Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

The security fix "Nova DoS by allocating all Fixed IPs" broke the
vncproxy feature of Nova. Version 2012.1.1-16 corrects this.

Also, there was a typo in the nova-common postinst, which this
upload corrects:

if [ $RET = false ]; then

(see the added space, which makes the statement always false...)

Last, Julien Cristau reported (as a Nova user, not as a release
team member) that postgresql:// works, but not pgsql://, so I
fixed the nova-common.postinst for that.

Debdiff is attached. Please unblock nova/2012.1.1-16.

Thomas Goirand (zigo)

diff -Nru nova-2012.1.1/debian/changelog nova-2012.1.1/debian/changelog
--- nova-2012.1.1/debian/changelog 2013-03-14 21:09:18.0 +
+++ nova-2012.1.1/debian/changelog 2013-04-01 14:49:11.0 +
@@ -1,3 +1,12 @@
+nova (2012.1.1-16) unstable; urgency=low
+
+ * Fixes console auth after security fix (Closes: #703242).
+ * Fixes a typo in debian/nova-common.postinst when activating NOVA_ENABLE.
+ * Fixes the DNS in the case of PGSQL: now it really is postgresql:// and not
+qgsql://.
+
+ -- Thomas Goirand z...@debian.org Mon, 18 Mar 2013 13:32:52 +0800
+
nova (2012.1.1-15) unstable; urgency=low
* CVE-2013-1838: Nova DoS by allocating all Fixed IPs (Closes: #703064).
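
Review bot: The third changelog bullet says "DNS" where it means DSN (the SQL connection string), and it names the old scheme as "qgsql://" while the nova-common.postinst hunk replaces "pgsql://"; both should be corrected so the entry matches the change. The trailer date (Mon, 18 Mar 2013) also predates the 2013-04-01 file timestamp, so it is worth refreshing before upload.
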
diff -Nru nova-2012.1.1/debian/nova-common.postinst nova-2012.1.1/debian/nova-common.postinst
--- nova-2012.1.1/debian/nova-common.postinst 2013-03-14 21:09:18.0 +
+++ nova-2012.1.1/debian/nova-common.postinst 2013-04-01 14:49:11.0 +
@@ -55,7 +55,7 @@
;;
pgsql)
[ -n $dbc_dbport ] dbport=:$dbc_dbport
-SQL_CONNECTION=pgsql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname
+SQL_CONNECTION=postgresql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname
;;
*)
SQL_CONNECTION=sqlite:///$dbc_basepath/$dbc_dbname
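
Review bot: On the new SQL_CONNECTION=postgresql:// line, $dbc_dbuser and $dbc_dbpass are interpolated into the URL unescaped, so a password containing @, : or / yields a connection string that parses to the wrong host or database. Percent-encode the credentials before building the URL, or restrict the characters the password may contain.
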
@@ -71,7 +71,7 @@
fi
fi
db_get nova-common/start_services
-if [ $RET = false ]; then
+if [ $RET = false ]; then
sed -e s,^NOVA_ENABLE=.\+,NOVA_ENABLE=false, -i /etc/default/nova
fi
fi
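
Review bot: The removed and added "if [ $RET = false ]; then" lines are identical as shown, so the stray-space fix described in the request cannot be confirmed from this hunk; please resend the debdiff with whitespace and quoting preserved. As displayed the test is also unquoted, so an empty $RET would make [ fail with a syntax error rather than evaluate to false; quote it as "$RET".
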
diff -Nru nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch
--- nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch 1970-01-01 00:00:00.0 +
+++ nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch 2013-04-01 14:49:11.0 +
@@ -0,0 +1,98 @@
+Description: Fixed broken vncproxy flush tokens patch
+ This review (https://review.openstack.org/22872) attempted to
+ resolve a critical security issue but ended up completely breaking
+ the vncproxy. The wrong dict keys were being used for Essex and the
+ API calls were incomplete. This patch makes the proxy work again.
+Author: Rafi Khardalian r...@metacloud.com
+Origin: upstream, https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff_plain;h=48e81f1554ce41c3d4f7445421d19f4a8128e98d
+Bug-Debian: http://bugs.debian.org/703242
+Bug-Ubuntu: https://launchpad.net/bugs/1125378
+Date: Thu, 7 Mar 2013 00:19:08 + (+)
+
+diff --git a/nova/compute/api.py b/nova/compute/api.py
+index a317c44..8309fbb 100644
+--- a/nova/compute/api.py
b/nova/compute/api.py
+@@ -1561,12 +1561,14 @@ class API(BaseAPI):
+ return {'url': connect_info['access_url']}
+
+ @wrap_check_policy
+-def validate_vnc_console(self, context, instance_id, host, port):
++def validate_vnc_console(self, context, instance_id, host, port,
++ console_type):
+ Validate VNC Console for an instance.
+ instance = self.get(context, instance_id)
+ output = self._call_compute_message('get_vnc_console',
+-context,
+-instance)
++context,
++instance,
++params={console_type: console_type})
+ return (port == output['port'] and host == output['host'])
+
+ @wrap_check_policy
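
Review bot: validate_vnc_console now takes console_type as a required positional argument with no default, so any caller still passing four arguments fails with a TypeError at the moment a console token is validated; confirm every call site is updated in this patch or give the parameter a default. As displayed, params={console_type: console_type} also keys the dict by the variable's value rather than the string 'console_type', and the docstring does not mention the new argument.
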
+diff --git a/nova/consoleauth/manager.py b/nova/consoleauth/manager.py
+index 5690ef3..507bdc5 100644
+--- a/nova/consoleauth/manager.py
b/nova/consoleauth/manager.py
+@@ -84,14 +84,15 @@ class ConsoleAuthManager(manager.Manager):
+
+ LOG.audit(_(Received Token: %(token)s, %(token_dict)s)), locals())
+
+-def _validate_console(self, token):
++def _validate_console(self, context, token):
+ console_valid = False
+ token_dict = self.tokens[token]
+ try:
+ console_valid = self.compute_api.validate_vnc_console(context,
+-token_dict['instance_uuid'],
++
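
Review bot: In _validate_console, the context line token_dict = self.tokens[token] sits before the try:, so a token that is missing or already flushed raises KeyError instead of leaving console_valid as False, unless every caller checks membership first. Move the lookup inside the try, or use self.tokens.get(token) and return False when it is absent. The LOG.audit context line above it also writes the raw token into the log, which hands console access to anyone who can read that log; log a truncated or hashed form instead. The hunk is cut off after the instance_uuid line here, so the replacement key cannot be reviewed.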