Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Hi, The security fix "Nova DoS by allocating all Fixed IPs" broke the vncproxy feature of Nova. Version 2012.1.1-16 corrects this. Also, there was a typo in the nova-common postinst, which this upload corrects: if [ " $RET" = "false" ]; then (note the extra space, which makes the statement always false...) Last, Julien Cristau reported (as a Nova user, not as a release team member) that postgresql:// works, but not pgsql://, so I fixed the nova-common.postinst for that. Debdiff is attached. Please unblock nova/2012.1.1-16. Thomas Goirand (zigo)
diff -Nru nova-2012.1.1/debian/changelog nova-2012.1.1/debian/changelog
--- nova-2012.1.1/debian/changelog 2013-03-14 21:09:18.000000000 +0000
+++ nova-2012.1.1/debian/changelog 2013-04-01 14:49:11.000000000 +0000
@@ -1,3 +1,12 @@
+nova (2012.1.1-16) unstable; urgency=low
+
+ * Fixes console auth after security fix (Closes: #703242).
+ * Fixes a typo in debian/nova-common.postinst when activating NOVA_ENABLE.
+ * Fixes the DNS in the case of PGSQL: now it really is postgresql:// and not
+ qgsql://.
+
+ -- Thomas Goirand <z...@debian.org> Mon, 18 Mar 2013 13:32:52 +0800
+
 nova (2012.1.1-15) unstable; urgency=low
 * CVE-2013-1838: Nova DoS by allocating all Fixed IPs (Closes: #703064).
diff -Nru nova-2012.1.1/debian/nova-common.postinst nova-2012.1.1/debian/nova-common.postinst
--- nova-2012.1.1/debian/nova-common.postinst 2013-03-14 21:09:18.000000000 +0000
+++ nova-2012.1.1/debian/nova-common.postinst 2013-04-01 14:49:11.000000000 +0000
@@ -55,7 +55,7 @@
 ;;
 pgsql)
 [ -n "$dbc_dbport" ] && dbport=:$dbc_dbport
- SQL_CONNECTION="pgsql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
+ SQL_CONNECTION="postgresql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
 ;;
 *)
 SQL_CONNECTION="sqlite:///$dbc_basepath/$dbc_dbname"
@@ -71,7 +71,7 @@
 fi
 fi
 db_get nova-common/start_services
- if [ " $RET" = "false" ]; then
+ if [ "$RET" = "false" ]; then
 sed -e "s,^NOVA_ENABLE=.\+,NOVA_ENABLE=false," -i /etc/default/nova
 fi
 fi
diff -Nru nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch
--- nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch 1970-01-01 00:00:00.000000000 +0000
+++ nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch 2013-04-01 14:49:11.000000000 +0000
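Review bot: The rewritten `SQL_CONNECTION` line in the `pgsql)` arm still interpolates `$dbc_dbuser` and `$dbc_dbpass` into the URL without percent-encoding, so a password containing `@`, `:`, `/` or `%` produces a DSN that is split at the wrong boundary and the connection fails; only the scheme changes here, and the enclosing `case` on the database type opens and closes outside the hunk. Consider encoding both values before building the string, or at minimum document the restriction above the `pgsql)` arm with `# NOTE: credentials are not URL-encoded; reserved characters in the password break the DSN`. The changelog entry for this fix reads `qgsql://` and `DNS` where the hunk shows `pgsql://` and a DSN; worth correcting before upload.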
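Review bot: The corrected test now reaches the `sed`, but `.\+` in `s,^NOVA_ENABLE=.\+,NOVA_ENABLE=false,` requires at least one character after `=`, so an `/etc/default/nova` that already contains a bare `NOVA_ENABLE=` is left untouched and the `start_services=false` answer is silently ignored; `s,^NOVA_ENABLE=.*,NOVA_ENABLE=false,` would cover that case as well. Whether an empty value is treated as enabled depends on the init script, which is not in this diff. The `if` blocks that enclose this statement open before the hunk.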
@@ -0,0 +1,98 @@
+Description: Fixed broken vncproxy flush tokens patch
+ This review (https://review.openstack.org/22872) attempted to
+ resolve a critical security issue but ended up completely breaking
+ the vncproxy. The wrong dict keys were being used for Essex and the
+ API calls were incomplete. This patch makes the proxy work again.
+Author: Rafi Khardalian <r...@metacloud.com>
+Origin: upstream, https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff_plain;h=48e81f1554ce41c3d4f7445421d19f4a8128e98d
+Bug-Debian: http://bugs.debian.org/703242
+Bug-Ubuntu: https://launchpad.net/bugs/1125378
+Date: Thu, 7 Mar 2013 00:19:08 +0000 (+0000)
+
+diff --git a/nova/compute/api.py b/nova/compute/api.py
+index a317c44..8309fbb 100644
+--- a/nova/compute/api.py
++++ b/nova/compute/api.py
+@@ -1561,12 +1561,14 @@ class API(BaseAPI):
+ return {'url': connect_info['access_url']}
+
+ @wrap_check_policy
+- def validate_vnc_console(self, context, instance_id, host, port):
++ def validate_vnc_console(self, context, instance_id, host, port,
++ console_type):
+ """Validate VNC Console for an instance."""
+ instance = self.get(context, instance_id)
+ output = self._call_compute_message('get_vnc_console',
+- context,
+- instance)
++ context,
++ instance,
++ params={"console_type": console_type})
+ return (port == output['port'] and host == output['host'])
+
+ @wrap_check_policy
+diff --git a/nova/consoleauth/manager.py b/nova/consoleauth/manager.py
+index 5690ef3..507bdc5 100644
+--- a/nova/consoleauth/manager.py
++++ b/nova/consoleauth/manager.py
+@@ -84,14 +84,15 @@ class ConsoleAuthManager(manager.Manager):
+
+ LOG.audit(_("Received Token: %(token)s, %(token_dict)s)"), locals())
+
+- def _validate_console(self, token):
++ def _validate_console(self, context, token):
+ console_valid = False
+ token_dict = self.tokens[token]
+ try:
+ console_valid = self.compute_api.validate_vnc_console(context,
+- token_dict['instance_uuid'],
++ token_dict['instance_id'],
+ token_dict['host'],
+- token_dict['port'])
++ token_dict['port'],
++ token_dict['console_type'])
+ except exception.InstanceNotFound:
+ pass
+ return console_valid
+@@ -99,7 +100,7 @@ class ConsoleAuthManager(manager.Manager):
+ def check_token(self, context, token):
+ token_valid = token in self.tokens
+ LOG.audit(_("Checking Token: %(token)s, %(token_valid)s)"), locals())
+- if token_valid and self._validate_console(token):
++ if token_valid and self._validate_console(context, token):
+ return self.tokens[token]
+
+ def delete_tokens_for_instance(self, context, instance_id):
+diff --git a/nova/tests/test_compute.py b/nova/tests/test_compute.py
+index 7bd6fcd..bff08a4 100644
+--- a/nova/tests/test_compute.py
++++ b/nova/tests/test_compute.py
+@@ -767,7 +767,8 @@ class ComputeTestCase(BaseTestCase):
+ console_valid = self.compute_api.validate_vnc_console(self.context,
+ instance['uuid'],
+ 'myhost',
+- '5900')
++ '5900',
++ 'novnc')
+ self.assertTrue(console_valid)
+ self.compute.terminate_instance(self.context, instance['uuid'])
+
+@@ -783,7 +784,8 @@ class ComputeTestCase(BaseTestCase):
+ console_valid = self.compute_api.validate_vnc_console(self.context,
+ instance['uuid'],
+ 'myhost',
+- '5900')
++ '5900',
++ 'novnc')
+ self.assertFalse(console_valid)
+ self.compute.terminate_instance(self.context, instance['uuid'])
+
+@@ -793,7 +795,7 @@ class ComputeTestCase(BaseTestCase):
+ self.compute.run_instance(self.context, instance['uuid'])
+ self.assertRaises(exception.InstanceNotFound,
+ self.compute_api.validate_vnc_console,
+- self.context, 5555, 'myhost', '5900')
++ self.context, 5555, 'myhost', '5900', 'novnc')
+ self.compute.terminate_instance(self.context, instance['uuid'])
+
+ def test_xvpvnc_vnc_console(self):
diff -Nru nova-2012.1.1/debian/patches/series nova-2012.1.1/debian/patches/series
--- nova-2012.1.1/debian/patches/series 2013-03-14 21:09:18.000000000 +0000
+++ nova-2012.1.1/debian/patches/series 2013-04-01 14:49:11.000000000 +0000
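Review bot: In the new `_validate_console(self, context, token)`, every `token_dict[...]` lookup — including the newly added `token_dict['console_type']` — is evaluated inside the call expression whose only handler is `except exception.InstanceNotFound`, so a token dict missing one of those keys raises `KeyError` out of `check_token` instead of yielding `False`; if any token authorized by the pre-patch code can still be present in `self.tokens` when this lands, that is the most likely shape of the failure (inferred — `authorize_console`, which builds the dict, is outside the embedded hunks). Reading the values with `token_dict.get(...)`, or catching `KeyError` alongside `InstanceNotFound`, would turn that into a clean `False` rather than an unhandled exception. Separately, the `pass` branch rejects the token silently; an audit line there, mirroring the `"Checking Token: ..."` call in `check_token`, would leave a record when a token is presented for an instance that no longer exists. The `ConsoleAuthManager` class body continues outside the embedded hunks.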
@@ -11,3 +11,4 @@
 CVE-2013-0335_VNC-proxy-can-connect-to-the-wrong-VM.patch
 CVE-2013-0335_VNC-unit-tests-fixes.patch
 CVE-2013-1838-Nova_DoS_by_allocating_all_Fixed_IPs_essex.patch
+Fixed_broken_vncproxy_flush_tokens.patch