author | Matthew Thode <prometheanfire@gentoo.org> | 2014-07-17 09:17:53 +0000 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2014-07-17 09:17:53 +0000 |
commit | 92eef243ee8a8e6fbb08505599a04bb187f55d0e (patch) | |
tree | 46b852851824a32ffab9decd3497b180a810f9fb /sys-cluster/neutron | |
parent | Stable for amd64 wrt bug #507408 (diff) | |
fix for CVE-2014-3555
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-cluster/neutron')
-rw-r--r-- | sys-cluster/neutron/ChangeLog | 6 | ||||
-rw-r--r-- | sys-cluster/neutron/files/neutron-2014.1.1-CVE-2014-3555.patch | 92 | ||||
-rw-r--r-- | sys-cluster/neutron/neutron-2014.1.1.ebuild | 7 |
3 files changed, 101 insertions, 4 deletions
diff --git a/sys-cluster/neutron/ChangeLog b/sys-cluster/neutron/ChangeLog index 1bde83eca61b..9d27e155a193 100644 --- a/sys-cluster/neutron/ChangeLog +++ b/sys-cluster/neutron/ChangeLog @@ -1,6 +1,10 @@ # ChangeLog for sys-cluster/neutron # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.35 2014/07/13 03:40:50 idella4 Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.36 2014/07/17 09:17:53 prometheanfire Exp $ + + 17 Jul 2014; Matthew Thode <prometheanfire@gentoo.org> + +files/neutron-2014.1.1-CVE-2014-3555.patch, neutron-2014.1.1.ebuild: + fix for CVE-2014-3555 13 Jul 2014; Ian Delaney <idella4@gentoo.org> neutron-2014.1.1.ebuild, neutron-2014.1.9999.ebuild, neutron-9999.ebuild: diff --git a/sys-cluster/neutron/files/neutron-2014.1.1-CVE-2014-3555.patch b/sys-cluster/neutron/files/neutron-2014.1.1-CVE-2014-3555.patch new file mode 100644 index 000000000000..14f05f5af75a --- /dev/null +++ b/sys-cluster/neutron/files/neutron-2014.1.1-CVE-2014-3555.patch 
@@ -0,0 +1,92 @@
+diff --git a/neutron/extensions/allowedaddresspairs.py b/neutron/extensions/allowedaddresspairs.py
+index 96512f3..1283da4 100644
+--- a/neutron/extensions/allowedaddresspairs.py
++++ b/neutron/extensions/allowedaddresspairs.py
+@@ -16,6 +16,15 @@ import webob.exc
+
+ from neutron.api.v2 import attributes as attr
+ from neutron.common import exceptions as nexception
++from oslo.config import cfg
++
++allowed_address_pair_opts = [
++ #TODO(limao): use quota framework when it support quota for attributes
++ cfg.IntOpt('max_allowed_address_pair', default=10,
++ help=_("Maximum number of allowed address pairs")),
++]
++
++cfg.CONF.register_opts(allowed_address_pair_opts)
+
+
+ class AllowedAddressPairsMissingIP(nexception.InvalidInput):
+@@ -36,8 +45,17 @@ class AddressPairMatchesPortFixedIPAndMac(nexception.InvalidInput):
+ message = _("Port's Fixed IP and Mac Address match an address pair entry.")
+
+
++class AllowedAddressPairExhausted(nexception.BadRequest):
++ message = _("The number of allowed address pair "
++ "exceeds the maximum %(quota)s.")
++
++
+ def _validate_allowed_address_pairs(address_pairs, valid_values=None):
+ unique_check = {}
++ if len(address_pairs) > cfg.CONF.max_allowed_address_pair:
++ raise AllowedAddressPairExhausted(
++ quota=cfg.CONF.max_allowed_address_pair)
++
+ for address_pair in address_pairs:
+ # mac_address is optional, if not set we use the mac on the port
+ if 'mac_address' in address_pair:
+diff --git a/neutron/tests/unit/test_extension_allowedaddresspairs.py b/neutron/tests/unit/test_extension_allowedaddresspairs.py
+index 826768f..70eb1e3 100644
+--- a/neutron/tests/unit/test_extension_allowedaddresspairs.py
++++ b/neutron/tests/unit/test_extension_allowedaddresspairs.py
+@@ -22,6 +22,7 @@ from neutron.extensions import allowedaddresspairs as addr_pair
+ from neutron.extensions import portsecurity as psec
+ from neutron.manager import NeutronManager
+ from neutron.tests.unit import test_db_plugin
++from oslo.config import cfg
+
+ DB_PLUGIN_KLASS = ('neutron.tests.unit.test_extension_allowedaddresspairs.'
+ 'AllowedAddressPairTestPlugin')
+@@ -163,6 +164,28 @@ class TestAllowedAddressPairs(AllowedAddressPairDBTestCase):
+ 'ip_address': '10.0.0.1'}]
+ self._create_port_with_address_pairs(address_pairs, 400)
+
++ def test_more_than_max_allowed_address_pair(self):
++ cfg.CONF.set_default('max_allowed_address_pair', 3)
++ address_pairs = [{'mac_address': '00:00:00:00:00:01',
++ 'ip_address': '10.0.0.1'},
++ {'mac_address': '00:00:00:00:00:02',
++ 'ip_address': '10.0.0.2'},
++ {'mac_address': '00:00:00:00:00:03',
++ 'ip_address': '10.0.0.3'},
++ {'mac_address': '00:00:00:00:00:04',
++ 'ip_address': '10.0.0.4'}]
++ self._create_port_with_address_pairs(address_pairs, 400)
++
++ def test_equal_to_max_allowed_address_pair(self):
++ cfg.CONF.set_default('max_allowed_address_pair', 3)
++ address_pairs = [{'mac_address': '00:00:00:00:00:01',
++ 'ip_address': '10.0.0.1'},
++ {'mac_address': '00:00:00:00:00:02',
++ 'ip_address': '10.0.0.2'},
++ {'mac_address': '00:00:00:00:00:03',
++ 'ip_address': '10.0.0.3'}]
++ self._create_port_with_address_pairs(address_pairs, 201)
++
+ def test_create_port_extra_args(self):
+ address_pairs = [{'mac_address': '00:00:00:00:00:01',
+ 'ip_address': '10.0.0.1',
+@@ -174,8 +197,10 @@ class TestAllowedAddressPairs(AllowedAddressPairDBTestCase):
+ res = self._create_port(self.fmt, net['network']['id'],
+ arg_list=(addr_pair.ADDRESS_PAIRS,),
+ allowed_address_pairs=address_pairs)
+- self.deserialize(self.fmt, res)
++ port = self.deserialize(self.fmt, res)
+ self.assertEqual(res.status_int, ret_code)
++ if ret_code == 201:
++ self._delete('ports', port['port']['id'])
+
+ def test_update_add_address_pairs(self):
+ with self.network() as net:
+
diff --git a/sys-cluster/neutron/neutron-2014.1.1.ebuild b/sys-cluster/neutron/neutron-2014.1.1.ebuild
index e95f06f9a702..79284d28d3d5 100644
--- a/sys-cluster/neutron/neutron-2014.1.1.ebuild
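Review bot: In `_validate_allowed_address_pairs` the new `len(address_pairs)` comparison runs before anything visible in this hunk confirms the value is a list, so a request whose `allowed_address_pairs` is a number or null would presumably raise TypeError and come back as a 500 rather than a 400 (the rest of the function lies outside the hunk, so confirm no earlier conversion rejects it). A guard ahead of the limit check keeps malformed input on the 400 path: `if not isinstance(address_pairs, list): raise webob.exc.HTTPBadRequest(_("Allowed address pairs must be a list."))`. The help string for `max_allowed_address_pair` should also say the cap is applied per port, since the total number of pairs a tenant can create presumably still scales with their port quota. In the tests, `cfg.CONF.set_default('max_allowed_address_pair', 3)` is never restored in the visible lines; unless the base test case resets CONF, later tests inherit the lowered limit.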
+++ b/sys-cluster/neutron/neutron-2014.1.1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.1.1.ebuild,v 1.3 2014/07/13 03:40:50 idella4 Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.1.1.ebuild,v 1.4 2014/07/17 09:17:53 prometheanfire Exp $ EAPI=5 PYTHON_COMPAT=( python2_7 ) @@ -54,7 +54,8 @@ RDEPEND="dev-python/paste[${PYTHON_USEDEP}] >=dev-python/python-neutronclient-2.3.4[${PYTHON_USEDEP}] <=dev-python/python-neutronclient-3.0.0[${PYTHON_USEDEP}] >=dev-python/sqlalchemy-0.7.8[${PYTHON_USEDEP}] - <=dev-python/sqlalchemy-0.7.99[${PYTHON_USEDEP}] + !~dev-python/sqlalchemy-0.9.5[${PYTHON_USEDEP}] + <=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}] mysql? ( dev-python/mysql-python[${PYTHON_USEDEP}] ) postgres? ( >=dev-python/psycopg-2[${PYTHON_USEDEP}] ) sqlite? ( dev-db/sqlite ) @@ -73,7 +74,7 @@ RDEPEND="dev-python/paste[${PYTHON_USEDEP}] PATCHES=( "${FILESDIR}/sphinx_mapping.patch" - "${FILESDIR}/"2014.1-CVE-2014-4167.patch + "${FILESDIR}/neutron-2014.1.1-CVE-2014-3555.patch" ) pkg_setup() { |
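Review bot: The PATCHES hunk swaps `"${FILESDIR}/"2014.1-CVE-2014-4167.patch` for the CVE-2014-3555 patch instead of appending to the array, so this build no longer applies the CVE-2014-4167 fix. If the 2014.1.1 tarball already carries that fix the removal is correct, but nothing in the commit says so; a one-line comment above the array such as `# CVE-2014-4167 is included upstream in 2014.1.1` (once verified) would record it. The patch is also added to the existing neutron-2014.1.1.ebuild with no revision bump visible in the diffstat, so machines that already installed 2014.1.1 will presumably not be rebuilt by a normal update and keep the unpatched code. The RDEPEND hunk's sqlalchemy change (upper bound raised to 0.9.99, 0.9.5 blocked) is unrelated to the CVE and is not mentioned in the commit message or ChangeLog entry.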