA 2013-012] Check QCOW2 image size during root disk creation (Closes: #710157). * Refreshes various patches (removes offsets when applying). + * Do not use file from /usr/share/doc/nova-compute-xen in postinst, thanks + to Andreas Beckmann for reporting (Closes: #710507). -- Thomas Goirand <zigo@debian.org> Sat, 13 Jul 2013 22:26:11 +0800 diff --git a/debian/nova-compute-xen.postinst b/debian/nova-compute-xen.postinst index f74e389..098c2c2 100644 --- a/debian/nova-compute-xen.postinst +++ b/debian/nova-compute-xen.postinst 
@@ -10,7 +10,7 @@ if [ "$1" = "configure" -o "$1" = "reconfigure" ]; then mkdir /etc/nova fi if ! [ -f ${XENAPI_CONFFILE} ] ; then - cp /usr/share/doc/nova-compute-xen/nova-compute.conf.dist ${XENAPI_CONFFILE} + cp /usr/share/nova-compute-xen/nova-compute.conf.dist ${XENAPI_CONFFILE} fi . /usr/share/debconf/confmodule diff --git a/debian/rules b/debian/rules index 6c91641..6fc41f1 100755 --- a/debian/rules +++ b/debian/rules @@ -30,7 +30,7 @@ override_dh_install: for hypervisor in qemu kvm uml lxc; do \ install -D -m 0600 $(CURDIR)/debian/nova-compute-$${hypervisor}.conf $(CURDIR)/debian/nova-compute-$${hypervisor}/etc/nova/nova-compute.conf; \ done - install -D -m 0600 $(CURDIR)/debian/nova-compute-xen.conf.dist $(CURDIR)/debian/nova-compute-xen/usr/share/doc/nova-compute-xen/nova-compute.conf.dist + install -D -m 0600 $(CURDIR)/debian/nova-compute-xen.conf.dist $(CURDIR)/debian/nova-compute-xen/usr/share/nova-compute-xen/nova-compute.conf.dist override_dh_fixperms: dh_fixperms -Xnova_sudoers -- 1.7.10.4>From 55f8951757e0923c6919381e280ca4e7a3f7c321 Mon Sep 17 00:00:00 2001 From: Thomas Goirand <thomas@goirand.fr> Date: Sat, 13 Jul 2013 23:03:05 +0800 Subject: [PATCH 4/6] Fixes log rotation of nova-consoleauth.log and nova-xvpvncproxy.log (Closes: #706011) --- debian/changelog | 5 +++++ debian/nova-console.logrotate | 2 +- debian/nova-xvpvncproxy.logrotate | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index 6c73dd9..a873cb7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,6 @@ nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low + [ Thomas Goirand ] * CVE-2013-2096: [OSSA 2013-012] Check QCOW2 image size during root disk creation (Closes: #710157). * Refreshes various patches (removes offsets when applying). 
@@ -7,6 +8,10 @@ nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low to Andreas Beckmann for reporting (Closes: #710507). * Updates debian/gbp.conf to use the debian/wheezy branch for building. + [ Julien Cristau ] + * Fixes log rotation of nova-consoleauth.log and nova-xvpvncproxy.log + (Closes: #706011). + -- Thomas Goirand <zigo@debian.org> Sat, 13 Jul 2013 22:26:11 +0800 nova (2012.1.1-18) unstable; urgency=low diff --git a/debian/nova-console.logrotate b/debian/nova-console.logrotate index a56813d..1ff85db 100644 --- a/debian/nova-console.logrotate +++ b/debian/nova-console.logrotate @@ -1,4 +1,4 @@ -/var/log/nova/nova-console.log { +/var/log/nova/nova-console.log /var/log/nova/nova-consoleauth.log { daily copytruncate missingok diff --git a/debian/nova-xvpvncproxy.logrotate b/debian/nova-xvpvncproxy.logrotate index 1526551..c10ec6a 100644 --- a/debian/nova-xvpvncproxy.logrotate +++ b/debian/nova-xvpvncproxy.logrotate @@ -1,4 +1,4 @@ -/var/log/nova/nova-vncproxy.log { +/var/log/nova/nova-xvpvncproxy.log { daily missingok -} \ No newline at end of file +} -- 1.7.10.4>From 6eb5f96ec63bb8033f8a06394c1144211e653971 Mon Sep 17 00:00:00 2001 From: Thomas Goirand <thomas@goirand.fr> Date: Sat, 13 Jul 2013 23:17:23 +0800 Subject: [PATCH 6/6] Applies https://review.openstack.org/#/c/10168/: resolves issue where querying /v1.1/$tenant/os-hosts returns an empty list (Closes: #689318). --- debian/changelog | 2 + ..._os-hosts_does_not_return_a_list_of_hosts.patch | 62 ++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 65 insertions(+) create mode 100644 debian/patches/api_v1.1_os-hosts_does_not_return_a_list_of_hosts.patch diff --git a/debian/changelog b/debian/changelog index 97340c6..8fd817d 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -7,6 +7,8 @@ nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low * Do not use file from /usr/share/doc/nova-compute-xen in postinst, thanks to Andreas Beckmann for reporting (Closes: #710507). * Updates debian/gbp.conf to use the debian/wheezy branch for building. + * Applies https://review.openstack.org/#/c/10168/: resolves issue where + querying /v1.1/$tenant/os-hosts returns an empty list (Closes: #689318). [ Julien Cristau ] * Fixes log rotation of nova-consoleauth.log and nova-xvpvncproxy.log diff --git a/debian/patches/api_v1.1_os-hosts_does_not_return_a_list_of_hosts.patch b/debian/patches/api_v1.1_os-hosts_does_not_return_a_list_of_hosts.patch new file mode 100644 index 0000000..d3036cb --- /dev/null +++ b/debian/patches/api_v1.1_os-hosts_does_not_return_a_list_of_hosts.patch 
@@ -0,0 +1,62 @@ +Description: API 'v1.1/{tenant_id}/os-hosts' does not return a list of hosts + Backports fix for bug 1014925 to stable/essex, which resolves issue + where querying /v1.1/$tenant/os-hosts returns an empty list. + . + Original fix by Joe Gordon reviewed into Folsom at: + https://review.openstack.org/#/c/8682/2 +Author: Adam Gandelman <adamg@canonical.com> +Origin: https://review.openstack.org/#/c/10168/ +Bug-Ubuntu: https://bugs.launchpad.net/nova/+bug/1014925 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689318 +Date: Mon, 23 Jul 2012 13:16:46 -0700 + +diff --git a/nova/api/openstack/compute/contrib/hosts.py b/nova/api/openstack/compute/contrib/hosts.py +index a93da9e..202c8ca 100644 +--- a/nova/api/openstack/compute/contrib/hosts.py ++++ b/nova/api/openstack/compute/contrib/hosts.py +@@ -98,7 +97,10 @@ def _list_hosts(req, service=None): + by service type. + """ + context = req.environ['nova.context'] +- hosts = scheduler_api.get_host_list(context) ++ services = db.service_get_all(context, False) ++ hosts = [] ++ for host in services: ++ hosts.append({"host_name": host['host'], 'service': host['topic']}) + if service: + hosts = [host for host in hosts + if host["service"] == service] +diff --git a/nova/tests/api/openstack/compute/contrib/test_hosts.py b/nova/tests/api/openstack/compute/contrib/test_hosts.py +index 77beeae..0482eb5 100644 +--- a/nova/tests/api/openstack/compute/contrib/test_hosts.py ++++ b/nova/tests/api/openstack/compute/contrib/test_hosts.py +@@ -36,10 +36,15 @@ HOST_LIST = [ + {"host_name": "host_c2", "service": "compute"}, + {"host_name": "host_v1", "service": "volume"}, + {"host_name": "host_v2", "service": "volume"}] ++SERVICES_LIST = [ ++ {"host": "host_c1", "topic": "compute"}, ++ {"host": "host_c2", "topic": "compute"}, ++ {"host": "host_v1", "topic": "volume"}, ++ {"host": "host_v2", "topic": "volume"}] + + +-def stub_get_host_list(req): +- return HOST_LIST ++def stub_service_get_all(self, req): ++ return 
SERVICES_LIST + + + def stub_set_host_enabled(context, host, enabled): +@@ -104,7 +109,7 @@ class HostTestCase(test.TestCase): + super(HostTestCase, self).setUp() + self.controller = os_hosts.HostController() + self.req = FakeRequest() +- self.stubs.Set(scheduler_api, 'get_host_list', stub_get_host_list) ++ self.stubs.Set(db, 'service_get_all', stub_service_get_all) + self.stubs.Set(self.controller.api, 'set_host_enabled', + stub_set_host_enabled) + self.stubs.Set(self.controller.api, 'set_host_maintenance', +-- +1.7.9.5 + diff --git a/debian/patches/series b/debian/patches/series index 09870f1..368396f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -13,3 +13,4 @@ CVE-2013-0335_VNC-unit-tests-fixes.patch CVE-2013-1838-Nova_DoS_by_allocating_all_Fixed_IPs_essex.patch Fixed_broken_vncproxy_flush_tokens.patch CVE-2013-2096_Check_QCOW2_image_size_during_root_disk_creation.patch +api_v1.1_os-hosts_does_not_return_a_list_of_hosts.patch -- 1.7.10.4>From ee41980298466701db4235eef432e81c4fa28fe2 Mon Sep 17 00:00:00 2001 From: Thomas Goirand <thomas@goirand.fr> Date: Sat, 13 Jul 2013 22:48:06 +0800 Subject: [PATCH 3/6] Updates debian/gbp.conf to use the debian/wheezy branch for building. --- debian/changelog | 1 + debian/gbp.conf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 6e6eaaf..6c73dd9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,7 @@ nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low * Refreshes various patches (removes offsets when applying). * Do not use file from /usr/share/doc/nova-compute-xen in postinst, thanks to Andreas Beckmann for reporting (Closes: #710507). + * Updates debian/gbp.conf to use the debian/wheezy branch for building. -- Thomas Goirand <zigo@debian.org> Sat, 13 Jul 2013 22:26:11 +0800 diff --git a/debian/gbp.conf b/debian/gbp.conf index ccf8702..91ccdf6 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf 
@@ -1,6 +1,6 @@ [DEFAULT] upstream-branch = master -debian-branch = debian/unstable +debian-branch = debian/wheezy upstream-tag = %(version)s compression = xz -- 1.7.10.4>From 3e006e5a949d6f2a57e1a84888d4a44dd1a354ba Mon Sep 17 00:00:00 2001 From: Thomas Goirand <thomas@goirand.fr> Date: Sat, 13 Jul 2013 22:32:52 +0800 Subject: [PATCH 1/6] * CVE-2013-2096: [OSSA 2013-012] Check QCOW2 image size during root disk creation (Closes: #710157). * Refreshes various patches (removes offsets when applying). --- debian/changelog | 8 ++ ...-volume-from-specifying-arbitrary-volumes.patch | 23 +++-- ...335_VNC-proxy-can-connect-to-the-wrong-VM.patch | 57 ++++++------- ...ova_DoS_by_allocating_all_Fixed_IPs_essex.patch | 90 ++++++++++---------- ...COW2_image_size_during_root_disk_creation.patch | 34 ++++++++ .../Fixed_broken_vncproxy_flush_tokens.patch | 36 ++++---- debian/patches/series | 1 + 7 files changed, 143 insertions(+), 106 deletions(-) create mode 100644 debian/patches/CVE-2013-2096_Check_QCOW2_image_size_during_root_disk_creation.patch diff --git a/debian/changelog b/debian/changelog index 4de16bf..3c5bf44 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low + + * CVE-2013-2096: [OSSA 2013-012] Check QCOW2 image size during root disk + creation (Closes: #710157). + * Refreshes various patches (removes offsets when applying). + + -- Thomas Goirand <zigo@debian.org> Sat, 13 Jul 2013 22:26:11 +0800 + nova (2012.1.1-18) unstable; urgency=low * nova-common isn't anymore using /usr/share/doc to store configuration files diff --git a/debian/patches/CVE-2013-2096_Check_QCOW2_image_size_during_root_disk_creation.patch b/debian/patches/CVE-2013-2096_Check_QCOW2_image_size_during_root_disk_creation.patch new file mode 100644 index 0000000..000e0b3 --- /dev/null +++ b/debian/patches/CVE-2013-2096_Check_QCOW2_image_size_during_root_disk_creation.patch 
@@ -0,0 +1,34 @@ +Description: Check QCOW2 image size during root disk creation + glance can only tell us the size of the file, not the virtual + size of the QCOW2. As such we need to check the virtual size of + the image once its cached and ensure it's <= to the flavor's + root disk size. Based on I833467284126557eb598b8350a84e10c06292fa9 +Author: Jamie Strandboge <jamie@canonical.com> +Origin: https://bugs.launchpad.net/nova/+bug/1177830/comments/21 +Bug-Ubuntu: https://launchpad.net/bugs/1177830 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710157 +Last-Update: 2013-07-13 + +Index: nova/nova/virt/libvirt/connection.py +=================================================================== +--- nova.orig/nova/virt/libvirt/connection.py 2013-07-13 22:30:01.000000000 +0800 ++++ nova/nova/virt/libvirt/connection.py 2013-07-13 22:30:01.000000000 +0800 +@@ -1125,6 +1125,18 @@ + if cow: + cow_base = base + if size: ++ # NOTE(cfb): Having a flavor that sets the root size to ++ # 0 and having nova effectively ignore that ++ # size and use the size of the image is ++ # considered a feature at this time, not a ++ # bug. ++ if os.path.exists(cow_base) and \ ++ size < disk.get_image_virtual_size(cow_base): ++ LOG.error(_("%(base)s virtual size larger than " ++ "flavor root disk size %(size)s" % ++ {'base': cow_base, 'size': size})) ++ raise exception.ImageTooLarge() ++ + size_gb = size / (1024 * 1024 * 1024) + cow_base += "_%d" % size_gb + if not os.path.exists(cow_base): diff --git a/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch b/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch index 1ba22c2..b605564 100644 --- a/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch +++ b/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch>From d67817dbf1a5406d43ae2eadec76d4fa291ca9e2 Mon Sep 17 00:00:00 2001 
From: Thomas Goirand <thomas@goirand.fr> Date: Sat, 13 Jul 2013 23:06:28 +0800 Subject: [PATCH 5/6] * Add optional postgresql dependency to a number of init script to ensure proper startup ordering if nova is configured to use a local postgresql backend. (applied patch from jcristau). --- debian/changelog | 3 +++ debian/nova-cert.init | 2 ++ debian/nova-console.init | 2 ++ debian/nova-console.nova-consoleauth.init | 2 ++ debian/nova-scheduler.init | 2 ++ debian/nova-volume.init | 2 ++ 6 files changed, 13 insertions(+) diff --git a/debian/changelog b/debian/changelog index a873cb7..97340c6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,6 +11,9 @@ nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low [ Julien Cristau ] * Fixes log rotation of nova-consoleauth.log and nova-xvpvncproxy.log (Closes: #706011). + * Add optional postgresql dependency to a number of init script to ensure + proper startup ordering if nova is configured to use a local postgresql + backend (Closes: #706013). -- Thomas Goirand <zigo@debian.org> Sat, 13 Jul 2013 22:26:11 +0800 diff --git a/debian/nova-cert.init b/debian/nova-cert.init index b8d822e..0b7edee 100644 --- a/debian/nova-cert.init +++ b/debian/nova-cert.init @@ -3,6 +3,8 @@ # Provides: nova-cert # Required-Start: $network $local_fs $remote_fs $syslog # Required-Stop: $remote_fs +# Should-Start: postgresql mysql +# Should-Stop: postgresql mysql # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Nova Cert server diff --git a/debian/nova-console.init b/debian/nova-console.init index 399354e..6a47de2 100644 --- a/debian/nova-console.init +++ b/debian/nova-console.init @@ -3,6 +3,8 @@ # Provides: nova-console # Required-Start: $network $local_fs $remote_fs $syslog # Required-Stop: $remote_fs +# Should-Start: postgresql mysql +# Should-Stop: postgresql mysql # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Nova Console for XenServer and XVP 
diff --git a/debian/nova-console.nova-consoleauth.init b/debian/nova-console.nova-consoleauth.init index 1a5f2a5..1103747 100644 --- a/debian/nova-console.nova-consoleauth.init +++ b/debian/nova-console.nova-consoleauth.init @@ -3,6 +3,8 @@ # Provides: nova-consoleauth # Required-Start: $network $local_fs $remote_fs $syslog # Required-Stop: $remote_fs +# Should-Start: postgresql mysql +# Should-Stop: postgresql mysql # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Nova Console auth system for XenServer and XVP diff --git a/debian/nova-scheduler.init b/debian/nova-scheduler.init index 19337af..de4dff4 100644 --- a/debian/nova-scheduler.init +++ b/debian/nova-scheduler.init @@ -3,6 +3,8 @@ # Provides: nova-scheduler # Required-Start: $network $local_fs $remote_fs $syslog # Required-Stop: $remote_fs +# Should-Start: postgresql mysql +# Should-Stop: postgresql mysql # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Nova Scheduler diff --git a/debian/nova-volume.init b/debian/nova-volume.init index ab77119..6392839 100644 --- a/debian/nova-volume.init +++ b/debian/nova-volume.init @@ -3,6 +3,8 @@ # Provides: nova-volume # Required-Start: $network $local_fs $remote_fs $syslog # Required-Stop: $remote_fs +# Should-Start: postgresql mysql +# Should-Stop: postgresql mysql # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Nova Volume -- 1.7.10.4
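Review bot: In [PATCH 2/6], debian/nova-compute-xen.postinst, the `cp /usr/share/nova-compute-xen/nova-compute.conf.dist ${XENAPI_CONFFILE}` line sets no mode or owner on the new configuration file, so its permissions depend on root's umask and on the template having been installed with `-m 0600` in debian/rules. Using `install -m 0600` (plus an explicit owner if the service needs to read the file) in the postinst would make the result independent of the template's mode, and `${XENAPI_CONFFILE}` should be quoted in both the `[ -f ... ]` test and the copy.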
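Review bot: In [PATCH 4/6], debian/nova-xvpvncproxy.logrotate, the corrected stanza still contains only `daily` and `missingok`, while the debian/nova-console.logrotate stanza in the same patch uses `copytruncate`. Unless nova-xvpvncproxy reopens its log file on its own, it will keep writing to the rotated file after the rename and the new nova-xvpvncproxy.log stays empty; adding `copytruncate` here, as in the nova-console stanza, would keep the two files consistent.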
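Review bot: In [PATCH 6/6], the embedded hosts.py hunk calls `db.service_get_all(context, False)` and the test hunk stubs `db`, but no hunk in the embedded patch adds an import of `db` or drops the `scheduler_api` one. The header `@@ -98,7 +97,10 @@` starts one line earlier on the new side, which suggests the upstream change touched a line above this hunk that is not carried here. Please confirm that `db` is already imported in both hosts.py and test_hosts.py in the Essex tree, or include the import hunk. The three-line `for host in services:` loop could also be a single list comprehension, with consistent quoting of the `"host_name"` and `'service'` keys.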
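Review bot: In [PATCH 1/6], the connection.py hunk in the CVE-2013-2096 patch places the new virtual-size check inside `if cow:` and `if size:`, so images handled by the non-cow branch and flavors with a root size of 0 are not covered by it. The second case is documented in the NOTE(cfb) comment, but the patch description should state whether the non-cow path is bounded elsewhere. Separately, the `LOG.error(_("..." % {...}))` call applies the `%` interpolation inside `_()`, so the translation lookup is done on the already formatted string; it should read `_("...") % {'base': cow_base, 'size': size}`.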
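Review bot: In [PATCH 5/6], the commit subject and the debian/changelog entry describe only an optional postgresql dependency, while every init script hunk adds `# Should-Start: postgresql mysql` and `# Should-Stop: postgresql mysql`. The changelog entry should mention mysql as well so that the documented change matches the LSB headers. The changelog hunk also carries `(Closes: #706013)`, which the commit subject omits; the two should agree.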
--- End Message ---
--- Begin Message ---
- To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 719632-done@bugs.debian.org
- Cc: Moritz Mühlenhoff <jmm@inutil.org>, Thomas Goirand <zigo@debian.org>
- Subject: Re: Bug#719632: Prepared a new Wheezy update for Nova
- From: Julien Cristau <jcristau@debian.org>
- Date: Sun, 21 Feb 2016 10:56:54 +0000
- Message-id: <20160221105654.GO6200@betterave.cristau.org>
- In-reply-to: <4efd2a7bb2df20b71410d3f9b6b40d05@mail.adsl.funky-badger.org>
- References: <4efd2a7bb2df20b71410d3f9b6b40d05@mail.adsl.funky-badger.org>
On Sat, Jan 17, 2015 at 12:03:43 +0000, Adam D. Barratt wrote:

> On 2013-12-09 17:12, Moritz Mühlenhoff wrote:
> >>Here's the new changelog, with the remarks of J.Cristau taken into
> >>account:
> >>
> >>[ Thomas Goirand ]
> >>* CVE-2013-4261: [OSSA 2013-026] Fix problem with long messages in Qpid.
> >>* CVE-2013-2096: [OSSA 2013-012] Check QCOW2 image size during root disk
> >>  creation (Closes: #710157).
> >
> >The security tracker lists more issues potentially affecting stable:
> >
> >CVE-2013-0326
> >CVE-2013-2255 Inconsistent and non-validating HTTPS client
> >CVE-2013-4179 The security group extension in OpenStack Compute (Nova)
> >Grizzly ...
> >CVE-2013-4185 Algorithmic complexity vulnerability in OpenStack
> >Compute (Nova) ...
> >CVE-2013-4463 Compressed disk image DoS
> >CVE-2013-4469 OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when
> >...
> >CVE-2013-4497 The XenAPI backend in OpenStack Compute (Nova) Folsom,
> >Grizzly, and ...
> >
> >Do these affect stable and can they be fixed along?
>
> Ping?
>
No reply in over a year, closing.

Cheers,
Julien

Attachment: signature.asc
Description: PGP signature
--- End Message ---