The debdiff
Bastien
diff -Nru fence-agents-4.0.7.1/debian/changelog fence-agents-4.0.7.1/debian/changelog
--- fence-agents-4.0.7.1/debian/changelog 2014-09-23 20:58:24.000000000 +0200
+++ fence-agents-4.0.7.1/debian/changelog 2014-11-16 14:51:30.000000000 +0100
@@ -1,3 +1,13 @@
+fence-agents (4.0.7.1-2.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Security Bug fix (CVE-2014-0104): "fence-agents:
+ no verification of remote SSL certificates",
+ thanks to Moritz Muehlenhoff (Closes: #764801).
+ Need to build-dep on python-requests.
+
+ -- Bastien Roucariès <roucaries.bastien+deb...@gmail.com> Sun, 16 Nov 2014 14:39:37 +0100
+
 fence-agents (4.0.7.1-2.1) unstable; urgency=medium
 * Non-maintainer upload.
diff -Nru fence-agents-4.0.7.1/debian/control fence-agents-4.0.7.1/debian/control
--- fence-agents-4.0.7.1/debian/control 2014-09-23 21:00:37.000000000 +0200
+++ fence-agents-4.0.7.1/debian/control 2014-11-16 14:50:41.000000000 +0100
@@ -15,6 +15,7 @@
 python,
 python-pexpect,
 python-pycurl,
+ python-requests,
 python-suds,
 xsltproc,
 libxml2-utils,
diff -Nru fence-agents-4.0.7.1/debian/patches/0001-verify-ssl-certificate.diff fence-agents-4.0.7.1/debian/patches/0001-verify-ssl-certificate.diff
--- fence-agents-4.0.7.1/debian/patches/0001-verify-ssl-certificate.diff 1970-01-01 01:00:00.000000000 +0100
+++ fence-agents-4.0.7.1/debian/patches/0001-verify-ssl-certificate.diff 2014-11-16 14:37:22.000000000 +0100
@@ -0,0 +1,224 @@
+From e51df7a73141c4d378d12e4a3ade12776e48ebff Mon Sep 17 00:00:00 2001
+From: Marek 'marx' Grac <mg...@redhat.com>
+Date: Wed, 5 Mar 2014 12:49:17 +0100
+Subject: [PATCH] fencing: Add new options --ssl-secure and --ssl-insecure
+
+These new options extends current --ssl (same as --ssl-secure). Until now certificate of the fence device
+was not validated what can possibly lead to attack on infrastructe. With this patch, user can decide
+if certificate should (--ssl-secure) or should not (--ssl-insecure) be verified.
+
+This patch fix CVE-2014-0104.
+
+bug-fedora: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0104
+bug-debian: https://bugs.debian.org/764801
+---
+ fence/agents/cisco_ucs/fence_cisco_ucs.py | 10 ++++++-
+ fence/agents/lib/fencing.py.py | 29 ++++++++++++++++++---
+ fence/agents/rhevm/fence_rhevm.py | 11 ++++++--
+ fence/agents/vmware_soap/fence_vmware_soap.py | 34 +++++++++++++++++++++---
+ 4 files changed, 70 insertions(+), 14 deletions(-)
+
+diff a/fence/agents/cisco_ucs/fence_cisco_ucs.py b/fence/agents/cisco_ucs/fence_cisco_ucs.py
+index 71782cb..1e9d983 100644
+Index: fence-agents-4.0.7.1/fence/agents/cisco_ucs/fence_cisco_ucs.py
+===================================================================
+--- fence-agents-4.0.7.1.orig/fence/agents/cisco_ucs/fence_cisco_ucs.py
++++ fence-agents-4.0.7.1/fence/agents/cisco_ucs/fence_cisco_ucs.py
+@@ -85,8 +85,14 @@ def send_command(opt, command, timeout):
+ c.setopt(pycurl.POSTFIELDS, command)
+ c.setopt(pycurl.WRITEFUNCTION, b.write)
+ c.setopt(pycurl.TIMEOUT, timeout)
+- c.setopt(pycurl.SSL_VERIFYPEER, 0)
+- c.setopt(pycurl.SSL_VERIFYHOST, 0)
++ if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
++ c.setopt(pycurl.SSL_VERIFYPEER, 1)
++ c.setopt(pycurl.SSL_VERIFYHOST, 2)
++
++ if opt.has_key("--ssl-insecure"):
++ c.setopt(pycurl.SSL_VERIFYPEER, 0)
++ c.setopt(pycurl.SSL_VERIFYHOST, 0)
++
+ c.perform()
+ result = b.getvalue()
+
+Index: 
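Review bot: The two `if` blocks added around SSL_VERIFYPEER/SSL_VERIFYHOST in send_command are not mutually exclusive, so an invocation that passes both `--ssl` and `--ssl-insecure` silently ends up unverified because the second block runs last; `elif opt.has_key("--ssl-insecure"):` or an explicit conflict check during option parsing would pin the precedence. Enabling SSL_VERIFYPEER also means the device certificate must chain to libcurl's default CA bundle, and fence devices are commonly deployed with self-signed or private-CA certificates; nothing in this hunk lets the operator point pycurl at such a CA (something like `c.setopt(pycurl.CAINFO, opt["--ssl-ca-file"])` behind a new option), so in practice users may be pushed back to `--ssl-insecure`. With neither flag present the verification options are left untouched and pycurl's defaults apply, which is fine for the plain-HTTP case. send_command's body continues outside the hunk on both sides.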
fence-agents-4.0.7.1/fence/agents/lib/fencing.py.py
+===================================================================
+--- fence-agents-4.0.7.1.orig/fence/agents/lib/fencing.py.py
++++ fence-agents-4.0.7.1/fence/agents/lib/fencing.py.py
+@@ -170,6 +170,23 @@ all_opt = {
+ "required" : "0",
+ "shortdesc" : "SSL connection",
+ "order" : 1 },
++ "ssl_insecure" : {
++ "getopt" : "9",
++ "longopt" : "ssl-insecure",
++ "help" : "--ssl-insecure Use ssl connection without verifying certificate",
++ "required" : "0",
++ "shortdesc" : "SSL connection without verifying fence device's certificate",
++ "order" : 1 },
++ "ssl_secure" : {
++ "getopt" : "9",
++ "longopt" : "ssl-secure",
++ "help" : "--ssl-secure Use ssl connection with verifying certificate",
++ "required" : "0",
++ "shortdesc" : "SSL connection with verifying fence device's certificate",
++ "order" : 1 },
++ "notls" : {
++ "getopt" : "t",
++ "longopt" : "notls"},
+ "port" : {
+ "getopt" : "n:",
+ "longopt" : "plug",
+@@ -362,6 +379,7 @@ DEPENDENCY_OPT = {
+ "secure" : [ "identity_file", "ssh_options" ],
+ "ipaddr" : [ "ipport", "inet4_only", "inet6_only" ],
+ "port" : [ "separator" ],
++ "ssl" : [ "ssl_secure", "ssl_insecure" ],
+ "community" : [ "snmp_auth_prot", "snmp_sec_level", "snmp_priv_prot", \
+ "snmp_priv_passwd", "snmp_priv_passwd_script" ]
+ }
+@@ -637,7 +655,7 @@ def check_input(device_opt, opt):
+ elif options.has_key("--ssh"):
+ all_opt["ipport"]["default"] = 22
+ all_opt["ipport"]["help"] = "-u, --ipport=[port] TCP/UDP port to use (default 22)"
+- elif options.has_key("--ssl"):
++ elif options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
+ all_opt["ipport"]["default"] = 443
+ all_opt["ipport"]["help"] = "-u, --ipport=[port] TCP/UDP port to use (default 443)"
+ elif device_opt.count("web"):
+@@ -730,7 +748,7 @@ def check_input(device_opt, opt):
+ if options.has_key("--ipport") == False:
+ if options.has_key("--ssh"):
+ options["--ipport"] = 22
+- elif 
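Review bot: The new `"notls"` entry in all_opt carries only `getopt` and `longopt`, while every neighbouring option, including the two `ssl_*` entries added in the same hunk, also defines `help`, `required`, `shortdesc` and `order`; if the usage/metadata generator reads those keys unconditionally, any agent that lists `notls` will break at documentation time, and either way the flag stays invisible to users. Since `--notls` (see the fence_login hunk) forces an SSL 3.0-only GnuTLS priority string, the help text should state the trade-off plainly, e.g. `"help" : "--notls Disable TLS and force SSL 3.0 (insecure, only for legacy devices)"`, with a matching `shortdesc`, `"required" : "0"` and `"order" : 1`. The adjacent DEPENDENCY_OPT hunk pulls `ssl_secure`/`ssl_insecure` in under `ssl` but not `notls`, so it is worth confirming how an agent is expected to expose it at all.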
options.has_key("--ssl"):
++ elif options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
+ options["--ipport"] = 443
+ elif device_opt.count("web"):
+ options["--ipport"] = 80
+@@ -960,7 +978,17 @@ def fence_login(options, re_login_string
+ re_pass = re.compile("(password)|(pass phrase)", re.IGNORECASE)
+
+ if options.has_key("--ssl"):
+- command = '%s --insecure --crlf -p %s %s' % (SSL_PATH, options["--ipport"], options["--ip"])
++ gnutls_opts = ""
++ ssl_opts = ""
++
++ if options.has_key("--notls"):
++ gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0\""
++
++ # --ssl is same as the --ssl-secure
++ if options.has_key("--ssl-insecure"):
++ ssl_opts = "--insecure"
++
++ command = '%s %s %s --crlf -p %s %s' % (SSL_PATH, gnutls_opts, ssl_opts, options["--ipport"], options["--ip"])
+ try:
+ conn = fspawn(options, command)
+ except pexpect.ExceptionPexpect, ex:
+Index: fence-agents-4.0.7.1/fence/agents/rhevm/fence_rhevm.py
+===================================================================
+--- fence-agents-4.0.7.1.orig/fence/agents/rhevm/fence_rhevm.py
++++ fence-agents-4.0.7.1/fence/agents/rhevm/fence_rhevm.py
+@@ -84,8 +84,13 @@ def send_command(opt, command, method =
+ c.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)
+ c.setopt(pycurl.USERPWD, opt["--username"] + ":" + opt["--password"])
+ c.setopt(pycurl.TIMEOUT, int(opt["--shell-timeout"]))
+- c.setopt(pycurl.SSL_VERIFYPEER, 0)
+- c.setopt(pycurl.SSL_VERIFYHOST, 0)
++ if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
++ c.setopt(pycurl.SSL_VERIFYPEER, 1)
++ c.setopt(pycurl.SSL_VERIFYHOST, 2)
++
++ if opt.has_key("--ssl-insecure"):
++ c.setopt(pycurl.SSL_VERIFYPEER, 0)
++ c.setopt(pycurl.SSL_VERIFYHOST, 0)
+
+ if (method == "POST"):
+ c.setopt(pycurl.POSTFIELDS, "<action />")
+Index: fence-agents-4.0.7.1/fence/agents/vmware_soap/fence_vmware_soap.py
+===================================================================
+--- 
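Review bot: The rewritten branch in fence_login still enters the gnutls-cli path only when `--ssl` is present, whereas the check_input hunks above accept `--ssl-secure`/`--ssl-insecure` as alternatives; unless an earlier part of check_input folds the new flags into `options["--ssl"]` (not visible here), an agent invoked with `--ssl-insecure` alone gets port 443 defaulted but then falls through to the non-SSL login. The condition should mirror the others: `if options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):`. Separately, the `--notls` priority string removes every TLS version and enables only SSL 3.0, a protocol already deprecated after the POODLE disclosure; a comment such as `# --notls forces SSL 3.0 only (insecure); kept for legacy devices that cannot negotiate TLS` beside `gnutls_opts` would make that trade-off explicit to the next maintainer. fence_login's body continues outside the hunk.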
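Review bot: As in the cisco_ucs hunk, the secure and insecure `if` blocks in send_command are independent, so `--ssl --ssl-insecure` resolves to no verification without any warning; `elif opt.has_key("--ssl-insecure"):`, or rejecting the combination up front, would pin the precedence. This agent sends `opt["--username"]` and `opt["--password"]` with HTTPAUTH_BASIC on every request, so certificate verification is the only thing keeping those credentials from an on-path attacker when https is used, and the `--ssl-insecure` help text should say that. The URL scheme is chosen outside this hunk, so I would also confirm that `--ssl-secure`/`--ssl-insecure` alone actually select https rather than only the verification level.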
fence-agents-4.0.7.1.orig/fence/agents/vmware_soap/fence_vmware_soap.py
++++ fence-agents-4.0.7.1/fence/agents/vmware_soap/fence_vmware_soap.py
+@@ -2,10 +2,14 @@
+
+ import sys, exceptions, time
+ import shutil, tempfile, suds
++ import logging, requests, cookielib
++
+ sys.path.append("@FENCEAGENTSLIBDIR@")
+
+ from suds.client import Client
+ from suds.sudsobject import Property
++ from suds.transport.http import HttpAuthenticated
++ from suds.transport import Reply, TransportError
+ from fencing import *
+
+ #BEGIN_VERSION_GENERATION
+@@ -14,13 +18,32 @@ REDHAT_COPYRIGHT=""
+ BUILD_DATE="April, 2011"
+ #END_VERSION_GENERATION
+
++class RequestsTransport(HttpAuthenticated):
++ def __init__(self, **kwargs):
++ self.cert = kwargs.pop('cert', None)
++ self.verify = kwargs.pop('verify', True)
++ self.cookiejar = cookielib.CookieJar()
++ # super won't work because not using new style class
++ HttpAuthenticated.__init__(self, **kwargs)
++
++ def send(self, request):
++ self.addcredentials(request)
++ resp = requests.post(request.url, data = request.message, headers = request.headers, cert = self.cert, verify = self.verify, cookies = self.cookiejar)
++ result = Reply(resp.status_code, resp.headers, resp.content)
++ return result
++
+ def soap_login(options):
+ if options["-o"] in ["off", "reboot"]:
+ time.sleep(int(options["--delay"]))
+
+- if options.has_key("--ssl"):
++ if options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
++ if options.has_key("--ssl-insecure"):
++ verify = False
++ else:
++ verify = True
+ url = "https://"
+ else:
++ verify = False
+ url = "http://"
+
+ url += options["--ip"] + ":" + str(options["--ipport"]) + "/sdk"
+@@ -28,10 +51,10 @@ def soap_login(options):
+ tmp_dir = tempfile.mkdtemp()
+ tempfile.tempdir = tmp_dir
+ atexit.register(remove_tmp_dir, tmp_dir)
+-
++
+ try:
+- conn = Client(url + "/vimService.wsdl")
+- conn.set_options(location = url)
++ headers = {"Content-Type" : 
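Review bot: `requests.post` in RequestsTransport.send is called without a `timeout`, so a fence target that accepts the TCP connection and then stalls will hang the agent indefinitely; for a fencing agent that is an availability defect, because the cluster cannot escalate until the agent returns. The fence_rhevm hunk in this same patch applies `--shell-timeout` to pycurl, and the same can be done here if that option is available to this agent: `self.timeout = kwargs.pop('timeout', None)` in `__init__`, `timeout = self.timeout` added to the `requests.post` call, and `RequestsTransport(verify = verify, timeout = int(options["--shell-timeout"]))` where the transport is constructed in soap_login. I would also confirm that the session cookie vSphere returns on Login survives across calls: `cookies = self.cookiejar` hands the jar to a one-shot `requests.post`, and as far as I know response cookies are not written back into a jar passed that way, so later SOAP calls may go out without the session unless `resp.cookies` is merged into `self.cookiejar`. The `TransportError` import and the `cert` argument are unused in this hunk and could be dropped.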
"text/xml;charset=UTF-8", "SOAPAction" : ""} ++ conn = Client(url + "/vimService.wsdl", location = url, transport = RequestsTransport(verify = verify), headers = headers) + + mo_ServiceInstance = Property('ServiceInstance') + mo_ServiceInstance._type = 'ServiceInstance' +@@ -40,6 +63,8 @@ def soap_login(options): + mo_SessionManager._type = 'SessionManager' + + SessionManager = conn.service.Login(mo_SessionManager, options["--username"], options["--password"]) ++ except requests.exceptions.SSLError, ex: ++ fail_usage("Server side certificate verification failed") + except Exception, ex: + fail(EC_LOGIN_DENIED) + +@@ -199,6 +224,11 @@ Alternatively you can always use UUID to + docs["vendorurl"] = "http://www.vmware.com" + show_docs(options, docs) + ++ ++ logging.basicConfig(level=logging.INFO) ++ logging.getLogger('suds.client').setLevel(logging.CRITICAL) ++ logging.getLogger("requests").setLevel(logging.CRITICAL) ++ + ## + ## Operate the fencing device + #### diff -Nru fence-agents-4.0.7.1/debian/patches/series fence-agents-4.0.7.1/debian/patches/series --- fence-agents-4.0.7.1/debian/patches/series 2013-03-21 09:28:38.000000000 +0100 +++ fence-agents-4.0.7.1/debian/patches/series 2014-11-16 14:27:59.000000000 +0100 @@ -0,0 +1 @@ +0001-verify-ssl-certificate.diff diff -Nru fence-agents-4.0.7.1/debian/.pc/.quilt_patches fence-agents-4.0.7.1/debian/.pc/.quilt_patches --- fence-agents-4.0.7.1/debian/.pc/.quilt_patches 1970-01-01 01:00:00.000000000 +0100 +++ fence-agents-4.0.7.1/debian/.pc/.quilt_patches 2014-11-16 14:28:14.000000000 +0100 @@ -0,0 +1 @@ +patches diff -Nru fence-agents-4.0.7.1/debian/.pc/.quilt_series fence-agents-4.0.7.1/debian/.pc/.quilt_series --- fence-agents-4.0.7.1/debian/.pc/.quilt_series 1970-01-01 01:00:00.000000000 +0100 +++ fence-agents-4.0.7.1/debian/.pc/.quilt_series 2014-11-16 14:28:14.000000000 +0100 
@@ -0,0 +1 @@
+series
diff -Nru fence-agents-4.0.7.1/debian/.pc/.version fence-agents-4.0.7.1/debian/.pc/.version
--- fence-agents-4.0.7.1/debian/.pc/.version 1970-01-01 01:00:00.000000000 +0100
+++ fence-agents-4.0.7.1/debian/.pc/.version 2014-11-16 14:28:14.000000000 +0100
@@ -0,0 +1 @@
+2