The debdiff

Bastien
diff -Nru fence-agents-4.0.7.1/debian/changelog 
fence-agents-4.0.7.1/debian/changelog
--- fence-agents-4.0.7.1/debian/changelog       2014-09-23 20:58:24.000000000 
+0200
+++ fence-agents-4.0.7.1/debian/changelog       2014-11-16 14:51:30.000000000 
+0100
@@ -1,3 +1,13 @@
+fence-agents (4.0.7.1-2.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Security Bug fix (CVE-2014-0104): "fence-agents:
+    no verification of remote SSL certificates",
+    thanks to Moritz Muehlenhoff (Closes: #764801).
+    Need to build-dep on python-requests.
+
+ -- Bastien Roucariès <roucaries.bastien+deb...@gmail.com>  Sun, 16 Nov 2014 
14:39:37 +0100
+
 fence-agents (4.0.7.1-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru fence-agents-4.0.7.1/debian/control 
fence-agents-4.0.7.1/debian/control
--- fence-agents-4.0.7.1/debian/control 2014-09-23 21:00:37.000000000 +0200
+++ fence-agents-4.0.7.1/debian/control 2014-11-16 14:50:41.000000000 +0100
@@ -15,6 +15,7 @@
                python,
                python-pexpect,
                python-pycurl,
+               python-requests,
                python-suds,
                xsltproc,
                libxml2-utils,
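Review bot: `python-requests` is added only to what, from the surrounding context (`python`, `python-pexpect`, `python-pycurl`, `xsltproc`, `libxml2-utils`), reads as the Build-Depends list, yet the patched fence_vmware_soap.py in 0001-verify-ssl-certificate.diff does `import logging, requests, cookielib` at module load, so the package needs it at run time as well. Unless the binary package's Depends already covers it (not visible in this hunk), the vmware_soap agent fails at import on a target system and fencing silently becomes unavailable. Add `python-requests` to the runtime Depends of the package shipping that agent, or confirm that the existing runtime dependency line already pulls it in.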
diff -Nru fence-agents-4.0.7.1/debian/patches/0001-verify-ssl-certificate.diff 
fence-agents-4.0.7.1/debian/patches/0001-verify-ssl-certificate.diff
--- fence-agents-4.0.7.1/debian/patches/0001-verify-ssl-certificate.diff        
1970-01-01 01:00:00.000000000 +0100
+++ fence-agents-4.0.7.1/debian/patches/0001-verify-ssl-certificate.diff        
2014-11-16 14:37:22.000000000 +0100
@@ -0,0 +1,224 @@
+From e51df7a73141c4d378d12e4a3ade12776e48ebff Mon Sep 17 00:00:00 2001
+From: Marek 'marx' Grac <mg...@redhat.com>
+Date: Wed, 5 Mar 2014 12:49:17 +0100
+Subject: [PATCH] fencing: Add new options --ssl-secure and --ssl-insecure
+
+These new options extends current --ssl (same as --ssl-secure). Until now 
certificate of the fence device
+was not validated what can possibly lead to attack on infrastructe. With this 
patch, user can decide
+if certificate should (--ssl-secure) or should not (--ssl-insecure) be 
verified.
+
+This patch fix CVE-2014-0104.
+
+bug-fedora: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0104
+bug-debian: https://bugs.debian.org/764801
+---
+ fence/agents/cisco_ucs/fence_cisco_ucs.py     |   10 ++++++-
+ fence/agents/lib/fencing.py.py                |   29 ++++++++++++++++++---
+ fence/agents/rhevm/fence_rhevm.py             |   11 ++++++--
+ fence/agents/vmware_soap/fence_vmware_soap.py |   34 +++++++++++++++++++++---
+ 4 files changed, 70 insertions(+), 14 deletions(-)
+
+diff a/fence/agents/cisco_ucs/fence_cisco_ucs.py 
b/fence/agents/cisco_ucs/fence_cisco_ucs.py
+index 71782cb..1e9d983 100644
+Index: fence-agents-4.0.7.1/fence/agents/cisco_ucs/fence_cisco_ucs.py
+===================================================================
+--- fence-agents-4.0.7.1.orig/fence/agents/cisco_ucs/fence_cisco_ucs.py
++++ fence-agents-4.0.7.1/fence/agents/cisco_ucs/fence_cisco_ucs.py
+@@ -85,8 +85,14 @@ def send_command(opt, command, timeout):
+       c.setopt(pycurl.POSTFIELDS, command)
+       c.setopt(pycurl.WRITEFUNCTION, b.write)
+       c.setopt(pycurl.TIMEOUT, timeout)
+-      c.setopt(pycurl.SSL_VERIFYPEER, 0)
+-      c.setopt(pycurl.SSL_VERIFYHOST, 0)
++      if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
++              c.setopt(pycurl.SSL_VERIFYPEER, 1)
++              c.setopt(pycurl.SSL_VERIFYHOST, 2)
++
++      if opt.has_key("--ssl-insecure"):
++              c.setopt(pycurl.SSL_VERIFYPEER, 0)
++              c.setopt(pycurl.SSL_VERIFYHOST, 0)
++
+       c.perform()
+       result = b.getvalue()
+ 
+Index: fence-agents-4.0.7.1/fence/agents/lib/fencing.py.py
+===================================================================
+--- fence-agents-4.0.7.1.orig/fence/agents/lib/fencing.py.py
++++ fence-agents-4.0.7.1/fence/agents/lib/fencing.py.py
+@@ -170,6 +170,23 @@ all_opt = {
+               "required" : "0",
+               "shortdesc" : "SSL connection",
+               "order" : 1 },
++      "ssl_insecure" : {
++              "getopt" : "9",
++              "longopt" : "ssl-insecure",
++              "help" : "--ssl-insecure                 Use ssl connection 
without verifying certificate",
++              "required" : "0",
++              "shortdesc" : "SSL connection without verifying fence device's 
certificate",
++              "order" : 1 },
++      "ssl_secure" : {
++              "getopt" : "9",
++              "longopt" : "ssl-secure",
++              "help" : "--ssl-secure                   Use ssl connection 
with verifying certificate",
++              "required" : "0",
++              "shortdesc" : "SSL connection with verifying fence device's 
certificate",
++              "order" : 1 },
++      "notls" : {
++              "getopt" : "t",
++              "longopt" : "notls"},
+       "port" : {
+               "getopt" : "n:",
+               "longopt" : "plug",
+@@ -362,6 +379,7 @@ DEPENDENCY_OPT = {
+               "secure" : [ "identity_file", "ssh_options" ],
+               "ipaddr" : [ "ipport", "inet4_only", "inet6_only" ],
+               "port" : [ "separator" ],
++              "ssl" : [ "ssl_secure", "ssl_insecure" ],
+               "community" : [ "snmp_auth_prot", "snmp_sec_level", 
"snmp_priv_prot", \
+                       "snmp_priv_passwd", "snmp_priv_passwd_script" ]
+       }
+@@ -637,7 +655,7 @@ def check_input(device_opt, opt):
+               elif options.has_key("--ssh"):
+                       all_opt["ipport"]["default"] = 22
+                       all_opt["ipport"]["help"] = "-u, --ipport=[port]        
    TCP/UDP port to use (default 22)"
+-              elif options.has_key("--ssl"):
++              elif options.has_key("--ssl") or 
options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
+                       all_opt["ipport"]["default"] = 443
+                       all_opt["ipport"]["help"] = "-u, --ipport=[port]        
    TCP/UDP port to use (default 443)"
+               elif device_opt.count("web"):
+@@ -730,7 +748,7 @@ def check_input(device_opt, opt):
+       if options.has_key("--ipport") == False:
+               if options.has_key("--ssh"):
+                       options["--ipport"] = 22
+-              elif options.has_key("--ssl"):
++              elif options.has_key("--ssl") or 
options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
+                       options["--ipport"] = 443
+               elif device_opt.count("web"):
+                       options["--ipport"] = 80
+@@ -960,7 +978,17 @@ def fence_login(options, re_login_string
+               re_pass  = re.compile("(password)|(pass phrase)", re.IGNORECASE)
+ 
+               if options.has_key("--ssl"):
+-                      command = '%s --insecure --crlf -p %s %s' % (SSL_PATH, 
options["--ipport"], options["--ip"])
++                      gnutls_opts = ""
++                      ssl_opts = ""
++
++                      if options.has_key("--notls"):
++                              gnutls_opts = "--priority 
\"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0\""
++
++                      # --ssl is same as the --ssl-secure
++                      if options.has_key("--ssl-insecure"):
++                              ssl_opts = "--insecure"
++
++                      command = '%s %s %s --crlf -p %s %s' % (SSL_PATH, 
gnutls_opts, ssl_opts, options["--ipport"], options["--ip"])
+                       try:
+                               conn = fspawn(options, command)
+                       except pexpect.ExceptionPexpect, ex:
+Index: fence-agents-4.0.7.1/fence/agents/rhevm/fence_rhevm.py
+===================================================================
+--- fence-agents-4.0.7.1.orig/fence/agents/rhevm/fence_rhevm.py
++++ fence-agents-4.0.7.1/fence/agents/rhevm/fence_rhevm.py
+@@ -84,8 +84,13 @@ def send_command(opt, command, method =
+       c.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)
+       c.setopt(pycurl.USERPWD, opt["--username"] + ":" + opt["--password"])
+       c.setopt(pycurl.TIMEOUT, int(opt["--shell-timeout"]))
+-      c.setopt(pycurl.SSL_VERIFYPEER, 0)
+-      c.setopt(pycurl.SSL_VERIFYHOST, 0)
++      if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
++              c.setopt(pycurl.SSL_VERIFYPEER, 1)
++              c.setopt(pycurl.SSL_VERIFYHOST, 2)
++
++      if opt.has_key("--ssl-insecure"):
++              c.setopt(pycurl.SSL_VERIFYPEER, 0)
++              c.setopt(pycurl.SSL_VERIFYHOST, 0)
+ 
+       if (method == "POST"):
+               c.setopt(pycurl.POSTFIELDS, "<action />")
+Index: fence-agents-4.0.7.1/fence/agents/vmware_soap/fence_vmware_soap.py
+===================================================================
+--- fence-agents-4.0.7.1.orig/fence/agents/vmware_soap/fence_vmware_soap.py
++++ fence-agents-4.0.7.1/fence/agents/vmware_soap/fence_vmware_soap.py
+@@ -2,10 +2,14 @@
+ 
+ import sys, exceptions, time
+ import shutil, tempfile, suds
++import logging, requests, cookielib
++
+ sys.path.append("@FENCEAGENTSLIBDIR@")
+ 
+ from suds.client import Client
+ from suds.sudsobject import Property
++from suds.transport.http import HttpAuthenticated
++from suds.transport import Reply, TransportError
+ from fencing import *
+ 
+ #BEGIN_VERSION_GENERATION
+@@ -14,13 +18,32 @@ REDHAT_COPYRIGHT=""
+ BUILD_DATE="April, 2011"
+ #END_VERSION_GENERATION
+ 
++class RequestsTransport(HttpAuthenticated):
++      def __init__(self, **kwargs):
++              self.cert = kwargs.pop('cert', None)
++              self.verify = kwargs.pop('verify', True)
++              self.cookiejar = cookielib.CookieJar()
++              # super won't work because not using new style class
++              HttpAuthenticated.__init__(self, **kwargs)
++
++      def send(self, request):
++              self.addcredentials(request)
++              resp = requests.post(request.url, data = request.message, 
headers = request.headers, cert = self.cert, verify = self.verify, cookies = 
self.cookiejar)
++              result = Reply(resp.status_code, resp.headers, resp.content)
++              return result
++
+ def soap_login(options):
+       if options["-o"] in ["off", "reboot"]:
+               time.sleep(int(options["--delay"]))
+ 
+-      if options.has_key("--ssl"):
++      if options.has_key("--ssl") or options.has_key("--ssl-secure") or 
options.has_key("--ssl-insecure"):
++              if options.has_key("--ssl-insecure"):
++                      verify = False
++              else:
++                      verify = True
+               url = "https://";
+       else:
++              verify = False
+               url = "http://";
+       
+       url += options["--ip"] + ":" + str(options["--ipport"]) + "/sdk"
+@@ -28,10 +51,10 @@ def soap_login(options):
+       tmp_dir = tempfile.mkdtemp()
+       tempfile.tempdir = tmp_dir
+       atexit.register(remove_tmp_dir, tmp_dir)
+-      
++
+       try:
+-              conn = Client(url + "/vimService.wsdl")
+-              conn.set_options(location = url)
++              headers = {"Content-Type" : "text/xml;charset=UTF-8", 
"SOAPAction" : ""}
++              conn = Client(url + "/vimService.wsdl", location = url, 
transport = RequestsTransport(verify = verify), headers = headers)
+ 
+               mo_ServiceInstance = Property('ServiceInstance')
+               mo_ServiceInstance._type = 'ServiceInstance'
+@@ -40,6 +63,8 @@ def soap_login(options):
+               mo_SessionManager._type = 'SessionManager'
+ 
+               SessionManager = conn.service.Login(mo_SessionManager, 
options["--username"], options["--password"])
++      except requests.exceptions.SSLError, ex:
++              fail_usage("Server side certificate verification failed")
+       except Exception, ex:
+               fail(EC_LOGIN_DENIED)   
+ 
+@@ -199,6 +224,11 @@ Alternatively you can always use UUID to
+       docs["vendorurl"] = "http://www.vmware.com";
+       show_docs(options, docs)
+ 
++
++      logging.basicConfig(level=logging.INFO)
++      logging.getLogger('suds.client').setLevel(logging.CRITICAL)
++      logging.getLogger("requests").setLevel(logging.CRITICAL)
++
+       ##
+       ## Operate the fencing device
+       ####
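Review bot: The new verification handling in fence_login (fencing.py hunk `@@ -960,7 +978,17 @@`) is reached only when `--ssl` is present, so a caller passing just `--ssl-secure` or `--ssl-insecure` gets neither the gnutls option handling nor the verification it asked for, while check_input and the cisco_ucs/rhevm/vmware_soap hunks treat all three options as equivalent triggers; unless check_input maps the new options onto `--ssl` somewhere outside this patch, the condition should read `if options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):`. In send_command of fence_cisco_ucs.py and fence_rhevm.py the two new `if` blocks are independent, so passing `--ssl-secure` together with `--ssl-insecure` silently ends with SSL_VERIFYPEER/SSL_VERIFYHOST cleared; rejecting the combination in check_input, e.g. `if options.has_key("--ssl-secure") and options.has_key("--ssl-insecure"): fail_usage("--ssl-secure and --ssl-insecure are mutually exclusive")`, avoids a quiet downgrade. The new `notls` entry in all_opt carries only `getopt` and `longopt`, unlike the neighbouring `ssl_secure`/`ssl_insecure` entries, yet it drives a `--priority` string that removes every TLS version and leaves effectively only SSL 3.0, which a user reading `--help` or the agent metadata will not learn about; add at least `"help" : "--notls                        Disable TLS and negotiate SSL 3.0 only (insecure)"` and a matching `shortdesc`. In RequestsTransport.send the jar handed to `requests.post(..., cookies=self.cookiejar)` is never updated from the response, so if the SOAP session relies on a cookie set by Login (not verifiable from this hunk) later calls would go out without it — worth confirming against a device. fence_login and soap_login both continue outside their hunks.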
diff -Nru fence-agents-4.0.7.1/debian/patches/series 
fence-agents-4.0.7.1/debian/patches/series
--- fence-agents-4.0.7.1/debian/patches/series  2013-03-21 09:28:38.000000000 
+0100
+++ fence-agents-4.0.7.1/debian/patches/series  2014-11-16 14:27:59.000000000 
+0100
@@ -0,0 +1 @@
+0001-verify-ssl-certificate.diff
diff -Nru fence-agents-4.0.7.1/debian/.pc/.quilt_patches 
fence-agents-4.0.7.1/debian/.pc/.quilt_patches
--- fence-agents-4.0.7.1/debian/.pc/.quilt_patches      1970-01-01 
01:00:00.000000000 +0100
+++ fence-agents-4.0.7.1/debian/.pc/.quilt_patches      2014-11-16 
14:28:14.000000000 +0100
@@ -0,0 +1 @@
+patches
diff -Nru fence-agents-4.0.7.1/debian/.pc/.quilt_series 
fence-agents-4.0.7.1/debian/.pc/.quilt_series
--- fence-agents-4.0.7.1/debian/.pc/.quilt_series       1970-01-01 
01:00:00.000000000 +0100
+++ fence-agents-4.0.7.1/debian/.pc/.quilt_series       2014-11-16 
14:28:14.000000000 +0100
@@ -0,0 +1 @@
+series
diff -Nru fence-agents-4.0.7.1/debian/.pc/.version 
fence-agents-4.0.7.1/debian/.pc/.version
--- fence-agents-4.0.7.1/debian/.pc/.version    1970-01-01 01:00:00.000000000 
+0100
+++ fence-agents-4.0.7.1/debian/.pc/.version    2014-11-16 14:28:14.000000000 
+0100
@@ -0,0 +1 @@
+2
