--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package nova

This upload fixes CVE-2017-7214, and bumps openstack-pkg-tools build-depends
to >= 54~, to make sure the nova-api config script doesn't use /sbin/route
and /bin/ip if they aren't available (as they aren't essential packages).

Please unblock nova/14.0.0-4,
Cheers,

Thomas Goirand (zigo)
diff -Nru nova-14.0.0/debian/changelog nova-14.0.0/debian/changelog
--- nova-14.0.0/debian/changelog 2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/changelog 2017-04-02 10:52:50.000000000 +0000
@@ -1,3 +1,14 @@
+nova (2:14.0.0-4) unstable; urgency=medium
+
+ [ David Rabel ]
+ * Team upload.
+ * Bump build dependency on openstack-pkg-tools (Closes: #858708, #858710).
+
+ [ Thomas Goirand ]
+ * CVE-2017-7214: apply upstream patch (Closes: 858568).
+
+ -- Thomas Goirand <zigo@debian.org> Sun, 02 Apr 2017 12:52:50 +0200
+
nova (2:14.0.0-3) unstable; urgency=medium
[ Ondřej Nový ]
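Review bot: `(Closes: 858568)` on the CVE-2017-7214 entry drops the `#` prefix that the entry directly above uses (`Closes: #858708, #858710`); write it as `(Closes: #858568)` so the bug reference is in the same form throughout the entry and cannot be read as a stray number. The openstack-pkg-tools line also gives no reason for the bump; the unblock mail explains it is so the nova-api config script does not call /sbin/route and /bin/ip when they are absent, and that rationale belongs in the changelog so the release team and anyone reading the package history can see why a build dependency changed.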
diff -Nru nova-14.0.0/debian/control nova-14.0.0/debian/control
--- nova-14.0.0/debian/control 2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/control 2017-04-02 10:52:50.000000000 +0000
@@ -7,7 +7,7 @@
Build-Depends: debhelper (>= 10),
dh-python,
dh-systemd,
- openstack-pkg-tools (>= 52~),
+ openstack-pkg-tools (>= 54~),
po-debconf,
python-all,
python-pbr (>= 1.8),
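Review bot: this hunk raises the minimum openstack-pkg-tools only in Build-Depends, so the fix for the nova-api config script's use of /sbin/route and /bin/ip described in the request takes effect only if that script is generated into the binary package at build time from openstack-pkg-tools; if any part of it were instead supplied by a runtime dependency, a build-dependency bump alone would leave already-installed systems unchanged, so the unblock text should state that the script is build-generated. The `>= 54~` form is the right choice, since the trailing tilde also admits a pre-release or backport of 54.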
diff -Nru nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch
--- nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch 1970-01-01 00:00:00.000000000 +0000
+++ nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch 2017-04-02 10:52:50.000000000 +0000
@@ -0,0 +1,50 @@
+Description: CVE-2017-7214: do not include context to exception notification
+ The wrap_exception decorator optionally emited a notification.
+ Based on the code comments the original intention was not to include the
+ context to that notification due to security reasons. However the
+ implementation did included the context to the payload of the legacy
+ notification.
+ .
+ Recently we saw circural reference errors during the payload serialization
+ of this notification. Based on the logs the only complex data structure
+ that could cause circural reference is the context. So this patch
+ removes the context from the legacy exception notification.
+ .
+ The versioned exception notification is not affected as it does not
+ contain the args of the decorated function.
+Author: Balazs Gibizer <balazs.gibizer@ericsson.com>
+Date: Fri, 17 Mar 2017 10:24:49 +0000 (+0100)
+X-Git-Tag: 14.0.5~1
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff_plain;h=d0ee248bab6727555561c15998c58a0f11a5351b
+Origin: https://review.openstack.org/447072
+Bug-Ubuntu: https://bugs.launchpad.net/nova/+bug/1673569
+Bug-Debian: https://bugs.debian.org/858568
+Change-Id: I1d217620e52d45595a3e0e49ed57b4ab33cd1688
+Last-Update: 2017-04-02
+
+diff --git a/nova/exception_wrapper.py b/nova/exception_wrapper.py
+index 5b74c3b..5051b83 100644
+--- a/nova/exception_wrapper.py
++++ b/nova/exception_wrapper.py
+@@ -86,6 +86,9 @@ def _get_call_dict(function, self, context, *args, **kw):
+ # self can't be serialized and shouldn't be in the
+ # payload
+ call_dict.pop('self', None)
++ # NOTE(gibi) remove context as well as it contains sensitive information
++ # and it can also contain circular references
++ call_dict.pop('context', None)
+ return _cleanse_dict(call_dict)
+
+
+diff --git a/nova/tests/unit/test_exception.py b/nova/tests/unit/test_exception.py
+index a9bada1..55478a6 100644
+--- a/nova/tests/unit/test_exception.py
++++ b/nova/tests/unit/test_exception.py
+@@ -61,6 +61,7 @@ class WrapExceptionTestCase(test.NoDBTestCase):
+ self.assertEqual(3, notification.payload['args']['extra'])
+ for key in ['exception', 'args']:
+ self.assertIn(key, notification.payload.keys())
++ self.assertNotIn('context', notification.payload['args'].keys())
+
+ self.assertEqual(1, len(fake_notifier.VERSIONED_NOTIFICATIONS))
+ notification = fake_notifier.VERSIONED_NOTIFICATIONS[0]
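Review bot: the one-line fix `call_dict.pop('context', None)` sits beside the existing `self` pop and before `_cleanse_dict`, so the context is dropped from the legacy notification payload before any serialization, which matches the Description; what the Description leaves out is what the context holds that makes it sensitive, and for a CVE patch that should be stated in the patch header rather than only in the inline `NOTE(gibi)` comment, since the header is what the security team and downstream readers will see. Two smaller points: the DEP-3 header uses `Bug-Ubuntu:` for a Launchpad bug filed against the nova project itself, where DEP-3 expects `Bug:` for the upstream tracker; and the added test only asserts that `'context'` is absent from the legacy payload's `args`, while the Description's claim that the versioned notification is unaffected rests on it not carrying `args` at all, which no assertion in the visible lines checks.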
diff -Nru nova-14.0.0/debian/patches/series nova-14.0.0/debian/patches/series
--- nova-14.0.0/debian/patches/series 2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/patches/series 2017-04-02 10:52:50.000000000 +0000
@@ -4,3 +4,4 @@
fix-requirements.txt.patch
clean-up-build_requests-table-on-upgrades.patch
allow-using-sqla-1.1.patch
+CVE-2017-7214_do_not_include_context_to_exception_notification.patch
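Review bot: the new patch is appended last in `series`, after the three patches that touch requirements, the build_requests table and SQLAlchemy, which is the right position for an independent upstream backport, and its filename matches the file added under debian/patches exactly; one thing to double-check before upload is that the upstream hunk headers (`@@ -86,6 +86,9 @@` against nova/exception_wrapper.py and `@@ -61,6 +61,7 @@` against the unit test) apply without fuzz to the 14.0.0 tree, since the commit is tagged relative to 14.0.5 (`X-Git-Tag: 14.0.5~1`).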
--- End Message ---
--- Begin Message ---
Thomas Goirand:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please unblock package nova
>
> This upload fixes CVE-2017-7214, and bumps openstack-pkg-tools build-depends
> to >= 54~, to make sure the nova-api config script doesn't use /sbin/route
> and /bin/ip if they aren't available (as they aren't essential packages).
>
> Please unblock nova/14.0.0-4,
> Cheers,
>
> Thomas Goirand (zigo)
>
Unblocked, thanks.
~Niels
--- End Message ---