author | 2013-05-10 04:11:00 +0000 | |
---|---|---|
committer | 2013-05-10 04:11:00 +0000 | |
commit | a606bc0d2fcf01045bdee09e5d8e272679756e4b (patch) | |
tree | 96b0aa62e795d3aa84de4cd924c9555fa37b2e96 /sys-cluster/nova/files | |
parent | Adding DOCTYPE to metadata (diff) | |
fix for nova folsom for CVE-2013-2030
(Portage version: 2.1.11.55/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-cluster/nova/files')
-rw-r--r-- | sys-cluster/nova/files/nova-folsom-4-CVE-2013-2030.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2030.patch b/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2030.patch new file mode 100644 index 000000000000..a862cb8e477d --- /dev/null +++ b/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2030.patch @@ -0,0 +1,36 @@ +From 74aa04e2ca7942cb1e1a86dcbaffeb72d260ccd7 Mon Sep 17 00:00:00 2001 +From: Russell Bryant <rbryant@redhat.com> +Date: Wed, 1 May 2013 09:41:57 -0400 +Subject: [PATCH] Remove insecure default for signing_dir option. + +The sample api-paste.ini file included an insecure value for the +signing_dir option for the keystone authtoken middleware. Comment out +the option so that we just rely on the default behavior by default. + +Fix bug 1174608. + +Conflicts: + etc/nova/api-paste.ini + +Change-Id: I6189788953d789c34456bbe150b8ed6ce6f68403 +(cherry picked from commit 58d6879b1caaa750c39c8e452a0634c24ffef2ce) +--- + etc/nova/api-paste.ini | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/etc/nova/api-paste.ini b/etc/nova/api-paste.ini +index 3970974..95307b2 100644 +--- a/etc/nova/api-paste.ini ++++ b/etc/nova/api-paste.ini +@@ -124,4 +124,7 @@ auth_protocol = http + admin_tenant_name = %SERVICE_TENANT_NAME% + admin_user = %SERVICE_USER% + admin_password = %SERVICE_PASSWORD% +-signing_dir = /tmp/keystone-signing-nova ++# signing_dir is configurable, but the default behavior of the authtoken ++# middleware should be sufficient. It will create a temporary directory ++# in the home directory for the user the nova process is running as. ++#signing_dir = /var/lib/nova/keystone-signing +-- +1.8.1.5 + |
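Review bot: the commented-out example `#signing_dir = /var/lib/nova/keystone-signing` at the end of the `etc/nova/api-paste.ini` hunk says nothing about ownership or permissions, so an operator who uncomments it has no indication of what made the removed `signing_dir = /tmp/keystone-signing-nova` value insecure or how to avoid repeating it. Suggest extending the added comment with one line stating that the directory must be owned by the user the nova process runs as and must not be writable by other users. Separately, the hunk only changes the sample file, so an already installed api-paste.ini that still carries the `/tmp/keystone-signing-nova` value is left as it is; a note telling users to check their existing configuration for that line would close the gap.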