On 11/21/2014 05:18 PM, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: important
> User: release.debian....@packages.debian.org
> Usertags: unblock
> 
> Dear release team,
> 
> Version 2014.1.3-6 of Neutron includes a fix for CVE-2014-7821: DoS through
> invalid DNS configuration. The fix is really minimal, it's basically a change
> in the regexp that was taking too long to validate input. Debdiff attached.
> 
> Please unblock neutron/2014.1.3-6.
> 
> Cheers,
> 
> Thomas Goirand (zigo)

Hi,

I've added another patch to remove the use of PROTOCOL_SSLv3 in oslo
incubator, included in Neutron, since that support is gone from Debian
Sid. I'm not sure if Neutron uses that, but I just want to be safe here.
I've attached the new debdiff. (Note that all unit tests but one Cisco-related
one are passing, just like before...)

Cheers,

Thomas Goirand (zigo)

diff -Nru neutron-2014.1.3/debian/changelog neutron-2014.1.3/debian/changelog
--- neutron-2014.1.3/debian/changelog   2014-10-25 08:09:28.000000000 +0000
+++ neutron-2014.1.3/debian/changelog   2014-11-21 10:37:54.000000000 +0000
@@ -1,3 +1,16 @@
+neutron (2014.1.3-7) unstable; urgency=high
+
+  * Add a patch to not use PROTOCOL_SSLv3 which is gone from Python in Sid.
+
+ -- Thomas Goirand <z...@debian.org>  Fri, 21 Nov 2014 10:37:07 +0000
+
+neutron (2014.1.3-6) unstable; urgency=high
+
+  * CVE-2014-7821: DoS through invalid DNS configuration. Applied upstream
+    patch: Fix hostname regex pattern (Closes: #770431).
+
+ -- Thomas Goirand <z...@debian.org>  Fri, 21 Nov 2014 16:25:18 +0800
+
 neutron (2014.1.3-5) unstable; urgency=medium
 
   * Adds Danish debconf translations thanks to Joe Dalton <joedalt...@yahoo.dk>
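Review bot: the 2014.1.3-7 entry records that a patch stops using PROTOCOL_SSLv3 but not the user-visible consequence, namely that the `sslv3` value of the ssl_version setting disappears with it (do-not-use-PROTOCOL_SSLv3.patch removes that key from `_SSL_PROTOCOLS`). An operator who configured `ssl_version = sslv3` will find that value no longer accepted after the upgrade, so state it in the entry, or in a NEWS file, together with the remaining choices (`tlsv1`, `sslv23`).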
diff -Nru 
neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch
 
neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch
--- 
neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch
  1970-01-01 00:00:00.000000000 +0000
+++ 
neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch
  2014-11-21 10:37:54.000000000 +0000
@@ -0,0 +1,38 @@
+Description: CVE-2014-7821: Fix hostname regex pattern
+ Current hostname_pattern regex complexity grows exponentially when given a
+ string of just digits, which can be exploited to cause neutron-server to
+ freeze.
+Author: John Perkins <john.perk...@rackspace.com>
+Origin: upstream, https://review.openstack.org/#/c/135624/
+Date:   Mon Oct 6 16:24:57 2014 -0500
+Bug-Debian: https://bugs.debian.org/770431
+Bug-Ubuntu: https://launchpad.net/bugs/1378450
+Last-Update: 2014-11-21
+
+Index: neutron/neutron/api/v2/attributes.py
+===================================================================
+--- neutron.orig/neutron/api/v2/attributes.py  2014-10-25 16:10:17.000000000 
+0800
++++ neutron/neutron/api/v2/attributes.py       2014-11-21 16:22:21.000000000 
+0800
+@@ -537,8 +537,8 @@
+         return [data]
+ 
+ 
+-HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]"
+-                    "{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)")
++HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+.|-)[a-zA-Z0-9_\-]{1,62}"
++                    "[a-zA-Z0-9]\.?)+(?:[a-zA-Z]{2,})$)")
+ 
+ HEX_ELEM = '[0-9A-Fa-f]'
+ UUID_PATTERN = '-'.join([HEX_ELEM + '{8}', HEX_ELEM + '{4}',
+Index: neutron/neutron/tests/unit/test_attributes.py
+===================================================================
+--- neutron.orig/neutron/tests/unit/test_attributes.py 2014-10-25 
16:10:17.000000000 +0800
++++ neutron/neutron/tests/unit/test_attributes.py      2014-11-21 
16:22:21.000000000 +0800
+@@ -283,6 +283,7 @@
+                     ['www.hostname.com', 'www.hostname.com'],
+                     ['77.hostname.com'],
+                     ['1000.0.0.1'],
++                    
['111111111111111111111111111111111111111111111111111111111111'],  # noqa
+                     None]
+ 
+         for ns in ns_pools:
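Review bot: the rewritten lookahead in `HOSTNAME_PATTERN` drops the backslash before the dot, turning `(?!\d+\.|-)` into `(?!\d+.|-)`, and that is a semantic change rather than a cleanup: `\d+.` matches digits followed by any character, so a label that merely starts with a digit (`3com.example.org`) is now rejected, where before only digits followed by a dot were. That same change is what makes the all-digit 60-character input in the new test fail at once instead of backtracking through every way of splitting it into labels, so it looks intended; if so, say so in the Description and add a test row for a digit-leading label so the stricter behaviour is documented, and if not, restore `\d+\.` and re-check that the digit-only test still returns quickly. Separately, `{1,62}[a-zA-Z0-9]` requires every label to be at least two characters, so `x.example.org` no longer validates; `{0,62}[a-zA-Z0-9]` keeps single-character labels while still forbidding a trailing hyphen, which is what the removed `(?<!-)` was for.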
diff -Nru neutron-2014.1.3/debian/patches/do-not-use-PROTOCOL_SSLv3.patch 
neutron-2014.1.3/debian/patches/do-not-use-PROTOCOL_SSLv3.patch
--- neutron-2014.1.3/debian/patches/do-not-use-PROTOCOL_SSLv3.patch     
1970-01-01 00:00:00.000000000 +0000
+++ neutron-2014.1.3/debian/patches/do-not-use-PROTOCOL_SSLv3.patch     
2014-11-21 10:37:54.000000000 +0000
@@ -0,0 +1,18 @@
+Description: PROTOCOL_SSLv3 is gone from Python in Sid
+ This patch removes its use.
+Author: Thomas Goirand <z...@debian.org>
+Forwarded: no
+Last-Update: 2014-11-21
+
+--- neutron-2014.1.3.orig/neutron/openstack/common/sslutils.py
++++ neutron-2014.1.3/neutron/openstack/common/sslutils.py
+@@ -80,8 +80,7 @@ def wrap(sock):
+ 
+ _SSL_PROTOCOLS = {
+     "tlsv1": ssl.PROTOCOL_TLSv1,
+-    "sslv23": ssl.PROTOCOL_SSLv23,
+-    "sslv3": ssl.PROTOCOL_SSLv3
++    "sslv23": ssl.PROTOCOL_SSLv23
+ }
+ 
+ try:
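Review bot: dropping the `sslv3` key is the right call, but the code that looks a configured name up in `_SSL_PROTOCOLS` is outside this hunk, so check that a deployment still carrying `ssl_version = sslv3` fails at startup with a clear configuration error rather than a bare KeyError, and record the removed value in the changelog. `Forwarded: no` also looks wrong here: nothing in the change is Debian-specific, and any Python build without PROTOCOL_SSLv3 breaks the same way, so either send it to oslo-incubator or note in the header that upstream already carries an equivalent change.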
diff -Nru neutron-2014.1.3/debian/patches/series 
neutron-2014.1.3/debian/patches/series
--- neutron-2014.1.3/debian/patches/series      2014-10-25 08:09:28.000000000 
+0000
+++ neutron-2014.1.3/debian/patches/series      2014-11-21 10:37:54.000000000 
+0000
@@ -5,3 +5,5 @@
 Properly_apply_column_default_in_migration_pool_monitor_status.patch
 #sane-defaults-for-ml2_conf.ini.patch
 #sane-defaults-for-dhcp_agent.ini.patch
+cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch
+do-not-use-PROTOCOL_SSLv3.patch
