Bug#704468: unblock: nova/2012.1.1-16 (upstream fix for vncproxy after the last security fix broke it)

2013-04-01 Thread Thomas Goirand 
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

The security fix Nova DoS by allocating all Fixed IPs broke the
vncproxy feature of Nova. Version 2012.1.1-16 correct this.

Also, there was a typo in the nova-common postinst, which this
upload corrects:

if [  $RET = false ]; then

(see the added space, which makes the statement always false...)

Last, Julien Cristau reported (as a Nova user, not as a release
team member) that postgresql:// works, but not pgsql://, so I
fixed the nova-common.postinst for that.

Debdiff is attached. Please unblock nova/2012.1.1-16.

Thomas Goirand (zigo)
diff -Nru nova-2012.1.1/debian/changelog nova-2012.1.1/debian/changelog
--- nova-2012.1.1/debian/changelog	2013-03-14 21:09:18.0 +
+++ nova-2012.1.1/debian/changelog	2013-04-01 14:49:11.0 +
@@ -1,3 +1,12 @@
+nova (2012.1.1-16) unstable; urgency=low
+
+  * Fixes console auth after security fix (Closes: #703242).
+  * Fixes a typo in debian/nova-common.postinst when activating NOVA_ENABLE.
+  * Fixes the DNS in the case of PGSQL: now it really is postgresql:// and not
+qgsql://.
+
+ -- Thomas Goirand z...@debian.org  Mon, 18 Mar 2013 13:32:52 +0800
+
 nova (2012.1.1-15) unstable; urgency=low
 
   * CVE-2013-1838: Nova DoS by allocating all Fixed IPs (Closes: #703064).
diff -Nru nova-2012.1.1/debian/nova-common.postinst nova-2012.1.1/debian/nova-common.postinst
--- nova-2012.1.1/debian/nova-common.postinst	2013-03-14 21:09:18.0 +
+++ nova-2012.1.1/debian/nova-common.postinst	2013-04-01 14:49:11.0 +
@@ -55,7 +55,7 @@
 ;;
 pgsql)
 [ -n $dbc_dbport ]  dbport=:$dbc_dbport
-SQL_CONNECTION=pgsql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname
+SQL_CONNECTION=postgresql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname
 ;;
 *)
 SQL_CONNECTION=sqlite:///$dbc_basepath/$dbc_dbname
@@ -71,7 +71,7 @@
 fi
 fi
 db_get nova-common/start_services
-if [  $RET = false ]; then
+if [ $RET = false ]; then
 sed -e s,^NOVA_ENABLE=.\+,NOVA_ENABLE=false, -i /etc/default/nova
 fi
 fi
diff -Nru nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch
--- nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch	1970-01-01 00:00:00.0 +
+++ nova-2012.1.1/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch	2013-04-01 14:49:11.0 +
@@ -0,0 +1,98 @@
+Description: Fixed broken vncproxy flush tokens patch
+ This review (https://review.openstack.org/22872) attempted to
+ resolve a critical security issue but ended up completely breaking
+ the vncproxy. The wrong dict keys were being used for Essex and the
+ API calls were incomplete. This patch makes the proxy work again.
+Author: Rafi Khardalian r...@metacloud.com
+Origin: upstream, https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff_plain;h=48e81f1554ce41c3d4f7445421d19f4a8128e98d
+Bug-Debian: http://bugs.debian.org/703242
+Bug-Ubuntu: https://launchpad.net/bugs/1125378
+Date: Thu, 7 Mar 2013 00:19:08 + (+)
+
+diff --git a/nova/compute/api.py b/nova/compute/api.py
+index a317c44..8309fbb 100644
+--- a/nova/compute/api.py
 b/nova/compute/api.py
+@@ -1561,12 +1561,14 @@ class API(BaseAPI):
+ return {'url': connect_info['access_url']}
+ 
+ @wrap_check_policy
+-def validate_vnc_console(self, context, instance_id, host, port):
++def validate_vnc_console(self, context, instance_id, host, port,
++ console_type):
+ Validate VNC Console for an instance.
+ instance = self.get(context, instance_id)
+ output = self._call_compute_message('get_vnc_console',
+-context,
+-instance)
++context,
++instance,
++params={console_type: console_type})
+ return (port == output['port'] and host == output['host'])
+ 
+ @wrap_check_policy
+diff --git a/nova/consoleauth/manager.py b/nova/consoleauth/manager.py
+index 5690ef3..507bdc5 100644
+--- a/nova/consoleauth/manager.py
 b/nova/consoleauth/manager.py
+@@ -84,14 +84,15 @@ class ConsoleAuthManager(manager.Manager):
+ 
+ LOG.audit(_(Received Token: %(token)s, %(token_dict)s)), locals())
+ 
+-def _validate_console(self, token):
++def _validate_console(self, context, token):
+ console_valid = False
+ token_dict = self.tokens[token]
+ try:
+ console_valid = self.compute_api.validate_vnc_console(context,
+-token_dict['instance_uuid'],
++

Bug#704468: unblock: nova/2012.1.1-16 (upstream fix for vncproxy after the last security fix broke it)

2013-04-01 Thread Adam D. Barratt 
Control: tags -1 + moreinfo

On Mon, 2013-04-01 at 23:08 +0800, Thomas Goirand wrote:
 The security fix Nova DoS by allocating all Fixed IPs broke the
 vncproxy feature of Nova. Version 2012.1.1-16 correct this.

You downgraded the relevant bug (#703242) from grave to only important
a few days ago. Could you clarify what you consider the severity of this
issue to be?

 Also, there was a typo in the nova-common postinst, which this
 upload corrects:
 
 if [  $RET = false ]; then
 
 (see the added space, which makes the statement always false...)
 
 Last, Julien Cristau reported (as a Nova user, not as a release
 team member) that postgresql:// works, but not pgsql://, so I
 fixed the nova-common.postinst for that.

fwiw:

+  * Fixes the DNS in the case of PGSQL: now it really is postgresql:// and not
+qgsql://.

s/qg/pg/

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#704468: unblock: nova/2012.1.1-16 (upstream fix for vncproxy after the last security fix broke it)

2013-04-01 Thread Thomas Goirand 
On 04/01/2013 11:24 PM, Adam D. Barratt wrote:
 Control: tags -1 + moreinfo
 
 On Mon, 2013-04-01 at 23:08 +0800, Thomas Goirand wrote:
 The security fix Nova DoS by allocating all Fixed IPs broke the
 vncproxy feature of Nova. Version 2012.1.1-16 correct this.
 
 You downgraded the relevant bug (#703242) from grave to only important
 a few days ago. Could you clarify what you consider the severity of this
 issue to be?

I'm not really sure. The bug for the vnc proxy package itself really is:

grave: makes the package in question unusable by most or all users

(since the daemon crashes because of this bug).

Though this really is only a problem with this particular binary
package, not for the whole of Nova itself, which continues to be usable.
If we consider Nova as a whole, then it would be:

important: a bug which has a major effect on the usability of a
package, without rendering it completely unusable to everyone.

So depending if the bug severity applies to the binary package
nova-xvpvncproxy, or to all of Nova, it could be considered either Grave
or Important.

I downgraded this bug because I thought it didn't deserve a huge
highlight at this point of the release, and I thought it was a bad idea
to have it as RC at this point in time. In other words: I didn't #704468
was a reason good enough to delay Wheezy, and have others focus on it
when I knew that upstream was working on validating the patch, even
though a fix would have been nice.

I hope you will find my reasoning correct.

 fwiw:
 
 +  * Fixes the DNS in the case of PGSQL: now it really is postgresql:// and 
 not
 +qgsql://.
 
 s/qg/pg/

Right. And also: s/DNS/DSN/. Sorry for these. I have fixed this
changelog entry in the Git repository on Alioth, so it will be fixed
if/when there is the need for a QA upload on this package.

Cheers,

Thomas


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org