Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package nova. This upload fixes CVE-2017-7214 and bumps the openstack-pkg-tools build-dependency to >= 54~, so that the nova-api config script doesn't use /sbin/route and /bin/ip when they aren't available (they aren't essential packages). Please unblock nova/14.0.0-4. Cheers, Thomas Goirand (zigo)
diff -Nru nova-14.0.0/debian/changelog nova-14.0.0/debian/changelog
--- nova-14.0.0/debian/changelog 2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/changelog 2017-04-02 10:52:50.000000000 +0000
@@ -1,3 +1,14 @@
+nova (2:14.0.0-4) unstable; urgency=medium
+
+ [ David Rabel ]
+ * Team upload.
+ * Bump build dependency on openstack-pkg-tools (Closes: #858708, #858710).
+
+ [ Thomas Goirand ]
+ * CVE-2017-7214: apply upstream patch (Closes: 858568).
+
+ -- Thomas Goirand <z...@debian.org> Sun, 02 Apr 2017 12:52:50 +0200
+
 nova (2:14.0.0-3) unstable; urgency=medium
 
 [ Ondřej Nový ]
diff -Nru nova-14.0.0/debian/control nova-14.0.0/debian/control
--- nova-14.0.0/debian/control 2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/control 2017-04-02 10:52:50.000000000 +0000
@@ -7,7 +7,7 @@
 Build-Depends: debhelper (>= 10),
 dh-python,
 dh-systemd,
- openstack-pkg-tools (>= 52~),
+ openstack-pkg-tools (>= 54~),
 po-debconf,
 python-all,
 python-pbr (>= 1.8),
diff -Nru nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch
--- nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch 1970-01-01 00:00:00.000000000 +0000
+++ nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch 2017-04-02 10:52:50.000000000 +0000
@@ -0,0 +1,50 @@
+Description: CVE-2017-7214: do not include context to exception notification
+ The wrap_exception decorator optionally emited a notification.
+ Based on the code comments the original intention was not to include the
+ context to that notification due to security reasons. However the
+ implementation did included the context to the payload of the legacy
+ notification.
+ .
+ Recently we saw circural reference errors during the payload serialization
+ of this notification. Based on the logs the only complex data structure
+ that could cause circural reference is the context. So this patch
+ removes the context from the legacy exception notification.
+ .
+ The versioned exception notification is not affected as it does not
+ contain the args of the decorated function.
+Author: Balazs Gibizer <balazs.gibi...@ericsson.com>
+Date: Fri, 17 Mar 2017 10:24:49 +0000 (+0100)
+X-Git-Tag: 14.0.5~1
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff_plain;h=d0ee248bab6727555561c15998c58a0f11a5351b
+Origin: https://review.openstack.org/447072
+Bug-Ubuntu: https://bugs.launchpad.net/nova/+bug/1673569
+Bug-Debian: https://bugs.debian.org/858568
+Change-Id: I1d217620e52d45595a3e0e49ed57b4ab33cd1688
+Last-Update: 2017-04-02
+
+diff --git a/nova/exception_wrapper.py b/nova/exception_wrapper.py
+index 5b74c3b..5051b83 100644
+--- a/nova/exception_wrapper.py
++++ b/nova/exception_wrapper.py
+@@ -86,6 +86,9 @@ def _get_call_dict(function, self, context, *args, **kw):
+ # self can't be serialized and shouldn't be in the
+ # payload
+ call_dict.pop('self', None)
++ # NOTE(gibi) remove context as well as it contains sensitive information
++ # and it can also contain circular references
++ call_dict.pop('context', None)
+ return _cleanse_dict(call_dict)
+
+
+diff --git a/nova/tests/unit/test_exception.py b/nova/tests/unit/test_exception.py
+index a9bada1..55478a6 100644
+--- a/nova/tests/unit/test_exception.py
++++ b/nova/tests/unit/test_exception.py
+@@ -61,6 +61,7 @@ class WrapExceptionTestCase(test.NoDBTestCase):
+ self.assertEqual(3, notification.payload['args']['extra'])
+ for key in ['exception', 'args']:
+ self.assertIn(key, notification.payload.keys())
++ self.assertNotIn('context', notification.payload['args'].keys())
+
+ self.assertEqual(1, len(fake_notifier.VERSIONED_NOTIFICATIONS))
+ notification = fake_notifier.VERSIONED_NOTIFICATIONS[0]
diff -Nru nova-14.0.0/debian/patches/series nova-14.0.0/debian/patches/series
--- nova-14.0.0/debian/patches/series 2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/patches/series 2017-04-02 10:52:50.000000000 +0000
@@ -4,3 +4,4 @@
 fix-requirements.txt.patch
 clean-up-build_requests-table-on-upgrades.patch
 allow-using-sqla-1.1.patch
+CVE-2017-7214_do_not_include_context_to_exception_notification.patch
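Review bot: The added `call_dict.pop('context', None)` in the nova/exception_wrapper.py hunk drops only the entry keyed by the literal name `context`, so the fix relies on the decorated function binding its request context to a parameter of exactly that name; a context object reaching `_get_call_dict` through `*args`/`**kw` under a different name, or nested inside another argument, would still land in the legacy notification payload unless `_cleanse_dict` removes it, and that helper is outside the hunk. `_get_call_dict` itself begins before the hunk, so how call_dict is populated cannot be confirmed from here. The new assertion in test_exception.py checks only the top-level keys of `payload['args']`, which matches the narrow scope of the fix; a comment in the patch header noting this assumption would help the next backporter, e.g. `# Only the parameter literally named 'context' is stripped; see upstream review 447072.` Since the hunk is the upstream commit applied verbatim, any widening of the cleanup belongs upstream rather than in the Debian delta.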