On 11/21/2014 05:18 PM, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: important
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Dear release team,
>
> Version 2014.1.3-6 of Neutron includes a fix for CVE-2014-7821: DoS through
> invalid DNS configuration. The fix is really minimal, it's basically a change
> in the regexp that was taking too long to validate input. Debdiff attached.
>
> Please unblock neutron/2014.1.3-6.
>
> Cheers,
>
> Thomas Goirand (zigo)
Hi,

I've added another patch to remove the use of PROTOCOL_SSLv3 in oslo incubator, included in Neutron, since that support is gone from Debian Sid. I'm not sure if Neutron uses that, but I just want to be safe here. I've attached the new debdiff. (Note that all unit tests but one Cisco-related one are passing, just like before...)

Cheers,

Thomas Goirand (zigo)
diff -Nru neutron-2014.1.3/debian/changelog neutron-2014.1.3/debian/changelog --- neutron-2014.1.3/debian/changelog 2014-10-25 08:09:28.000000000 +0000 +++ neutron-2014.1.3/debian/changelog 2014-11-21 10:37:54.000000000 +0000 @@ -1,3 +1,16 @@ +neutron (2014.1.3-7) unstable; urgency=high + + * Add a patch to not use PROTOCOL_SSLv3 which is gone from Python in Sid. + + -- Thomas Goirand <z...@debian.org> Fri, 21 Nov 2014 10:37:07 +0000 + +neutron (2014.1.3-6) unstable; urgency=high + + * CVE-2014-7821: DoS through invalid DNS configuration. Applied upstream + patch: Fix hostname regex pattern (Closes: #770431). + + -- Thomas Goirand <z...@debian.org> Fri, 21 Nov 2014 16:25:18 +0800 + neutron (2014.1.3-5) unstable; urgency=medium * Adds Danish debconf translations thanks to Joe Dalton <joedalt...@yahoo.dk> diff -Nru neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch --- neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch 1970-01-01 00:00:00.000000000 +0000 +++ neutron-2014.1.3/debian/patches/cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch 2014-11-21 10:37:54.000000000 +0000 
@@ -0,0 +1,38 @@ +Description: CVE-2014-7821: Fix hostname regex pattern + Current hostname_pattern regex complexity grows exponentially when given a + string of just digits, which can be exploited to cause neutron-server to + freeze. +Author: John Perkins <john.perk...@rackspace.com> +Origin: upstream, https://review.openstack.org/#/c/135624/ +Date: Mon Oct 6 16:24:57 2014 -0500 +Bug-Debian: https://bugs.debian.org/770431 +Bug-Ubuntu: https://launchpad.net/bugs/1378450 +Last-Update: 2014-11-21 + +Index: neutron/neutron/api/v2/attributes.py +=================================================================== +--- neutron.orig/neutron/api/v2/attributes.py 2014-10-25 16:10:17.000000000 +0800 ++++ neutron/neutron/api/v2/attributes.py 2014-11-21 16:22:21.000000000 +0800 +@@ -537,8 +537,8 @@ + return [data] + + +-HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]" +- "{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)") ++HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+.|-)[a-zA-Z0-9_\-]{1,62}" ++ "[a-zA-Z0-9]\.?)+(?:[a-zA-Z]{2,})$)") + + HEX_ELEM = '[0-9A-Fa-f]' + UUID_PATTERN = '-'.join([HEX_ELEM + '{8}', HEX_ELEM + '{4}', +Index: neutron/neutron/tests/unit/test_attributes.py +=================================================================== +--- neutron.orig/neutron/tests/unit/test_attributes.py 2014-10-25 16:10:17.000000000 +0800 ++++ neutron/neutron/tests/unit/test_attributes.py 2014-11-21 16:22:21.000000000 +0800 +@@ -283,6 +283,7 @@ + ['www.hostname.com', 'www.hostname.com'], + ['77.hostname.com'], + ['1000.0.0.1'], ++ ['111111111111111111111111111111111111111111111111111111111111'], # noqa + None] + + for ns in ns_pools: diff -Nru neutron-2014.1.3/debian/patches/do-not-use-PROTOCOL_SSLv3.patch neutron-2014.1.3/debian/patches/do-not-use-PROTOCOL_SSLv3.patch --- neutron-2014.1.3/debian/patches/do-not-use-PROTOCOL_SSLv3.patch 1970-01-01 00:00:00.000000000 +0000 +++ neutron-2014.1.3/debian/patches/do-not-use-PROTOCOL_SSLv3.patch 2014-11-21 10:37:54.000000000 +0000 
@@ -0,0 +1,18 @@ +Description: PROTOCOL_SSLv3 is gone from Python in Sid + This patch removes its use. +Author: Thomas Goirand <z...@debian.org> +Forwarded: no +Last-Update: 2014-11-21 + +--- neutron-2014.1.3.orig/neutron/openstack/common/sslutils.py ++++ neutron-2014.1.3/neutron/openstack/common/sslutils.py +@@ -80,8 +80,7 @@ def wrap(sock): + + _SSL_PROTOCOLS = { + "tlsv1": ssl.PROTOCOL_TLSv1, +- "sslv23": ssl.PROTOCOL_SSLv23, +- "sslv3": ssl.PROTOCOL_SSLv3 ++ "sslv23": ssl.PROTOCOL_SSLv23 + } + + try: diff -Nru neutron-2014.1.3/debian/patches/series neutron-2014.1.3/debian/patches/series --- neutron-2014.1.3/debian/patches/series 2014-10-25 08:09:28.000000000 +0000 +++ neutron-2014.1.3/debian/patches/series 2014-11-21 10:37:54.000000000 +0000 @@ -5,3 +5,5 @@ Properly_apply_column_default_in_migration_pool_monitor_status.patch #sane-defaults-for-ml2_conf.ini.patch #sane-defaults-for-dhcp_agent.ini.patch +cve-2014-7821_DoS_through_invalid_DNS_configuration_icehouse.patch +do-not-use-PROTOCOL_SSLv3.patch
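Review bot: in the cve-2014-7821 patch, the new lookahead `(?!\d+.|-)` has lost the backslash that `(?!\d+\.|-)` had before the dot, so `\d+.` now matches any digit run followed by any character and a label that merely begins with a digit (e.g. `3com.example.org`) is rejected, not only an all-numeric label followed by a dot; the new `{1,62}[a-zA-Z0-9]` tail additionally requires every label to be at least two characters, so `a.example.org` no longer validates. Note that the unescaped dot is also what stops the blow-up on the all-digit string added to the test (the lookahead fails at the first position, so the `(?:...)+` loop never runs), so restoring `\.` on its own would bring the exponential backtracking back; if the stricter behaviour is unintended, the label-length, all-digit and leading/trailing-hyphen rules are better checked with a split-on-dot loop outside the regex, and either way positive cases such as `3com.example.org` should sit next to the new negative one so the behaviour change is explicit rather than accidental.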
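Review bot: in do-not-use-PROTOCOL_SSLv3.patch, dropping the `"sslv3"` key means a deployment whose configuration still selects it will now fail in the lookup that follows the dict instead of negotiating SSLv3, which is the right outcome but deserves a sentence in the changelog or a NEWS entry so operators know why startup changed; `Forwarded: no` should also become a forward to oslo-incubator, because every consumer of sslutils.py on a Python that no longer exports `ssl.PROTOCOL_SSLv3` raises the same `AttributeError` when the module-level dict is built. Keep in mind that the remaining `"sslv23"` entry (`ssl.PROTOCOL_SSLv23`) is the version-negotiating mode and does not by itself exclude SSLv3 where the underlying OpenSSL still offers it.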
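The regex change the unblock request describes, as an added example that is not part of the debdiff or of Neutron: both `HOSTNAME_PATTERN` variants are copied from the patch (raw-string quoting is mine), compared on short inputs to show what the fix changes, and the old pattern is deliberately never run on the long all-digit string from the test, since that is the pathological input. `hostname_ok` is my own linear-time reading of the rules the pattern is meant to encode, not Neutron code.

```python
import re
from string import ascii_letters, digits

# Patterns exactly as in the debdiff (old = before the CVE-2014-7821 fix, new = after).
HOSTNAME_PATTERN_OLD = (r"(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]"
                        r"{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)")
HOSTNAME_PATTERN_NEW = (r"(?=^.{1,254}$)(^(?:(?!\d+.|-)[a-zA-Z0-9_\-]{1,62}"
                        r"[a-zA-Z0-9]\.?)+(?:[a-zA-Z]{2,})$)")

# Constructed sample: the 60-digit name the patched unit test feeds to the validator.
ALL_DIGITS = "1" * 60

LABEL_CHARS = set(ascii_letters + digits + "_-")


def matches(pattern, name):
    """True if the whole name is accepted by the given regex (anchored like Neutron's)."""
    return re.match(pattern, name) is not None


def hostname_ok(name):
    """Linear-time check of the rules the regex encodes, as I read it (assumption):
    total length 1..254; labels of 1..63 chars from [A-Za-z0-9_-]; no leading or
    trailing '-'; no all-digit label before the last one; final label is 2+ ASCII
    letters. Splitting on '.' first leaves nothing for a backtracking engine to do."""
    if not 1 <= len(name) <= 254:
        return False
    labels = name.split(".")
    for label in labels[:-1]:
        if not 1 <= len(label) <= 63 or not set(label) <= LABEL_CHARS:
            return False
        if label.startswith("-") or label.endswith("-") or label.isdigit():
            return False
    tld = labels[-1]
    return len(tld) >= 2 and all(c in ascii_letters for c in tld)


def compare(name):
    """Return (old_regex, new_regex, linear) verdicts for one name; old_regex is
    None for the all-digit input because that is exactly the input that hangs it."""
    old = None if name.isdigit() else matches(HOSTNAME_PATTERN_OLD, name)
    return old, matches(HOSTNAME_PATTERN_NEW, name), hostname_ok(name)


if __name__ == "__main__":
    for n in ["www.hostname.com", "77.hostname.com", "3com.example.org",
              "a.example.org", "host-.com", ALL_DIGITS]:
        print(n[:20].ljust(20), compare(n))
```

The new pattern rejects the all-digit input instantly only because its unescaped `.` makes the lookahead fail at position 0; the same run shows it also now rejects `3com.example.org` and `a.example.org`, which the old pattern accepted.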