authorMatthew Thode <prometheanfire@gentoo.org>2014-05-14 06:01:28 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2014-05-14 06:01:28 +0000
commitb1782b3c3da3b6f8e566eb6b8b0d73cc5a6be8ba (patch)
tree399b5a685b1763f9d49c830600fcd54fc1069768 /sys-cluster
parentBump for 2.0.12 and 2.2.3 (diff)
fixing a CVE and failed patch
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-cluster')
-rw-r--r--sys-cluster/neutron/ChangeLog12
-rw-r--r--sys-cluster/neutron/files/2013.2.3-CVE-2014-0187.patch257
-rw-r--r--sys-cluster/neutron/files/2014.1-CVE-2014-0187.patch255
-rw-r--r--sys-cluster/neutron/neutron-2013.2.3-r1.ebuild (renamed from sys-cluster/neutron/neutron-2013.2.3.ebuild)5
-rw-r--r--sys-cluster/neutron/neutron-2014.1-r2.ebuild (renamed from sys-cluster/neutron/neutron-2014.1-r1.ebuild)3
-rw-r--r--sys-cluster/neutron/neutron-2014.1.9999.ebuild5
-rw-r--r--sys-cluster/neutron/neutron-2014.1.ebuild154
7 files changed, 530 insertions, 161 deletions
diff --git a/sys-cluster/neutron/ChangeLog b/sys-cluster/neutron/ChangeLog
index b17454f0725b..0d98d5322d30 100644
--- a/sys-cluster/neutron/ChangeLog
+++ b/sys-cluster/neutron/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sys-cluster/neutron
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.30 2014/05/11 13:03:16 vadimk Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.31 2014/05/14 06:01:28 prometheanfire Exp $
+
+*neutron-2014.1-r2 (14 May 2014)
+*neutron-2013.2.3-r1 (14 May 2014)
+
+ 14 May 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/2013.2.3-CVE-2014-0187.patch, +files/2014.1-CVE-2014-0187.patch,
+ +neutron-2013.2.3-r1.ebuild, +neutron-2014.1-r2.ebuild,
+ -neutron-2013.2.3.ebuild, -neutron-2014.1-r1.ebuild, -neutron-2014.1.ebuild,
+ neutron-2014.1.9999.ebuild:
+ fixing a CVE and failed patch
*neutron-2014.1-r1 (11 May 2014)
diff --git a/sys-cluster/neutron/files/2013.2.3-CVE-2014-0187.patch b/sys-cluster/neutron/files/2013.2.3-CVE-2014-0187.patch
new file mode 100644
index 000000000000..182b709e1e1b
--- /dev/null
+++ b/sys-cluster/neutron/files/2013.2.3-CVE-2014-0187.patch
@@ -0,0 +1,257 @@
+From 03eed8cd34cd4fb043c11fc99f6bb0b4fbd5728d Mon Sep 17 00:00:00 2001
+From: marios <marios@redhat.com>
+Date: Fri, 29 Nov 2013 18:23:54 +0200
+Subject: [PATCH] Validate CIDR given as ip-prefix in
+ security-group-rule-create
+
+There was no validation for the provided ip prefix. This just adds
+a simple parse using netaddr and explodes with appropriate message.
+Also makes sure ip prefix _is_ cidr (192.168.1.1-->192.168.1.1/32).
+
+Validation occurs at the attribute level (API model) as well as at
+the db level, where the ethertype is validated against the ip_prefix
+address type.
+
+Unit test cases added - bad prefix, unmasked prefix and incorrect
+ethertype. Also adds attribute test cases for the added
+convert_ip_prefix_to_cidr method
+
+Closes-Bug: 1255338
+
+Conflicts:
+ neutron/tests/unit/test_security_groups_rpc.py
+ neutron/tests/unit/test_extension_security_group.py
+
+Change-Id: I71fb8c887963a122a5bd8cfdda800026c1cd3954
+(cherry picked from commit 65aa92b0348b7ab8413f359b00825610cdf66607)
+---
+ neutron/common/exceptions.py | 4 +
+ neutron/db/securitygroups_db.py | 20 +++++
+ neutron/extensions/securitygroup.py | 18 ++++-
+ .../tests/unit/test_extension_security_group.py | 86 ++++++++++++++++++++++
+ 4 files changed, 127 insertions(+), 1 deletion(-)
+
+diff --git a/neutron/common/exceptions.py b/neutron/common/exceptions.py
+index 88fa6e4..80a75d1 100644
+--- a/neutron/common/exceptions.py
++++ b/neutron/common/exceptions.py
+@@ -306,3 +306,7 @@ class NetworkVxlanPortRangeError(object):
+ class DeviceIDNotOwnedByTenant(Conflict):
+ message = _("The following device_id %(device_id)s is not owned by your "
+ "tenant or matches another tenants router.")
++
++
++class InvalidCIDR(BadRequest):
++ message = _("Invalid CIDR %(input)s given as IP prefix")
+diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py
+index 2a7d2ef..8868546 100644
+--- a/neutron/db/securitygroups_db.py
++++ b/neutron/db/securitygroups_db.py
+@@ -16,6 +16,7 @@
+ #
+ # @author: Aaron Rosen, Nicira, Inc
+
++import netaddr
+ import sqlalchemy as sa
+ from sqlalchemy import orm
+ from sqlalchemy.orm import exc
+@@ -331,6 +332,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
+ new_rules.add(rule['security_group_id'])
+
+ self._validate_port_range(rule)
++ self._validate_ip_prefix(rule)
+
+ if rule['remote_ip_prefix'] and rule['remote_group_id']:
+ raise ext_sg.SecurityGroupRemoteGroupAndRemoteIpPrefix()
+@@ -411,6 +413,24 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
+ if (i['security_group_rule'] == db_rule):
+ raise ext_sg.SecurityGroupRuleExists(id=id)
+
++ def _validate_ip_prefix(self, rule):
++ """Check that a valid cidr was specified as remote_ip_prefix
++
++ No need to check that it is in fact an IP address as this is already
++ validated by attribute validators.
++ Check that rule ethertype is consistent with remote_ip_prefix ip type.
++ Add mask to ip_prefix if absent (192.168.1.10 -> 192.168.1.10/32).
++ """
++ input_prefix = rule['remote_ip_prefix']
++ if input_prefix:
++ addr = netaddr.IPNetwork(input_prefix)
++ # set input_prefix to always include the netmask:
++ rule['remote_ip_prefix'] = str(addr)
++ # check consistency of ethertype with addr version
++ if rule['ethertype'] != "IPv%d" % (addr.version):
++ raise ext_sg.SecurityGroupRuleParameterConflict(
++ ethertype=rule['ethertype'], cidr=input_prefix)
++
+ def get_security_group_rules(self, context, filters=None, fields=None,
+ sorts=None, limit=None, marker=None,
+ page_reverse=False):
+diff --git a/neutron/extensions/securitygroup.py b/neutron/extensions/securitygroup.py
+index 85d499a..3d10b5a 100644
+--- a/neutron/extensions/securitygroup.py
++++ b/neutron/extensions/securitygroup.py
+@@ -17,6 +17,7 @@
+
+ from abc import ABCMeta
+ from abc import abstractmethod
++import netaddr
+
+ from oslo.config import cfg
+
+@@ -102,6 +103,10 @@ class SecurityGroupRuleExists(qexception.InUse):
+ message = _("Security group rule already exists. Group id is %(id)s.")
+
+
++class SecurityGroupRuleParameterConflict(qexception.InvalidInput):
++ message = _("Conflicting value ethertype %(ethertype)s for CIDR %(cidr)s")
++
++
+ def convert_protocol(value):
+ if value is None:
+ return
+@@ -152,6 +157,16 @@ def convert_to_uuid_list_or_none(value_list):
+ return value_list
+
+
++def convert_ip_prefix_to_cidr(ip_prefix):
++ if not ip_prefix:
++ return
++ try:
++ cidr = netaddr.IPNetwork(ip_prefix)
++ return str(cidr)
++ except (TypeError, netaddr.AddrFormatError):
++ raise qexception.InvalidCIDR(input=ip_prefix)
++
++
+ def _validate_name_not_default(data, valid_values=None):
+ if data == "default":
+ raise SecurityGroupDefaultAlreadyExists()
+@@ -207,7 +222,8 @@ RESOURCE_ATTRIBUTE_MAP = {
+ 'convert_to': convert_ethertype_to_case_insensitive,
+ 'validate': {'type:values': sg_supported_ethertypes}},
+ 'remote_ip_prefix': {'allow_post': True, 'allow_put': False,
+- 'default': None, 'is_visible': True},
++ 'default': None, 'is_visible': True,
++ 'convert_to': convert_ip_prefix_to_cidr},
+ 'tenant_id': {'allow_post': True, 'allow_put': False,
+ 'required_by_policy': True,
+ 'is_visible': True},
+diff --git a/neutron/tests/unit/test_extension_security_group.py b/neutron/tests/unit/test_extension_security_group.py
+index d53e140..f0b1636 100644
+--- a/neutron/tests/unit/test_extension_security_group.py
++++ b/neutron/tests/unit/test_extension_security_group.py
+@@ -21,11 +21,13 @@ import webob.exc
+
+ from neutron.api.v2 import attributes as attr
+ from neutron.common import constants as const
++from neutron.common import exceptions as n_exc
+ from neutron.common.test_lib import test_config
+ from neutron import context
+ from neutron.db import db_base_plugin_v2
+ from neutron.db import securitygroups_db
+ from neutron.extensions import securitygroup as ext_sg
++from neutron.tests import base
+ from neutron.tests.unit import test_db_plugin
+
+ DB_PLUGIN_KLASS = ('neutron.tests.unit.test_extension_security_group.'
+@@ -413,6 +415,70 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
+ self.deserialize(self.fmt, res)
+ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code)
+
++ def test_create_security_group_rule_invalid_ip_prefix(self):
++ name = 'webservers'
++ description = 'my webservers'
++ for bad_prefix in ['bad_ip', 256, "2001:db8:a::123/129", '172.30./24']:
++ with self.security_group(name, description) as sg:
++ sg_id = sg['security_group']['id']
++ remote_ip_prefix = bad_prefix
++ rule = self._build_security_group_rule(
++ sg_id,
++ 'ingress',
++ const.PROTO_NAME_TCP,
++ '22', '22',
++ remote_ip_prefix)
++ res = self._create_security_group_rule(self.fmt, rule)
++ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code)
++
++ def test_create_security_group_rule_invalid_ethertype_for_prefix(self):
++ name = 'webservers'
++ description = 'my webservers'
++ test_addr = {'192.168.1.1/24': 'ipv4', '192.168.1.1/24': 'IPv6',
++ '2001:db8:1234::/48': 'ipv6',
++ '2001:db8:1234::/48': 'IPv4'}
++ for prefix, ether in test_addr.iteritems():
++ with self.security_group(name, description) as sg:
++ sg_id = sg['security_group']['id']
++ ethertype = ether
++ remote_ip_prefix = prefix
++ rule = self._build_security_group_rule(
++ sg_id,
++ 'ingress',
++ const.PROTO_NAME_TCP,
++ '22', '22',
++ remote_ip_prefix,
++ None,
++ None,
++ ethertype)
++ res = self._create_security_group_rule(self.fmt, rule)
++ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code)
++
++ def test_create_security_group_rule_with_unmasked_prefix(self):
++ name = 'webservers'
++ description = 'my webservers'
++ addr = {'10.1.2.3': {'mask': '32', 'ethertype': 'IPv4'},
++ 'fe80::2677:3ff:fe7d:4c': {'mask': '128', 'ethertype': 'IPv6'}}
++ for ip in addr:
++ with self.security_group(name, description) as sg:
++ sg_id = sg['security_group']['id']
++ ethertype = addr[ip]['ethertype']
++ remote_ip_prefix = ip
++ rule = self._build_security_group_rule(
++ sg_id,
++ 'ingress',
++ const.PROTO_NAME_TCP,
++ '22', '22',
++ remote_ip_prefix,
++ None,
++ None,
++ ethertype)
++ res = self._create_security_group_rule(self.fmt, rule)
++ self.assertEqual(res.status_int, 201)
++ res_sg = self.deserialize(self.fmt, res)
++ prefix = res_sg['security_group_rule']['remote_ip_prefix']
++ self.assertEqual(prefix, '%s/%s' % (ip, addr[ip]['mask']))
++
+ def test_create_security_group_rule_tcp_protocol_as_number(self):
+ name = 'webservers'
+ description = 'my webservers'
+@@ -1348,5 +1414,25 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
+ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code)
+
+
++class TestConvertIPPrefixToCIDR(base.BaseTestCase):
++
++ def test_convert_bad_ip_prefix_to_cidr(self):
++ for val in ['bad_ip', 256, "2001:db8:a::123/129"]:
++ self.assertRaises(n_exc.InvalidCIDR,
++ ext_sg.convert_ip_prefix_to_cidr, val)
++ self.assertIsNone(ext_sg.convert_ip_prefix_to_cidr(None))
++
++ def test_convert_ip_prefix_no_netmask_to_cidr(self):
++ addr = {'10.1.2.3': '32', 'fe80::2677:3ff:fe7d:4c': '128'}
++ for k, v in addr.iteritems():
++ self.assertEqual(ext_sg.convert_ip_prefix_to_cidr(k),
++ '%s/%s' % (k, v))
++
++ def test_convert_ip_prefix_with_netmask_to_cidr(self):
++ addresses = ['10.1.0.0/16', '10.1.2.3/32', '2001:db8:1234::/48']
++ for addr in addresses:
++ self.assertEqual(ext_sg.convert_ip_prefix_to_cidr(addr), addr)
++
++
+ class TestSecurityGroupsXML(TestSecurityGroups):
+ fmt = 'xml'
+--
+1.8.5.5 \ No newline at end of file
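Review bot: `_validate_ip_prefix` in neutron/db/securitygroups_db.py calls `netaddr.IPNetwork(input_prefix)` with no exception handling and relies, per its docstring, on the API-layer `convert_to` hook having already rejected malformed prefixes. A caller that reaches this mixin without passing through the attribute map would presumably get a raw `netaddr.AddrFormatError` rather than a 400, so I would guard the parse with `except (TypeError, netaddr.AddrFormatError):` and raise the new `InvalidCIDR` there as well, mirroring `convert_ip_prefix_to_cidr` (whether neutron.common.exceptions is already imported in that module is not visible in the hunk). Separately, the `test_addr` dict literal in `test_create_security_group_rule_invalid_ethertype_for_prefix` repeats both keys, so only the `'IPv6'` and `'IPv4'` entries survive and the lowercase pairs are never run; a list of `(prefix, ethertype)` tuples would exercise all four. The same embedded patch is added as files/2014.1-CVE-2014-0187.patch, and both remarks apply there too.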
diff --git a/sys-cluster/neutron/files/2014.1-CVE-2014-0187.patch b/sys-cluster/neutron/files/2014.1-CVE-2014-0187.patch
new file mode 100644
index 000000000000..8a723aebc645
--- /dev/null
+++ b/sys-cluster/neutron/files/2014.1-CVE-2014-0187.patch
@@ -0,0 +1,255 @@
+From 68a24e5f908412b83ca7c3f2d2d2014678e79570 Mon Sep 17 00:00:00 2001
+From: marios <marios@redhat.com>
+Date: Fri, 29 Nov 2013 18:23:54 +0200
+Subject: [PATCH] Validate CIDR given as ip-prefix in
+ security-group-rule-create
+
+There was no validation for the provided ip prefix. This just adds
+a simple parse using netaddr and explodes with appropriate message.
+Also makes sure ip prefix _is_ cidr (192.168.1.1-->192.168.1.1/32).
+
+Validation occurs at the attribute level (API model) as well as at
+the db level, where the ethertype is validated against the ip_prefix
+address type.
+
+Unit test cases added - bad prefix, unmasked prefix and incorrect
+ethertype. Also adds attribute test cases for the added
+convert_ip_prefix_to_cidr method
+
+Closes-Bug: 1255338
+
+Conflicts:
+ neutron/tests/unit/test_security_groups_rpc.py
+
+Change-Id: I71fb8c887963a122a5bd8cfdda800026c1cd3954
+(cherry picked from commit 65aa92b0348b7ab8413f359b00825610cdf66607)
+---
+ neutron/common/exceptions.py | 4 +
+ neutron/db/securitygroups_db.py | 20 +++++
+ neutron/extensions/securitygroup.py | 18 ++++-
+ .../tests/unit/test_extension_security_group.py | 86 ++++++++++++++++++++++
+ 4 files changed, 127 insertions(+), 1 deletion(-)
+
+diff --git a/neutron/common/exceptions.py b/neutron/common/exceptions.py
+index bfd267e..e81b4af 100644
+--- a/neutron/common/exceptions.py
++++ b/neutron/common/exceptions.py
+@@ -319,3 +319,7 @@ class DuplicatedExtension(NeutronException):
+ class DeviceIDNotOwnedByTenant(Conflict):
+ message = _("The following device_id %(device_id)s is not owned by your "
+ "tenant or matches another tenants router.")
++
++
++class InvalidCIDR(BadRequest):
++ message = _("Invalid CIDR %(input)s given as IP prefix")
+diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py
+index 882a43d..de464d6 100644
+--- a/neutron/db/securitygroups_db.py
++++ b/neutron/db/securitygroups_db.py
+@@ -12,6 +12,7 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import netaddr
+ import sqlalchemy as sa
+ from sqlalchemy import orm
+ from sqlalchemy.orm import exc
+@@ -327,6 +328,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
+ new_rules.add(rule['security_group_id'])
+
+ self._validate_port_range(rule)
++ self._validate_ip_prefix(rule)
+
+ if rule['remote_ip_prefix'] and rule['remote_group_id']:
+ raise ext_sg.SecurityGroupRemoteGroupAndRemoteIpPrefix()
+@@ -407,6 +409,24 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
+ if (i['security_group_rule'] == db_rule):
+ raise ext_sg.SecurityGroupRuleExists(id=id)
+
++ def _validate_ip_prefix(self, rule):
++ """Check that a valid cidr was specified as remote_ip_prefix
++
++ No need to check that it is in fact an IP address as this is already
++ validated by attribute validators.
++ Check that rule ethertype is consistent with remote_ip_prefix ip type.
++ Add mask to ip_prefix if absent (192.168.1.10 -> 192.168.1.10/32).
++ """
++ input_prefix = rule['remote_ip_prefix']
++ if input_prefix:
++ addr = netaddr.IPNetwork(input_prefix)
++ # set input_prefix to always include the netmask:
++ rule['remote_ip_prefix'] = str(addr)
++ # check consistency of ethertype with addr version
++ if rule['ethertype'] != "IPv%d" % (addr.version):
++ raise ext_sg.SecurityGroupRuleParameterConflict(
++ ethertype=rule['ethertype'], cidr=input_prefix)
++
+ def get_security_group_rules(self, context, filters=None, fields=None,
+ sorts=None, limit=None, marker=None,
+ page_reverse=False):
+diff --git a/neutron/extensions/securitygroup.py b/neutron/extensions/securitygroup.py
+index ad2960f..637dbe3 100644
+--- a/neutron/extensions/securitygroup.py
++++ b/neutron/extensions/securitygroup.py
+@@ -17,6 +17,7 @@
+
+ from abc import ABCMeta
+ from abc import abstractmethod
++import netaddr
+
+ from oslo.config import cfg
+ import six
+@@ -103,6 +104,10 @@ class SecurityGroupRuleExists(qexception.InUse):
+ message = _("Security group rule already exists. Group id is %(id)s.")
+
+
++class SecurityGroupRuleParameterConflict(qexception.InvalidInput):
++ message = _("Conflicting value ethertype %(ethertype)s for CIDR %(cidr)s")
++
++
+ def convert_protocol(value):
+ if value is None:
+ return
+@@ -153,6 +158,16 @@ def convert_to_uuid_list_or_none(value_list):
+ return value_list
+
+
++def convert_ip_prefix_to_cidr(ip_prefix):
++ if not ip_prefix:
++ return
++ try:
++ cidr = netaddr.IPNetwork(ip_prefix)
++ return str(cidr)
++ except (TypeError, netaddr.AddrFormatError):
++ raise qexception.InvalidCIDR(input=ip_prefix)
++
++
+ def _validate_name_not_default(data, valid_values=None):
+ if data == "default":
+ raise SecurityGroupDefaultAlreadyExists()
+@@ -208,7 +223,8 @@ RESOURCE_ATTRIBUTE_MAP = {
+ 'convert_to': convert_ethertype_to_case_insensitive,
+ 'validate': {'type:values': sg_supported_ethertypes}},
+ 'remote_ip_prefix': {'allow_post': True, 'allow_put': False,
+- 'default': None, 'is_visible': True},
++ 'default': None, 'is_visible': True,
++ 'convert_to': convert_ip_prefix_to_cidr},
+ 'tenant_id': {'allow_post': True, 'allow_put': False,
+ 'required_by_policy': True,
+ 'is_visible': True},
+diff --git a/neutron/tests/unit/test_extension_security_group.py b/neutron/tests/unit/test_extension_security_group.py
+index 1881d8c..6de9e2a 100644
+--- a/neutron/tests/unit/test_extension_security_group.py
++++ b/neutron/tests/unit/test_extension_security_group.py
+@@ -21,10 +21,12 @@ import webob.exc
+
+ from neutron.api.v2 import attributes as attr
+ from neutron.common import constants as const
++from neutron.common import exceptions as n_exc
+ from neutron import context
+ from neutron.db import db_base_plugin_v2
+ from neutron.db import securitygroups_db
+ from neutron.extensions import securitygroup as ext_sg
++from neutron.tests import base
+ from neutron.tests.unit import test_db_plugin
+
+ DB_PLUGIN_KLASS = ('neutron.tests.unit.test_extension_security_group.'
+@@ -404,6 +406,70 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
+ self.deserialize(self.fmt, res)
+ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code)
+
++ def test_create_security_group_rule_invalid_ip_prefix(self):
++ name = 'webservers'
++ description = 'my webservers'
++ for bad_prefix in ['bad_ip', 256, "2001:db8:a::123/129", '172.30./24']:
++ with self.security_group(name, description) as sg:
++ sg_id = sg['security_group']['id']
++ remote_ip_prefix = bad_prefix
++ rule = self._build_security_group_rule(
++ sg_id,
++ 'ingress',
++ const.PROTO_NAME_TCP,
++ '22', '22',
++ remote_ip_prefix)
++ res = self._create_security_group_rule(self.fmt, rule)
++ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code)
++
++ def test_create_security_group_rule_invalid_ethertype_for_prefix(self):
++ name = 'webservers'
++ description = 'my webservers'
++ test_addr = {'192.168.1.1/24': 'ipv4', '192.168.1.1/24': 'IPv6',
++ '2001:db8:1234::/48': 'ipv6',
++ '2001:db8:1234::/48': 'IPv4'}
++ for prefix, ether in test_addr.iteritems():
++ with self.security_group(name, description) as sg:
++ sg_id = sg['security_group']['id']
++ ethertype = ether
++ remote_ip_prefix = prefix
++ rule = self._build_security_group_rule(
++ sg_id,
++ 'ingress',
++ const.PROTO_NAME_TCP,
++ '22', '22',
++ remote_ip_prefix,
++ None,
++ None,
++ ethertype)
++ res = self._create_security_group_rule(self.fmt, rule)
++ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code)
++
++ def test_create_security_group_rule_with_unmasked_prefix(self):
++ name = 'webservers'
++ description = 'my webservers'
++ addr = {'10.1.2.3': {'mask': '32', 'ethertype': 'IPv4'},
++ 'fe80::2677:3ff:fe7d:4c': {'mask': '128', 'ethertype': 'IPv6'}}
++ for ip in addr:
++ with self.security_group(name, description) as sg:
++ sg_id = sg['security_group']['id']
++ ethertype = addr[ip]['ethertype']
++ remote_ip_prefix = ip
++ rule = self._build_security_group_rule(
++ sg_id,
++ 'ingress',
++ const.PROTO_NAME_TCP,
++ '22', '22',
++ remote_ip_prefix,
++ None,
++ None,
++ ethertype)
++ res = self._create_security_group_rule(self.fmt, rule)
++ self.assertEqual(res.status_int, 201)
++ res_sg = self.deserialize(self.fmt, res)
++ prefix = res_sg['security_group_rule']['remote_ip_prefix']
++ self.assertEqual(prefix, '%s/%s' % (ip, addr[ip]['mask']))
++
+ def test_create_security_group_rule_tcp_protocol_as_number(self):
+ name = 'webservers'
+ description = 'my webservers'
+@@ -1335,5 +1401,25 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
+ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code)
+
+
++class TestConvertIPPrefixToCIDR(base.BaseTestCase):
++
++ def test_convert_bad_ip_prefix_to_cidr(self):
++ for val in ['bad_ip', 256, "2001:db8:a::123/129"]:
++ self.assertRaises(n_exc.InvalidCIDR,
++ ext_sg.convert_ip_prefix_to_cidr, val)
++ self.assertIsNone(ext_sg.convert_ip_prefix_to_cidr(None))
++
++ def test_convert_ip_prefix_no_netmask_to_cidr(self):
++ addr = {'10.1.2.3': '32', 'fe80::2677:3ff:fe7d:4c': '128'}
++ for k, v in addr.iteritems():
++ self.assertEqual(ext_sg.convert_ip_prefix_to_cidr(k),
++ '%s/%s' % (k, v))
++
++ def test_convert_ip_prefix_with_netmask_to_cidr(self):
++ addresses = ['10.1.0.0/16', '10.1.2.3/32', '2001:db8:1234::/48']
++ for addr in addresses:
++ self.assertEqual(ext_sg.convert_ip_prefix_to_cidr(addr), addr)
++
++
+ class TestSecurityGroupsXML(TestSecurityGroups):
+ fmt = 'xml'
+--
+1.8.5.5 \ No newline at end of file
diff --git a/sys-cluster/neutron/neutron-2013.2.3.ebuild b/sys-cluster/neutron/neutron-2013.2.3-r1.ebuild
index 35ac4ee31c4f..663ff9cbf2f9 100644
--- a/sys-cluster/neutron/neutron-2013.2.3.ebuild
+++ b/sys-cluster/neutron/neutron-2013.2.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2013.2.3.ebuild,v 1.1 2014/04/06 06:22:16 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2013.2.3-r1.ebuild,v 1.1 2014/05/14 06:01:28 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -76,7 +76,8 @@ RDEPEND="dev-python/paste[${PYTHON_USEDEP}]
dhcp? ( net-dns/dnsmasq[dhcp-tools] )"
PATCHES=( "${FILESDIR}/sphinx_mapping.patch"
- "${FILESDIR}/nicira.patch" )
+ "${FILESDIR}/nicira.patch"
+ "${FILESDIR}/2013.2.3-CVE-2014-0187.patch" )
pkg_setup() {
enewgroup neutron
diff --git a/sys-cluster/neutron/neutron-2014.1-r1.ebuild b/sys-cluster/neutron/neutron-2014.1-r2.ebuild
index e402a1778d3c..6173f1663058 100644
--- a/sys-cluster/neutron/neutron-2014.1-r1.ebuild
+++ b/sys-cluster/neutron/neutron-2014.1-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.1-r1.ebuild,v 1.1 2014/05/11 13:03:16 vadimk Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.1-r2.ebuild,v 1.1 2014/05/14 06:01:28 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -74,6 +74,7 @@ RDEPEND="dev-python/paste[${PYTHON_USEDEP}]
PATCHES=(
"${FILESDIR}/sphinx_mapping.patch"
+ "${FILESDIR}/2014.1-CVE-2014-0187.patch"
)
pkg_setup() {
diff --git a/sys-cluster/neutron/neutron-2014.1.9999.ebuild b/sys-cluster/neutron/neutron-2014.1.9999.ebuild
index 2f19bc976d19..534730d3d0eb 100644
--- a/sys-cluster/neutron/neutron-2014.1.9999.ebuild
+++ b/sys-cluster/neutron/neutron-2014.1.9999.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.1.9999.ebuild,v 1.1 2014/04/28 02:59:13 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.1.9999.ebuild,v 1.2 2014/05/14 06:01:28 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -74,8 +74,7 @@ RDEPEND="dev-python/paste[${PYTHON_USEDEP}]
openvswitch? ( net-misc/openvswitch )
dhcp? ( net-dns/dnsmasq[dhcp-tools] )"
-PATCHES=( "${FILESDIR}/sphinx_mapping.patch"
- "${FILESDIR}/nicira.patch" )
+PATCHES=( "${FILESDIR}/sphinx_mapping.patch" )
pkg_setup() {
enewgroup neutron
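Review bot: The live ebuild's `PATCHES` in this hunk loses `nicira.patch` but gains no CVE-2014-0187 patch, and nothing in the file says why. Presumably the branch that 2014.1.9999 tracks already carries the upstream fix, but that is not verifiable from this commit. A one-line comment above `PATCHES`, such as `# CVE-2014-0187 fix is already in the tracked branch; no local patch needed`, would record that once it has been confirmed. The ebuild continues outside the hunk.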
diff --git a/sys-cluster/neutron/neutron-2014.1.ebuild b/sys-cluster/neutron/neutron-2014.1.ebuild
deleted file mode 100644
index 05d3e25d2020..000000000000
--- a/sys-cluster/neutron/neutron-2014.1.ebuild
+++ /dev/null
@@ -1,154 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.1.ebuild,v 1.1 2014/04/28 02:59:13 prometheanfire Exp $
-
-EAPI=5
-PYTHON_COMPAT=( python2_7 )
-
-inherit distutils-r1 user
-
-DESCRIPTION="A virtual network service for Openstack."
-HOMEPAGE="https://launchpad.net/neutron"
-SRC_URI="http://launchpad.net/${PN}/icehouse/${PV}/+download/${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="+dhcp doc +l3 +metadata +openvswitch +server test sqlite mysql postgres"
-REQUIRED_USE="|| ( mysql postgres sqlite )"
-
-#the cliff dep is as below because it depends on pyparsing, which only has 2.7 OR 3.2, not both
-DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
- >=dev-python/pbr-0.6[${PYTHON_USEDEP}]
- <dev-python/pbr-1.0[${PYTHON_USEDEP}]
- app-admin/sudo
- test? ( >=dev-python/hacking-0.8.0[${PYTHON_USEDEP}]
- <dev-python/hacking-0.9[${PYTHON_USEDEP}]
- >=dev-python/cliff-1.4.3[${PYTHON_USEDEP}]
- >=dev-python/coverage-3.6[${PYTHON_USEDEP}]
- >=dev-python/fixtures-0.3.14[${PYTHON_USEDEP}]
- >=dev-python/mock-1.0[${PYTHON_USEDEP}]
- >=dev-python/subunit-0.0.18[${PYTHON_USEDEP}]
- >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
- <dev-python/sphinx-1.2[${PYTHON_USEDEP}]
- >=dev-python/testrepository-0.0.18[${PYTHON_USEDEP}]
- >=dev-python/testtools-0.9.34[${PYTHON_USEDEP}]
- >=dev-python/webtest-2.0[${PYTHON_USEDEP}]
- dev-python/configobj[${PYTHON_USEDEP}] )"
-
-RDEPEND="dev-python/paste[${PYTHON_USEDEP}]
- >=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
- >=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
- >=dev-python/amqplib-0.6.1-r1[${PYTHON_USEDEP}]
- >=dev-python/anyjson-0.3.3[${PYTHON_USEDEP}]
- virtual/python-argparse[${PYTHON_USEDEP}]
- >=dev-python/Babel-1.3[${PYTHON_USEDEP}]
- >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
- >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
- >=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]
- >=dev-python/requests-1.1[${PYTHON_USEDEP}]
- >=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}]
- dev-python/jsonrpclib[${PYTHON_USEDEP}]
- dev-python/jinja[${PYTHON_USEDEP}]
- >=dev-python/kombu-2.4.8[${PYTHON_USEDEP}]
- >=dev-python/netaddr-0.7.6[${PYTHON_USEDEP}]
- >=dev-python/python-neutronclient-2.3.4[${PYTHON_USEDEP}]
- <=dev-python/python-neutronclient-3.0.0[${PYTHON_USEDEP}]
- sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.9.99[sqlite,${PYTHON_USEDEP}] )
- mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.9.99[mysql,${PYTHON_USEDEP}] )
- postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.9.99[postgres,${PYTHON_USEDEP}] )
- >=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
- >=dev-python/python-keystoneclient-0.7.0[${PYTHON_USEDEP}]
- >=dev-python/alembic-0.4.1[${PYTHON_USEDEP}]
- >=dev-python/six-1.5.2[${PYTHON_USEDEP}]
- >=dev-python/stevedore-0.14[${PYTHON_USEDEP}]
- >=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
- dev-python/oslo-rootwrap[${PYTHON_USEDEP}]
- >=dev-python/python-novaclient-2.17.0[${PYTHON_USEDEP}]
- dev-python/pyudev[${PYTHON_USEDEP}]
- sys-apps/iproute2
- openvswitch? ( net-misc/openvswitch )
- dhcp? ( net-dns/dnsmasq[dhcp-tools] )"
-
-PATCHES=( "${FILESDIR}/sphinx_mapping.patch"
- "${FILESDIR}/nicira.patch" )
-
-pkg_setup() {
- enewgroup neutron
- enewuser neutron -1 -1 /var/lib/neutron neutron
-}
-
-pkg_config() {
- fperms 0700 /var/log/neutron
- fowners neutron:neutron /var/log neutron
-}
-
-src_prepare() {
- #it's /bin/ip not /sbin/ip
- sed -i 's/sbin\/ip\,/bin\/ip\,/g' etc/neutron/rootwrap.d/*
- distutils-r1_src_prepare
-}
-
-python_compile_all() {
- use doc && make -C doc html
-}
-
-python_test() {
- # https://bugs.launchpad.net/neutron/+bug/1234857
- # https://bugs.launchpad.net/swift/+bug/1249727
- # https://bugs.launchpad.net/neutron/+bug/1251657
- # turn multiprocessing off, testr will use it --parallel
- local DISTUTILS_NO_PARALLEL_BUILD=1
- # Move tests out that attempt net connection, have failures
- mv $(find . -name test_ovs_tunnel.py) . || die
- sed -e 's:test_app_using_ipv6_and_ssl:_&:' \
- -e 's:test_start_random_port_with_ipv6:_&:' \
- -i neutron/tests/unit/test_wsgi.py || die
- testr init
- testr run --parallel || die "failed testsuite under python2.7"
-}
-
-python_install() {
- distutils-r1_python_install
- newconfd "${FILESDIR}/neutron-confd" "neutron"
- newinitd "${FILESDIR}/neutron-initd" "neutron"
-
- use server && dosym /etc/init.d/neutron /etc/init.d/neutron-server
- use dhcp && dosym /etc/init.d/neutron /etc/init.d/neutron-dhcp-agent
- use l3 && dosym /etc/init.d/neutron /etc/init.d/neutron-l3-agent
- use metadata && dosym /etc/init.d/neutron /etc/init.d/neutron-metadata-agent
- use openvswitch && dosym /etc/init.d/neutron /etc/init.d/neutron-openvswitch-agent
-
- diropts -m 750
- dodir /var/log/neutron /var/log/neutron
- fowners neutron:neutron /var/log/neutron
- keepdir /etc/neutron
- insinto /etc/neutron
-
- doins "etc/api-paste.ini"
- doins "etc/dhcp_agent.ini"
- doins "etc/l3_agent.ini"
- doins "etc/policy.json"
- doins "etc/neutron.conf"
- doins "etc/rootwrap.conf"
- insinto /etc
- doins -r "etc/neutron/"
-
- #remove the etc stuff from usr...
- rm -R "${D}/usr/etc/"
-
- insinto "/usr/lib64/python2.7/site-packages/neutron/db/migration/alembic_migrations/"
- doins -r "neutron/db/migration/alembic_migrations/versions"
-
- #add sudoers definitions for user neutron
- insinto /etc/sudoers.d/
- doins "${FILESDIR}/neutron-sudoers"
-}
-
-python_install_all() {
- use doc && local HTML_DOCS=( doc/build/html/. )
- distutils-r1_python_install_all
-}