Your message dated Sat, 10 Sep 2022 13:40:55 +0100
with message-id
<2cfc9645343bdb910fe19c07bddfec2c428346a3.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 10.13
has caused the Debian Bug report #941901,
regarding buster-pu: package octavia/3.0.0-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
941901: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941901
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Dear release team,
Since Buster was frozen, I worked quite a long time on Octavia, and was
able to make the octavia-agent work properly, as well as building an
Octavia base image using Debian-only stuff [1]. It works super well
using the next version of OpenStack, i.e. Stein, while Buster has Rocky.
Though I'd like to be able to provide a working Amphorae image using
only stuff from Buster, if possible. This is what this update is about.
The update contains:
- Fix for the vrrp script template.
- Fix for detecting the OS from within Octavia itself.
- Fix for CVE-2019-17134, where the Amphora didn't enforce cert checking.
- Fix for the octavia-agent package init / systemd scripts.
Debdiff is attached. Please allow me to update the Octavia package in
Buster accordingly. Next up, I hope to be able to provide a Debian image
for Octavia through the official cdimage.debian.org repo. I'll do that
through Testing first.
Cheers,
Thomas Goirand (zigo)
[1] If you don't know what Octavia is, it is haproxy as a service, with
a base virtual machine image containing Haproxy and the Octavia Agent.
This image is called "Amphorae", and can be used to provide load balancer
as a service. This is quite nice technology!
diff -Nru octavia-3.0.0/debian/changelog octavia-3.0.0/debian/changelog
--- octavia-3.0.0/debian/changelog 2019-01-21 17:28:54.000000000 +0100
+++ octavia-3.0.0/debian/changelog 2019-04-30 12:07:21.000000000 +0200
@@ -1,3 +1,14 @@
+octavia (3.0.0-3+deb10u1) buster; urgency=medium
+
+ * Fix octavia-agent binary in init/service file, fix the startup.
+ * Add Fix-osutils.py-to-detect-Debian.patch.
+ * CVE-2019-17134: Client certificates aren't checked properly in the Amphora.
+ Applied upstream patch (Closes: #941897):
+ - Add CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch.
+ * Add Fix_template_that_generates_vrrp_check_script.patch.
+
+ -- Thomas Goirand <[email protected]> Tue, 30 Apr 2019 12:07:21 +0200
+
octavia (3.0.0-3) unstable; urgency=medium
* Add an octavia-agent package.
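Review bot: the new changelog entry is stamped Tue, 30 Apr 2019, but two of the patches it adds are dated later: the CVE-2019-17134 patch carries "Date: Fri, 4 Oct 2019" and "Last-Update: 2019-10-07", and the vrrp check-script patch "Last-Update: 2019-08-26". The entry was evidently not re-timestamped when those patches were added; refresh the date (dch -r) before upload so the changelog does not predate the changes it describes.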
diff -Nru octavia-3.0.0/debian/octavia-agent.install
octavia-3.0.0/debian/octavia-agent.install
--- octavia-3.0.0/debian/octavia-agent.install 1970-01-01 01:00:00.000000000
+0100
+++ octavia-3.0.0/debian/octavia-agent.install 2019-04-30 12:07:21.000000000
+0200
@@ -0,0 +1,2 @@
+debian/octavia-agent-ramfs-start /sbin
+debian/octavia-agent-ramfs-stop /sbin
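Review bot: the two ramfs scripts are installed into /sbin, but nothing in this debdiff wires them into the agent's start or stop sequence (the init.in hunk only adds CONFIG_FILE and DAEMON). Either the generated init/service file already invokes them outside the shown context, or the encrypted certificate directory is never set up on boot; the cover letter should say which, and if it is the latter the scripts need to be hooked into the service (for example as ExecStartPre/ExecStopPost) in the same upload.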
diff -Nru octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in
octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in
--- octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in 2019-01-21
17:28:54.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in 2019-04-30
12:07:21.000000000 +0200
@@ -17,3 +17,5 @@
NAME=${PROJECT_NAME}-agent
SYSTEM_USER=root
SYSTEM_GROUP=root
+CONFIG_FILE=/etc/octavia/amphora-agent.conf
+DAEMON=/usr/bin/amphora-agent
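Review bot: the agent is started as SYSTEM_USER=root / SYSTEM_GROUP=root, while octavia-agent-ramfs-start chowns the certificate directory to octavia:octavia. Root reads the directory regardless of ownership, so this works, but the mismatch suggests one of the two is not what was intended; state in the changelog which identity amphora-agent is meant to run under, and if root is required (for haproxy and network-namespace management) say so, rather than leaving the octavia user as an unused hint of least privilege.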
diff -Nru octavia-3.0.0/debian/octavia-agent-ramfs-start
octavia-3.0.0/debian/octavia-agent-ramfs-start
--- octavia-3.0.0/debian/octavia-agent-ramfs-start 1970-01-01
01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent-ramfs-start 2019-04-30
12:07:21.000000000 +0200
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+modprobe brd rd_size=1024000 max_part=2 rd_nr=1
+passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+certs_path=$(grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{print
$3}')
+if [ -z "${certs_path}" ] ; then
+ certs_path=/var/lib/octavia/certs
+fi
+mkdir -p "${certs_path}"
+chown octavia:octavia ${certs_path}
+echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+mkfs.ext2 /dev/mapper/certfs-ramfs
+mount /dev/mapper/certfs-ramfs ${certs_path}
+chown octavia:octavia ${certs_path}
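Review bot: the config lookup `grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{print $3}'` is unanchored, so a commented-out sample line such as `#base_cert_dir = /some/path` also matches and the script mounts the ramfs on that path instead of falling back to /var/lib/octavia/certs; anchor the match, e.g. `grep -E '^[[:space:]]*base_cert_dir[[:space:]]*='`, or read the key with a proper ini parser. Three smaller points on the same hunk: `${certs_path}` is quoted for mkdir but not for the chown and mount lines, so quote it consistently; the filesystem only ever holds certificates, so mount it with `-o nodev,nosuid,noexec`; and the script is not re-entrant, since a second run would `luksFormat` a device that is already open and abort under `set -e`, so guard the format/open step with a test for /dev/mapper/certfs-ramfs. The first `chown` on the bare mount point is also redundant once the mounted filesystem root is chowned afterwards.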
diff -Nru octavia-3.0.0/debian/octavia-agent-ramfs-stop
octavia-3.0.0/debian/octavia-agent-ramfs-stop
--- octavia-3.0.0/debian/octavia-agent-ramfs-stop 1970-01-01
01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent-ramfs-stop 2019-04-30
12:07:21.000000000 +0200
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+certs_path=$(grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{printf
$3}')
+umount "${certs_path}"
+cryptsetup luksClose /dev/mapper/certfs-ramfs
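Review bot: unlike the start script, there is no fallback to /var/lib/octavia/certs when base_cert_dir is absent from amphora-agent.conf, so `umount ""` fails and, because of `set -e`, `cryptsetup luksClose` is never reached and the mapping stays open; add the same default the start script uses (and the same anchored grep). Also `awk '{printf $3}'` uses the field value as a printf format string, which misbehaves on any path containing `%`; use `print $3` as in octavia-agent-ramfs-start.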
diff -Nru
octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
---
octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
1970-01-01 01:00:00.000000000 +0100
+++
octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,73 @@
+Description: [PATCH] Fix urgent amphora two-way auth security bug
+ The value of gunicorn's option 'cert_reqs` for client-cert requirement
+ does not take a boolean, but rather `ssl.CERT_REQUIRED` which is `2`.
+ .
+Story: 2006660
+Task: 36916
+Author: Adam Harwell <[email protected]>
+Date: Fri, 4 Oct 2019 01:04:20 -0700
+SecurityImpact: CVE-2019-17134
+Change-Id: I5619f5e40d7c9a2ee7741bf4664c0d2d08963992
+Bug-Debian: https://bugs.debian.org/941897
+Origin: https://review.opendev.org/#/c/686544/
+Last-Update: 2019-10-07
+
+diff --git a/octavia/cmd/agent.py b/octavia/cmd/agent.py
+index 861ad75..759cf4b 100644
+--- a/octavia/cmd/agent.py
++++ b/octavia/cmd/agent.py
+@@ -15,6 +15,7 @@
+ # make sure PYTHONPATH includes the home directory if you didn't install
+
+ import multiprocessing as multiproc
++import ssl
+ import sys
+
+ import gunicorn.app.base
+@@ -74,7 +75,7 @@ def main():
+ 'timeout': CONF.amphora_agent.agent_request_read_timeout,
+ 'certfile': CONF.amphora_agent.agent_server_cert,
+ 'ca_certs': CONF.amphora_agent.agent_server_ca,
+- 'cert_reqs': True,
++ 'cert_reqs': ssl.CERT_REQUIRED,
+ 'preload_app': True,
+ 'accesslog': '/var/log/amphora-agent.log',
+ 'errorlog': '/var/log/amphora-agent.log',
+diff --git a/octavia/tests/unit/cmd/test_agent.py
b/octavia/tests/unit/cmd/test_agent.py
+index 551ab56..22ca4ff 100644
+--- a/octavia/tests/unit/cmd/test_agent.py
++++ b/octavia/tests/unit/cmd/test_agent.py
+@@ -9,6 +9,7 @@
+ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ # License for the specific language governing permissions and limitations
+ # under the License.
++import ssl
+
+ import mock
+
+@@ -36,5 +37,11 @@ class TestAmphoraAgentCMD(base.TestCase):
+
+ agent.main()
+
++ # Ensure gunicorn is initialized with the correct cert_reqs option.
++ # This option is what enforces use of a valid client certificate.
++ self.assertEqual(
++ ssl.CERT_REQUIRED,
++ mock_amp.call_args[0][1]['cert_reqs'])
++
+ mock_health_proc.start.assert_called_once_with()
+ mock_amp_instance.run.assert_called_once()
+diff --git
a/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml
b/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml
+new file mode 100644
+index 0000000..e348b14
+--- /dev/null
++++
b/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml
+@@ -0,0 +1,5 @@
++---
++security:
++ - |
++ Correctly require two-way certificate authentication to connect to the
++ amphora agent API (CVE-2019-17134).
+--
+2.7.4
+
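Review bot: the fix is correct and the added unit test pins the right thing. `'cert_reqs': True` reaches the ssl module as the integer 1, which is ssl.CERT_OPTIONAL: a client certificate is requested and verified if presented, but a connection that presents none is accepted, so the agent API was effectively one-way authenticated. ssl.CERT_REQUIRED (2) is what refuses a peer without a certificate. Two header nits: the DEP-3 "Description:" line keeps the git format-patch "[PATCH]" prefix, and the trailing "--" / "2.7.4" signature lines are leftovers from git format-patch; both can be dropped. Note also that the patch's Date (2019-10-04) and Last-Update (2019-10-07) are later than the changelog entry's own timestamp.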
diff -Nru octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch
octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch
--- octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch
1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch
2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,19 @@
+Description: Fix is_os_name in osutils.py to detect Debian
+ Otherwise, the OCtavia agent just dies...
+Author: Thomas Goirand <[email protected]>
+Forwarded: no
+Last-Update: 2019-04-30
+
+Index: octavia/octavia/amphorae/backends/agent/api_server/osutils.py
+===================================================================
+--- octavia.orig/octavia/amphorae/backends/agent/api_server/osutils.py
++++ octavia/octavia/amphorae/backends/agent/api_server/osutils.py
+@@ -233,7 +233,7 @@ class Ubuntu(BaseOS):
+
+ @classmethod
+ def is_os_name(cls, os_name):
+- return os_name in ['ubuntu']
++ return os_name in ['ubuntu', 'debian']
+
+ def cmd_get_version_of_installed_package(self, package_name):
+ name = self._map_package_name(package_name)
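Review bot: "OCtavia" in the Description line is a typo. Substantively, accepting 'debian' in Ubuntu.is_os_name routes Debian amphorae through the Ubuntu class wholesale, so the package-name mapping visible in the context (`_map_package_name`) and every other Ubuntu-specific code path in that class now applies to Debian; the description should state that this was checked rather than just that the agent no longer dies. Given that, "Forwarded: no" is worth revisiting, since the same change (or a dedicated Debian subclass) is useful upstream.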
diff -Nru
octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch
octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch
---
octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch
1970-01-01 01:00:00.000000000 +0100
+++
octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch
2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,30 @@
+Author: Rene Luria <[email protected]>
+Subject: [PATCH] Fix template that generates vrrp check script
+ Correct the inline comment to not include an empty new line at the start
+ of generated /var/lib/octavia/vrrp/check_script.sh that leads to this
+ kind of error:
+ .
+ > Aug 26 11:49:32 amphora-12184e15-1ec3-4d80-98a7-c7d1ddb6716f
+ > Keepalived_vrrp[15265]: Error exec-ing command
+ > '/var/lib/octavia/vrrp/check_script.sh', error 8: Exec format error
+Date: Mon, 26 Aug 2019 13:50:42 +0200
+Change-Id: Icddd2873abeb56a389a35356995df6dde70872b2
+Origin: upstream, https://review.opendev.org/678525
+Last-Update: 2019-08-26
+
+diff --git
a/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
b/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
+index bb1eceb..e2c85c4 100644
+---
a/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
++++
b/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
+@@ -13,7 +13,7 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+ #
+-#}
++-#}
+ #!/bin/bash
+
+ # Don't try to run the directory when it is empty
+--
+2.7.4
+
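Review bot: the one-character change is the right one, and it helps to record why in the header: the Jinja comment closer `#}` leaves its trailing newline in the output, so the generated check_script.sh starts with a blank line and `#!/bin/bash` is on line 2; the kernel only honours a shebang at byte 0 of the file, so execve() fails with ENOEXEC, which is exactly the "error 8: Exec format error" in the quoted keepalived log. `-#}` strips that newline. The "[PATCH]" prefix on the Subject line and the trailing "--" / "2.7.4" lines are git format-patch residue and can be dropped.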
diff -Nru octavia-3.0.0/debian/patches/series
octavia-3.0.0/debian/patches/series
--- octavia-3.0.0/debian/patches/series 2019-01-21 17:28:54.000000000 +0100
+++ octavia-3.0.0/debian/patches/series 2019-04-30 12:07:21.000000000 +0200
@@ -1,2 +1,5 @@
fix-py36-compatibility.patch
install-missing-files.patch
+Fix-osutils.py-to-detect-Debian.patch
+CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
+Fix_template_that_generates_vrrp_check_script.patch
--- End Message ---
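The CVE-2019-17134 item in the request above comes down to gunicorn's `cert_reqs` option being given a Python bool. The following is an added example, not code from the Debian package or from Octavia: it shows what the ssl module makes of that value and audits a gunicorn option dict modelled on the one in the patched `agent.main()`. The certificate paths in it are constructed placeholders, and `audit_gunicorn_options` is an illustrative helper, not an Octavia or gunicorn API.

```python
import ssl

# Constructed gunicorn option dicts modelled on the agent.main() settings
# shown in the debdiff. The paths are placeholders, not the package defaults.
VULNERABLE_OPTIONS = {
    "certfile": "/etc/octavia/certs/server.pem",      # placeholder
    "ca_certs": "/etc/octavia/certs/client_ca.pem",   # placeholder
    "cert_reqs": True,   # the bug: a bool instead of an ssl.CERT_* constant
}
FIXED_OPTIONS = dict(VULNERABLE_OPTIONS, cert_reqs=ssl.CERT_REQUIRED)


def effective_verify_mode(cert_reqs):
    """Return the integer ssl.VerifyMode the ssl module applies for cert_reqs.

    gunicorn passes the option straight through to the ssl module, which
    takes an int. True is 1, and 1 is ssl.CERT_OPTIONAL: a peer certificate
    is verified if one is presented, but a peer that presents none is still
    accepted. Only ssl.CERT_REQUIRED (2) rejects such peers. Values the ssl
    module does not know raise ValueError, exactly as they would at startup.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = cert_reqs          # same coercion gunicorn relies on
    return int(ctx.verify_mode)


def audit_gunicorn_options(opts):
    """Return a list of findings for a gunicorn TLS option dict.

    An empty list means client certificates are genuinely mandatory and a
    CA to check them against is configured.
    """
    findings = []
    # gunicorn's own default for cert_reqs is ssl.CERT_NONE.
    cert_reqs = opts.get("cert_reqs", ssl.CERT_NONE)
    mode = effective_verify_mode(cert_reqs)
    if mode != ssl.CERT_REQUIRED:
        how = " (a bool, silently used as an int)" if isinstance(cert_reqs, bool) else ""
        findings.append(
            f"cert_reqs={cert_reqs!r}{how} gives verify_mode "
            f"{ssl.VerifyMode(mode).name}; peers without a certificate are accepted"
        )
    if mode != ssl.CERT_NONE and not opts.get("ca_certs"):
        findings.append(
            "verify_mode requires peer certificates but no ca_certs is configured"
        )
    return findings


if __name__ == "__main__":
    for label, opts in (("vulnerable", VULNERABLE_OPTIONS), ("fixed", FIXED_OPTIONS)):
        print(label, audit_gunicorn_options(opts) or ["ok"])
```

Run it as a script to see the vulnerable dict flagged and the fixed one pass; the same audit function can be pointed at any gunicorn options dict or at the result of parsing a gunicorn config file, since the coercion it checks happens inside the ssl module, not in gunicorn.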
--- Begin Message ---
Package: release.debian.org
Version: 10.13
Hi,
Each of the updates referenced in these bugs was included in today's
10.13 point release.
Regards,
Adam
--- End Message ---