Your message dated Sat, 08 Apr 2017 06:07:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#859819: unblock: nova/14.0.0-4 (CVE-2017-7214)
has caused the Debian Bug report #859819,
regarding unblock: nova/14.0.0-4 (CVE-2017-7214)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
859819: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859819
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package nova
This upload fixes CVE-2017-7214, and bumps openstack-pkg-tools build-depends
to >= 54~, to make sure the nova-api config script doesn't use /sbin/route
and /bin/ip if they aren't available (as they aren't essential packages).
Please unblock nova/14.0.0-4,
Cheers,
Thomas Goirand (zigo)
diff -Nru nova-14.0.0/debian/changelog nova-14.0.0/debian/changelog
--- nova-14.0.0/debian/changelog 2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/changelog 2017-04-02 10:52:50.000000000 +0000
@@ -1,3 +1,14 @@
+nova (2:14.0.0-4) unstable; urgency=medium
+
+ [ David Rabel ]
+ * Team upload.
+ * Bump build dependency on openstack-pkg-tools (Closes: #858708, #858710).
+
+ [ Thomas Goirand ]
+ * CVE-2017-7214: apply upstream patch (Closes: 858568).
+
+ -- Thomas Goirand <[email protected]> Sun, 02 Apr 2017 12:52:50 +0200
+
nova (2:14.0.0-3) unstable; urgency=medium
[ Ondřej Nový ]
diff -Nru nova-14.0.0/debian/control nova-14.0.0/debian/control
--- nova-14.0.0/debian/control 2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/control 2017-04-02 10:52:50.000000000 +0000
@@ -7,7 +7,7 @@
Build-Depends: debhelper (>= 10),
dh-python,
dh-systemd,
- openstack-pkg-tools (>= 52~),
+ openstack-pkg-tools (>= 54~),
po-debconf,
python-all,
python-pbr (>= 1.8),
diff -Nru nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch
--- nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch 1970-01-01 00:00:00.000000000 +0000
+++ nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch 2017-04-02 10:52:50.000000000 +0000
@@ -0,0 +1,50 @@
+Description: CVE-2017-7214: do not include context to exception notification
+ The wrap_exception decorator optionally emited a notification.
+ Based on the code comments the original intention was not to include the
+ context to that notification due to security reasons. However the
+ implementation did included the context to the payload of the legacy
+ notification.
+ .
+ Recently we saw circural reference errors during the payload serialization
+ of this notification. Based on the logs the only complex data structure
+ that could cause circural reference is the context. So this patch
+ removes the context from the legacy exception notification.
+ .
+ The versioned exception notification is not affected as it does not
+ contain the args of the decorated function.
+Author: Balazs Gibizer <[email protected]>
+Date: Fri, 17 Mar 2017 10:24:49 +0000 (+0100)
+X-Git-Tag: 14.0.5~1
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff_plain;h=d0ee248bab6727555561c15998c58a0f11a5351b
+Origin: https://review.openstack.org/447072
+Bug-Ubuntu: https://bugs.launchpad.net/nova/+bug/1673569
+Bug-Debian: https://bugs.debian.org/858568
+Change-Id: I1d217620e52d45595a3e0e49ed57b4ab33cd1688
+Last-Update: 2017-04-02
+
+diff --git a/nova/exception_wrapper.py b/nova/exception_wrapper.py
+index 5b74c3b..5051b83 100644
+--- a/nova/exception_wrapper.py
++++ b/nova/exception_wrapper.py
+@@ -86,6 +86,9 @@ def _get_call_dict(function, self, context, *args, **kw):
+ # self can't be serialized and shouldn't be in the
+ # payload
+ call_dict.pop('self', None)
++ # NOTE(gibi) remove context as well as it contains sensitive information
++ # and it can also contain circular references
++ call_dict.pop('context', None)
+ return _cleanse_dict(call_dict)
+
+
+diff --git a/nova/tests/unit/test_exception.py b/nova/tests/unit/test_exception.py
+index a9bada1..55478a6 100644
+--- a/nova/tests/unit/test_exception.py
++++ b/nova/tests/unit/test_exception.py
+@@ -61,6 +61,7 @@ class WrapExceptionTestCase(test.NoDBTestCase):
+ self.assertEqual(3, notification.payload['args']['extra'])
+ for key in ['exception', 'args']:
+ self.assertIn(key, notification.payload.keys())
++ self.assertNotIn('context', notification.payload['args'].keys())
+
+ self.assertEqual(1, len(fake_notifier.VERSIONED_NOTIFICATIONS))
+ notification = fake_notifier.VERSIONED_NOTIFICATIONS[0]
diff -Nru nova-14.0.0/debian/patches/series nova-14.0.0/debian/patches/series
--- nova-14.0.0/debian/patches/series 2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/patches/series 2017-04-02 10:52:50.000000000 +0000
@@ -4,3 +4,4 @@
fix-requirements.txt.patch
clean-up-build_requests-table-on-upgrades.patch
allow-using-sqla-1.1.patch
+CVE-2017-7214_do_not_include_context_to_exception_notification.patch
--- End Message ---
--- Begin Message ---
Thomas Goirand:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package nova
>
> This upload fixes CVE-2017-7214, and bumps openstack-pkg-tools build-depends
> to >= 54~, to make sure the nova-api config script doesn't use /sbin/route
> and /bin/ip if they aren't available (as they aren't essential packages).
>
> Please unblock nova/14.0.0-4,
> Cheers,
>
> Thomas Goirand (zigo)
>
Unblocked, thanks.
~Niels
--- End Message ---
