Package: release.debian.org Severity: important User: release.debian....@packages.debian.org Usertags: unblock
Dear release team, Version 2014.1.3-6 of Neutron include a fix for CVE-2014-7821: DoS through invalid DNS configuration. The fix is really minimal, it's basically a change in the regexp that was taking too long to validate input. Debdiff attached. Please unblock neutron/2014.1.3-6. Cheers, Thomas Goirand (zigo)
diff -Nru neutron-2014.1.3/debian/changelog neutron-2014.1.3/debian/changelog --- neutron-2014.1.3/debian/changelog 2014-10-25 08:09:28.000000000 +0000 +++ neutron-2014.1.3/debian/changelog 2014-11-21 08:26:09.000000000 +0000 @@ -1,3 +1,10 @@ +neutron (2014.1.3-6) unstable; urgency=high + + * CVE-2014-7821: DoS through invalid DNS configuration. Applied upstream + patch: Fix hostname regex pattern (Closes: #770431). + + -- Thomas Goirand <z...@debian.org> Fri, 21 Nov 2014 16:25:18 +0800 + neutron (2014.1.3-5) unstable; urgency=medium * Adds Danish debconf translations thanks to Joe Dalton <joedalt...@yahoo.dk> diff -Nru neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch --- neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch 1970-01-01 00:00:00.000000000 +0000 +++ neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch 2014-11-21 08:26:09.000000000 +0000 @@ -0,0 +1,38 @@ +Description: CVE-2014-7821: Fix hostname regex pattern + Current hostname_pattern regex complexity grows exponentially when given a + string of just digits, which can be exploited to cause neutron-server to + freeze. +Author: John Perkins <john.perk...@rackspace.com> +Origin: upstream, https://review.openstack.org/#/c/135624/ +Date: Mon Oct 6 16:24:57 2014 -0500 +Bug-Debian: https://bugs.debian.org/770431 +Bug-Ubuntu: https://launchpad.net/bugs/1378450 +Last-Update: 2014-11-21 + +Index: neutron/neutron/api/v2/attributes.py +=================================================================== +--- neutron.orig/neutron/api/v2/attributes.py 2014-10-25 16:10:17.000000000 +0800 ++++ neutron/neutron/api/v2/attributes.py 2014-11-21 16:22:21.000000000 +0800 +@@ -537,8 +537,8 @@ + return [data] + + +-HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]" +- "{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)") ++HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+.|-)[a-zA-Z0-9_\-]{1,62}" ++ "[a-zA-Z0-9]\.?)+(?:[a-zA-Z]{2,})$)") + + HEX_ELEM = '[0-9A-Fa-f]' + UUID_PATTERN = '-'.join([HEX_ELEM + '{8}', HEX_ELEM + '{4}', +Index: neutron/neutron/tests/unit/test_attributes.py +=================================================================== +--- neutron.orig/neutron/tests/unit/test_attributes.py 2014-10-25 16:10:17.000000000 +0800 ++++ neutron/neutron/tests/unit/test_attributes.py 2014-11-21 16:22:21.000000000 +0800 +@@ -283,6 +283,7 @@ + ['www.hostname.com', 'www.hostname.com'], + ['77.hostname.com'], + ['1000.0.0.1'], ++ ['111111111111111111111111111111111111111111111111111111111111'], # noqa + None] + + for ns in ns_pools: diff -Nru neutron-2014.1.3/debian/patches/series neutron-2014.1.3/debian/patches/series --- neutron-2014.1.3/debian/patches/series 2014-10-25 08:09:28.000000000 +0000 +++ neutron-2014.1.3/debian/patches/series 2014-11-21 08:26:09.000000000 +0000 @@ -5,3 +5,4 @@ Properly_apply_column_default_in_migration_pool_monitor_status.patch #sane-defaults-for-ml2_conf.ini.patch #sane-defaults-for-dhcp_agent.ini.patch +cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch