author | Matt Thode <prometheanfire@gentoo.org> | 2013-12-13 20:47:48 +0000 |
committer | Matt Thode <prometheanfire@gentoo.org> | 2013-12-13 20:47:48 +0000 |
commit | fa4ff6073a96f73a38241bdccb218706b62be237 (patch) | |
tree | f7d784529533dacbfffb0191aa18acd22ed5f69e /sys-cluster/neutron | |
parent | Require automake-1.12. Bug #493996 thanks to piruthiviraj natarajan <piruthiv... (diff) | |
neutron fix for CVE-2013-6419
Package-Manager: portage-2.2.7/cvs/Linux x86_64
Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-cluster/neutron')
-rw-r--r-- | sys-cluster/neutron/ChangeLog | 11 | ||||
-rw-r--r-- | sys-cluster/neutron/Manifest | 26 | ||||
-rw-r--r-- | sys-cluster/neutron/files/CVE-2013-6419_2013.1.4.patch | 218 | ||||
-rw-r--r-- | sys-cluster/neutron/files/CVE-2013-6419_2013.2.patch | 295 | ||||
-rw-r--r-- | sys-cluster/neutron/neutron-2013.1.4-r1.ebuild (renamed from sys-cluster/neutron/neutron-2013.1.4.ebuild) | 4 | ||||
-rw-r--r-- | sys-cluster/neutron/neutron-2013.2-r2.ebuild (renamed from sys-cluster/neutron/neutron-2013.2-r1.ebuild) | 9 |
6 files changed, 550 insertions, 13 deletions
diff --git a/sys-cluster/neutron/ChangeLog b/sys-cluster/neutron/ChangeLog
index 65ff4ef10e75..229a40d5f22a 100644
--- a/sys-cluster/neutron/ChangeLog
+++ b/sys-cluster/neutron/ChangeLog
@@ -1,6 +1,15 @@
 # ChangeLog for sys-cluster/neutron
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.18 2013/11/22 04:38:40 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.19 2013/12/13 20:47:39 prometheanfire Exp $
+
+*neutron-2013.1.4-r1 (13 Dec 2013)
+*neutron-2013.2-r2 (13 Dec 2013)
+
+ 13 Dec 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/CVE-2013-6419_2013.1.4.patch, +files/CVE-2013-6419_2013.2.patch,
+ +neutron-2013.1.4-r1.ebuild, +neutron-2013.2-r2.ebuild,
+ -neutron-2013.1.4.ebuild, -neutron-2013.2-r1.ebuild:
+ neutron fix for CVE-2013-6419
 *neutron-2013.2-r1 (22 Nov 2013)
diff --git a/sys-cluster/neutron/Manifest b/sys-cluster/neutron/Manifest
index 296869b18bbc..36228242656b 100644
--- a/sys-cluster/neutron/Manifest
+++ b/sys-cluster/neutron/Manifest
@@ -1,6 +1,8 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256
+AUX CVE-2013-6419_2013.1.4.patch 9432 SHA256 23d2d1f739a51b1d1826a5e74238d5d6876ef727687d534f7ec4e2a0ddacda2f SHA512 6e096037eac9c3b73ebeda7683db00a96336cff68db771409a9f8ffff6b772a35ccf16b078ac231662fdd3cc3c2b9ee35b17788a26272d23701fbcea3dbe57b5 WHIRLPOOL ae0868f4e068e030eb5922532c7508363ff83bde7e92693659e701fe285f4335a46386cdc2d9a4b38a33b6553b307e228d346c5bf678209a137e201954a30882
+AUX CVE-2013-6419_2013.2.patch 11822 SHA256 574680ad3e25cf9933325fee93fcd8ba8923445bb6b88d36f9ed7834dcc4cc09 SHA512 fc073aafc05d2a1f533610748409ea3fb7524c344e10b98f1c413416a34a0e4a52b81f133b214072009e1bebb09cdd4993b0a4366f1596c98c3a92ca185f74c8 WHIRLPOOL 78425a3230110ac353639a127f57f92650a0d56005a84aca0e8c8c707eed5bbc574a71c7146ebc073dbc7488193c461846eca68fc77f6b84b58e6ecbfa0e0b10
 AUX neutron-2013.2-json-tests.patch 4178 SHA256 d4ffa978eccc09f8061432aacc9e64b72feb9b74ef19f1b5421b54ef2c1d03d8 SHA512 919d4deb82803e9426fbcc0f51933f93c6bdaa486fb9427986567360b6a86bc59f340fe3b797ba88bd916a89cdfc11e07da5ec48cd4ff9ab59dcd418fc179243 WHIRLPOOL 35cff6e57678e5162b1e3d8603d560569bc17b1298d8e204ceac8402bbc68d0539f0d38eba7656918450fe5fd013a337a1d287f50698f995c3f26a01c9efd494
 AUX neutron-2013.2-nicira.patch 5757 SHA256 62484fa9d817feee1edc0a51ea1eeca068406f8f76e34c845b85ea51664e20d6 SHA512 f160a36f78d9a1186e19cdfb4f97b17e39e1a6f3e20bcaf84e76e71c632b0a6e8af89645d507f2c6f60a9f7d09a741302d476731c2fc798dfa999aaf38f1e273 WHIRLPOOL b7b5e0618caa8c6acc65f46c315d81b427810f3d6b1e89b48fc79567717c90a2e81e091d532ea192ac68ad432374fb9debe79d7b2c0a5a82d7d8cec8ca64f50e
 AUX neutron-2013.2-sphinx_mapping.patch 835 SHA256 f4745338474c9191ba386f81705cc8c9a6effb09116c65664654eb733d081252 SHA512 988236676ef0550ca96cc05e606d43280969e89b31971244ece89d63cdcbcbcfd3ac595adca03a6308996ef58ebc4f75b0dfd65a938ad7c3fb67fb785e09f8c9 WHIRLPOOL 6154ee51ecd63040d9a6c2058f369a7243c719cbda3f73484d55ea9425a5c9982d3921d91d152aa27c61c5635d74f2afa57ff1b5aaa10b1be1e7c1475ff74e5f
@@ -11,18 +13,28 @@ AUX neutron-initd-2 1610 SHA256 f81c0269b6f602c3557d034ca94445da640bc7b2a59050db
 AUX neutron-sudoers 88 SHA256 bb631691e67d9ddc405fd1f6a23b066120ecebfbf3a48bca752e82aa8224922b SHA512 c6a87ad7047604caf1c5d66ff1f44e9f1a289cbaaf2031ffc6bf8c705fd439db2afaa8d5858746f8539beac84945886bbbc347be0ba85e7446ea7451bb81f027 WHIRLPOOL cbcb5da9b6c7629741a076767aadad9d849462005526dde7fad76fe93285724361839b64d28aa3f0ed7dafaa35b110765b759b3f6b525a52cad5abfe6679ef1c
 DIST neutron-2013.2.tar.gz 4385581 SHA256 3ebfa6e8a6790e8b55604712a5e467ded7d76b2b713bf9d830f958b399d78ecc SHA512 bb4122ecdce3703e2b19e813241cfa285fc86a7cd4cf1f65d9d797c1c4b04f1e153a4116ba43aa86909e98cfec82aab1f6b36be03fb29089e4815a5189a2b27a WHIRLPOOL fac6fed0e5313c80e548afa82bc64c9e6a989a0e9708ed32aef5172a10ad0545e4941dd8452279976ba674271fa67a32d66db9fdb89ee25acdcd40ed821036a9
 DIST quantum-2013.1.4.tar.gz 1178442 SHA256 3bd26ae7dabe6093a3cbe701ac8d7022fbdbe1d8231ab1c6866de388684e272c SHA512 48ce3aa8467eefe4ef07b03dee293c7eae1800736abadd56d0bf7b559506044bea3fefba0dac6fb20783f808baada70c52ebc388137ae80b41271dcde824243d WHIRLPOOL a5456fe6fb48192a4f4d97c85b7b235093f549965b36971802302998de7d8ed76fd7f393a659371b8057aafcc4594ac246159663dfcdb5251c786eeede6d66fd
-EBUILD neutron-2013.1.4.ebuild 4573 SHA256 1d9e681f2f074e12c28590912aeb312c91170274b6ea8f2454e379426dfbaf6e SHA512 599a16e39992a7256fcbc43cc50f39e7c78970a26b9df735e82d5fb4fb14ba89d8f9a53119ca3c5aee277dad501f84ba2c73df6a13f0d05934058f167b79c886 WHIRLPOOL 0d586adee734d9bcd2575d3e86a013e8e4888f35b32623b0f2ff569c88453088a460606a31bb4f42f43a2722c80a3d7af76b4fd7d9d00b3519ce6125fa028668
+EBUILD neutron-2013.1.4-r1.ebuild 4632 SHA256 6fb9be2223fb1456f4087393eb91b9be12c0dea998898d5f4069c3f60b278efc SHA512 8831b5aeecf0584468ce7e2ee58d6b9f13b143289063010dd64ab80aa16858f1a71be968235883fdf822040ea768a3d8cc77b6e5bc1cee706765b4eb3f165c8a WHIRLPOOL 2c00f954919409bf92acf2ec0834fd2c7c3891ff266202aeeb2a6f0a4d71fc01173427a87fe7e11fe30a41f12f9b014ca517fe6a32fb36ef55fe13a6a8e0d432
 EBUILD neutron-2013.1.9999.ebuild 4477 SHA256 d6f042d111485e21b95d48663a70f3a92cf66560eeca98c46c03a50623276b00 SHA512 a2f757629575ae392cd622de5dc1cda7ba9cf5484ed89ce54819a0bdf863946f5c83a6cf9a1434465fa170f443b6b31ad881c06cfd07c9e201e6ce3ee7959915 WHIRLPOOL 308614fc319fa89c00ba902a3620a986f72be8fe13a4e17c36436ac792fac13430bc49e648a27cc8d0c2b0049bbc11507535a691d38ac3594a2ed0b895e86100
-EBUILD neutron-2013.2-r1.ebuild 5662 SHA256 1c9f91116858b8c5a5e6aa235979ff9b6c6edddaede65e670ba5a49d9af430b6 SHA512 c268978243fc52802e7826e8d56212f06b022b1f695667be8949be89124ec65b0c16226529ef95caab3a5fd697a5d89b013f3dfd63dfa6a9e4b104e411363cdd WHIRLPOOL a6c99a9fda654d3215448e27cd845a020b1dbd5759c3ca0878fdff4a7cfc22e503bb8a24e90bf7b0e6a91a18f17c7346ac25a6349da881fec86f9d37218bdcb4
+EBUILD neutron-2013.2-r2.ebuild 5708 SHA256 5cf06f68b32c25144dcae96cc857a4d9a21025e02427d197595c0e6ac66db0a6 SHA512 23183bfa1d7b45469d7fd0344eb1e85327e90c3e74d5c777e18c5b5ffde583fdcacaa642fdf99350c34aab8ba2d1b82d193ec28f8718b76e16d67134d513021c WHIRLPOOL 8d6574a717ecc474ff2d08729c94285b8646378e0842215355a37b4a61a63feaa7b2f4f929ebfbf10fb26f439f6115773f898ef2d52096f1aab4288c97947699
 EBUILD neutron-2013.2.9999.ebuild 5359 SHA256 040a8b27c49a5cb2dfaedd2f6f195bf0ab48b18c6c9fdc1c102166e52f484f83 SHA512 e589b30521a48e6a576eee3f24143cf8e9650e7797734cfa53c68e9beb5c84d27fb525c5219228f6805cc84c5abd27e1ccd34ddad9f53dc0159d107eaa411a5e WHIRLPOOL 935ee2cbd09b60df7bcd3e89ef79f4f64c1ab182c29f3a1800a74961b08f1c4708e75cc59ecf8d7981e86441eceabba02945bd7b9a6ee8aeabaa60e6d2c59918
 EBUILD neutron-2013.2.ebuild 4731 SHA256 01b3061bc4c7e010689bc6afe4eec2667ada9779366998079ff8ecf733c920e5 SHA512 0d722b0fd4a262bc616ab8cac10a555fbe6d57035055fb645e1d40d99b6b52cb51f16e0cb71e769cbd98d4a74b720fe63f6e6d9366ced5f4f61e34ba27cc87cd WHIRLPOOL 1f997cf307c90f54d02685f2601c63d5cd908b1d96b9bbc5710ed89bfabf883caea9b3686db71d55f375e90cf92cdc8e244730ea5251894e4ec30be046df2f7f
 EBUILD neutron-9999.ebuild 4405 SHA256 572e72f812240221e000c890bb4fb1c7d7f8d75b894f8fe92459cebc2bf535c5 SHA512 e4eb4b1b01de3faf6a503988888e653fc1410254de48a2ef8cf466488d555cc4b9f1af214cd9ac3dfd9e12bc15cf2a3d88025f950c7426e6cb4fcda88ad40152 WHIRLPOOL 92603532008dc57cfc4bdda69bb9b21f15cbd19c9c96232553f83eae3b12c56b6476f494ed1565e8e41d7c51c80e21a09cd07cdb5a5f11db8ef8c59cf75d1c56
-MISC ChangeLog 7964 SHA256 f0e53ac3522fd58697e25366fb8be841b72fba49cb1222c9556f5b208658a579 SHA512 4ddf93d9fd0d9d12e9ca3f1702a9310895c0fcc4a4ac9d4929d6dd44154d32930cb502f8f979cff395a18303aa99e56e1468ab41906a7ecc7b036c00bcd9ad73 WHIRLPOOL 18ab12fe18e83d0ac84361f0a2c295ef2c1e60c90cc39dd8296edb76adb528ba4f4785530ba88be986703ef7ffa3e43964e28a4b3bb4fcfc4507ed8b0581749c
+MISC ChangeLog 8317 SHA256 85e0139f3dd7406fa4d98c15e55a23776fe80ffe21afb06efa0e95092471ca36 SHA512 bfeecf1dd2f2bd8d29182750fd7ce502f7072662665887f516377c8a61904775fae2054bac35c61cb5e5ff460fab14f88f7ef26b929cd9fccf398e5384d3f07c WHIRLPOOL 540308162f61af83ce56e419ebc5168c2ec88c630f3ba7fbbbbe07064a90e80f329f3aac22e14e50300530a162a85b8bdd55dddf32688cdcc6829f12797c1596
 MISC metadata.xml 1175 SHA256 95ceaccefb744f80032d97a4cc13c43c13d7e4116d6810d5779df5be3ebe11ce SHA512 74a46511f82bef78397bfaef2901606c6f468f532bbd7112fc8196b69362a4666fafbda8023a281514ada958cd2b4ba567f11dfa071d0b76bc94e456d96ed287 WHIRLPOOL 783aa30c05484b68b2a8f1ebcfd39294a21731cfa9587c0e1cd07ff291416d10912066e23c0572ac63a125f9836374c73b91775858c863abb0779eb13356ca11
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.19 (GNU/Linux)
+Version: GnuPG v2.0.22 (GNU/Linux)
-iEYEAREIAAYFAlKO3+QACgkQso7CE7gHKw0O+QCcCbp2O6okxlrsxS62rQio3kJF
-YmgAoME4dZCFGlHezklA+2YvHyirPzzF
-=1k27
+iQIcBAEBCAAGBQJSq3J1AAoJECRx6z5ArFrDwRUP+QH38qKQIkZa7+ZVw8n60gS8
+LLUoMoBZM17SqXJ4+0TbdnOLBAyph2VRFoLRhOZwYmRoIKcZEycB6tJ5WoWGlnt8
+FwjLUJ3Xu7rPqPguqBYnbMkkgGsorqVQMn+axKIeWxBjC87rNr8tFOEMc6mFt0jq
+N7YxZhxhhrOdlslxfDe0gvg+8SNeBCVYFg6DpVAaqhpgDCpsiKsUxgReyJcUvF7h
+yIPg38GUuPuxF9mg0iQ5INzpYFkwJ4Oa2QRw+foOyDPhQBYmSQzVVwW6rWYXQuEw
+ZR/AnKlMEwivCTQLbBlZ0JgCpSlM3jBOiI26397lAWjU3IJ/vzOkHk/nvRDvIJ+w
+xGR8nzTox7Mh32zC6ZFpzVbGGz757M1Xfk2HBKGNzzvu4eaVxWmBAPyMnfoc7BxM
+YRXiWxLcq9PL7TCVzh+1Lup9B6RPpfBrSFaSBRvIPhNeniYUSRP8HuD21xW9Owvn
+5OoJWaF6ZQzTr7jXXfhnm3lXA8vHKz2Tm9gB4twOXzzxg+Rc0XUeI128Aa4H4rWC
+bPq8hytdIf+F0yJuH34XMJSb3ulNl2sIrtqkDN4bOjgYXq66mCjB23wjidw004k6
+smlKbmEw8W1Dm8v38NKLHnPLT+XPI2w1Zqlf5J2h05PBFht7eQCGSHFwv/qBEwEL
+ZRVXq8Xfth9KS06+5vjK
+=6k5I
 -----END PGP SIGNATURE-----
diff --git a/sys-cluster/neutron/files/CVE-2013-6419_2013.1.4.patch b/sys-cluster/neutron/files/CVE-2013-6419_2013.1.4.patch
new file mode 100644
index 000000000000..abb8e5f83794
--- /dev/null
+++ b/sys-cluster/neutron/files/CVE-2013-6419_2013.1.4.patch
@@ -0,0 +1,218 @@ +commit 933a88e49428f0fbdeb78695279b0a4ce3715b12 +Author: Aaron Rosen <arosen@nicira.com> +Date: Mon Oct 7 15:34:38 2013 -0700 + + Add X-Tenant-ID to metadata request + + Previously, one could update a port's device_id to be that of another tenant's + instance_id and then be able to retrieve that instance's metadata. In order + to prevent this X-Tenant-ID is now passed in the metadata request to nova and + nova then checks that X-Tenant-ID also matches the tenant_id for the instance + against it's database to ensure it's not being spoofed. + + DocImpact - When upgrading OpenStack nova and neturon, neutron should be + updated first (and neutron-metadata-agent restarted before nova is + upgraded) in order to minimize downtime. This is because there is + also a patch to nova which has checks X-Tenant-ID against it's + database therefore neutron-metadata-agent needs to pass that + before nova is upgraded for metadata to work. + + Fixes bug: 1235450 + + Conflicts: + + quantum/agent/metadata/agent.py + +diff --git a/quantum/agent/metadata/agent.py b/quantum/agent/metadata/agent.py +index 7bdfae8..e1abe93 100644 +--- a/quantum/agent/metadata/agent.py ++++ b/quantum/agent/metadata/agent.py +@@ -83,9 +83,9 @@ class MetadataProxyHandler(object): + try: + LOG.debug(_("Request: %s"), req) + +- instance_id = self._get_instance_id(req) ++ instance_id, tenant_id = self._get_instance_and_tenant_id(req) + if instance_id: +- return self._proxy_request(instance_id, req) ++ return self._proxy_request(instance_id, tenant_id, req) + else: + return webob.exc.HTTPNotFound() + +@@ -95,7 +95,7 @@ class MetadataProxyHandler(object): + 'Please try your request again.') + return webob.exc.HTTPInternalServerError(explanation=unicode(msg)) + +- def _get_instance_id(self, req): ++ def _get_instance_and_tenant_id(self, req): + qclient = self._get_quantum_client() + + remote_address = req.headers.get('X-Forwarded-For') +@@ -116,12 +116,14 @@ class MetadataProxyHandler(object): + 
fixed_ips=['ip_address=%s' % remote_address])['ports'] + + if len(ports) == 1: +- return ports[0]['device_id'] ++ return ports[0]['device_id'], ports[0]['tenant_id'] ++ return None, None + +- def _proxy_request(self, instance_id, req): ++ def _proxy_request(self, instance_id, tenant_id, req): + headers = { + 'X-Forwarded-For': req.headers.get('X-Forwarded-For'), + 'X-Instance-ID': instance_id, ++ 'X-Tenant-ID': tenant_id, + 'X-Instance-ID-Signature': self._sign_instance_id(instance_id) + } + +diff --git a/quantum/tests/unit/test_metadata_agent.py b/quantum/tests/unit/test_metadata_agent.py +index c81a237..0e74bcb 100644 +--- a/quantum/tests/unit/test_metadata_agent.py ++++ b/quantum/tests/unit/test_metadata_agent.py +@@ -54,8 +54,9 @@ class TestMetadataProxyHandler(base.BaseTestCase): + + def test_call(self): + req = mock.Mock() +- with mock.patch.object(self.handler, '_get_instance_id') as get_id: +- get_id.return_value = 'id' ++ with mock.patch.object(self.handler, ++ '_get_instance_and_tenant_id') as get_ids: ++ get_ids.return_value = ('instance_id', 'tenant_id') + with mock.patch.object(self.handler, '_proxy_request') as proxy: + proxy.return_value = 'value' + +@@ -64,21 +65,23 @@ class TestMetadataProxyHandler(base.BaseTestCase): + + def test_call_no_instance_match(self): + req = mock.Mock() +- with mock.patch.object(self.handler, '_get_instance_id') as get_id: +- get_id.return_value = None ++ with mock.patch.object(self.handler, ++ '_get_instance_and_tenant_id') as get_ids: ++ get_ids.return_value = None, None + retval = self.handler(req) + self.assertIsInstance(retval, webob.exc.HTTPNotFound) + + def test_call_internal_server_error(self): + req = mock.Mock() +- with mock.patch.object(self.handler, '_get_instance_id') as get_id: +- get_id.side_effect = Exception ++ with mock.patch.object(self.handler, ++ '_get_instance_and_tenant_id') as get_ids: ++ get_ids.side_effect = Exception + retval = self.handler(req) + self.assertIsInstance(retval, 
webob.exc.HTTPInternalServerError) + self.assertEqual(len(self.log.mock_calls), 2) + +- def _get_instance_id_helper(self, headers, list_ports_retval, +- networks=None, router_id=None): ++ def _get_instance_and_tenant_id_helper(self, headers, list_ports_retval, ++ networks=None, router_id=None): + headers['X-Forwarded-For'] = '192.168.1.1' + req = mock.Mock(headers=headers) + +@@ -86,8 +89,7 @@ class TestMetadataProxyHandler(base.BaseTestCase): + return {'ports': list_ports_retval.pop(0)} + + self.qclient.return_value.list_ports.side_effect = mock_list_ports +- retval = self.handler._get_instance_id(req) +- ++ instance_id, tenant_id = self.handler._get_instance_and_tenant_id(req) + expected = [ + mock.call( + username=FakeConf.admin_user, +@@ -114,7 +116,7 @@ class TestMetadataProxyHandler(base.BaseTestCase): + + self.qclient.assert_has_calls(expected) + +- return retval ++ return (instance_id, tenant_id) + + def test_get_instance_id_router_id(self): + router_id = 'the_id' +@@ -125,13 +127,14 @@ class TestMetadataProxyHandler(base.BaseTestCase): + networks = ['net1', 'net2'] + ports = [ + [{'network_id': 'net1'}, {'network_id': 'net2'}], +- [{'device_id': 'device_id'}] ++ [{'device_id': 'device_id', 'tenant_id': 'tenant_id'}] + ] + + self.assertEqual( +- self._get_instance_id_helper(headers, ports, networks=networks, +- router_id=router_id), +- 'device_id' ++ self._get_instance_and_tenant_id_helper(headers, ports, ++ networks=networks, ++ router_id=router_id), ++ ('device_id', 'tenant_id') + ) + + def test_get_instance_id_router_id_no_match(self): +@@ -145,10 +148,11 @@ class TestMetadataProxyHandler(base.BaseTestCase): + [{'network_id': 'net1'}, {'network_id': 'net2'}], + [] + ] +- +- self.assertIsNone( +- self._get_instance_id_helper(headers, ports, networks=networks, +- router_id=router_id), ++ self.assertEqual( ++ self._get_instance_and_tenant_id_helper(headers, ports, ++ networks=networks, ++ router_id=router_id), ++ (None, None) + ) + + def 
test_get_instance_id_network_id(self): +@@ -158,12 +162,14 @@ class TestMetadataProxyHandler(base.BaseTestCase): + } + + ports = [ +- [{'device_id': 'device_id'}] ++ [{'device_id': 'device_id', ++ 'tenant_id': 'tenant_id'}] + ] + + self.assertEqual( +- self._get_instance_id_helper(headers, ports, networks=['the_id']), +- 'device_id' ++ self._get_instance_and_tenant_id_helper(headers, ports, ++ networks=['the_id']), ++ ('device_id', 'tenant_id') + ) + + def test_get_instance_id_network_id_no_match(self): +@@ -174,8 +180,10 @@ class TestMetadataProxyHandler(base.BaseTestCase): + + ports = [[]] + +- self.assertIsNone( +- self._get_instance_id_helper(headers, ports, networks=['the_id']) ++ self.assertEqual( ++ self._get_instance_and_tenant_id_helper(headers, ports, ++ networks=['the_id']), ++ (None, None) + ) + + def _proxy_request_test_helper(self, response_code=200, method='GET'): +@@ -190,7 +198,8 @@ class TestMetadataProxyHandler(base.BaseTestCase): + with mock.patch('httplib2.Http') as mock_http: + mock_http.return_value.request.return_value = (resp, 'content') + +- retval = self.handler._proxy_request('the_id', req) ++ retval = self.handler._proxy_request('the_id', 'tenant_id', ++ req) + mock_http.assert_has_calls([ + mock.call().request( + 'http://9.9.9.9:8775/the_path', +@@ -198,7 +207,8 @@ class TestMetadataProxyHandler(base.BaseTestCase): + headers={ + 'X-Forwarded-For': '8.8.8.8', + 'X-Instance-ID-Signature': 'signed', +- 'X-Instance-ID': 'the_id' ++ 'X-Instance-ID': 'the_id', ++ 'X-Tenant-ID': 'tenant_id' + }, + body=body + )] diff --git a/sys-cluster/neutron/files/CVE-2013-6419_2013.2.patch b/sys-cluster/neutron/files/CVE-2013-6419_2013.2.patch new file mode 100644 index 000000000000..6530915b470b --- /dev/null +++ b/sys-cluster/neutron/files/CVE-2013-6419_2013.2.patch 
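Review bot: In the backported `_proxy_request`, `X-Tenant-ID` is added to the proxied headers as a plain value while `X-Instance-ID-Signature` is still computed from `instance_id` alone, so the tenant id is not bound by the signature and nova's new tenant check has to trust the header exactly as the agent emits it. That is the upstream design and acceptable for a backport, but it means this commit closes CVE-2013-6419 only once the matching nova-side change described in the patch's DocImpact paragraph is installed, and neither ebuild nor the ChangeLog entry says so; a one-line ChangeLog remark such as `nova must carry its X-Tenant-ID check for this fix to be effective` would help users sequencing the upgrade. The 2013.1.4 backport records a hand-resolved conflict in quantum/agent/metadata/agent.py; its changed lines, including the `return None, None` fall-through after the `len(ports) == 1` branch, match the 2013.2 version, so nothing appears lost in the merge. The same observation applies to the CVE-2013-6419_2013.2.patch hunk that follows.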
@@ -0,0 +1,295 @@ +commit 78f47f96437deefa0388f2dd63651fea0165eaf1 +Author: Aaron Rosen <arosen@nicira.com> +Date: Mon Oct 7 15:34:38 2013 -0700 + + Add X-Tenant-ID to metadata request + + Previously, one could update a port's device_id to be that of another tenant's + instance_id and then be able to retrieve that instance's metadata. In order + to prevent this X-Tenant-ID is now passed in the metadata request to nova and + nova then checks that X-Tenant-ID also matches the tenant_id for the instance + against it's database to ensure it's not being spoofed. + + DocImpact - When upgrading OpenStack nova and neturon, neutron should be + updated first (and neutron-metadata-agent restarted before nova is + upgraded) in order to minimize downtime. This is because there is + also a patch to nova which has checks X-Tenant-ID against it's + database therefore neutron-metadata-agent needs to pass that + before nova is upgraded for metadata to work. + + Fixes bug: 1235450 + +diff --git a/neutron/agent/metadata/agent.py b/neutron/agent/metadata/agent.py +index dcb0e00..e0042f4 100644 +--- a/neutron/agent/metadata/agent.py ++++ b/neutron/agent/metadata/agent.py +@@ -84,61 +84,62 @@ class MetadataProxyHandler(object): + endpoint_url=self.auth_info.get('endpoint_url'), + endpoint_type=self.conf.endpoint_type + ) + return qclient + + @webob.dec.wsgify(RequestClass=webob.Request) + def __call__(self, req): + try: + LOG.debug(_("Request: %s"), req) + +- instance_id = self._get_instance_id(req) ++ instance_id, tenant_id = self._get_instance_and_tenant_id(req) + if instance_id: +- return self._proxy_request(instance_id, req) ++ return self._proxy_request(instance_id, tenant_id, req) + else: + return webob.exc.HTTPNotFound() + + except Exception: + LOG.exception(_("Unexpected error.")) + msg = _('An unknown error has occurred. 
' + 'Please try your request again.') + return webob.exc.HTTPInternalServerError(explanation=unicode(msg)) + +- def _get_instance_id(self, req): ++ def _get_instance_and_tenant_id(self, req): + qclient = self._get_neutron_client() + + remote_address = req.headers.get('X-Forwarded-For') + network_id = req.headers.get('X-Neutron-Network-ID') + router_id = req.headers.get('X-Neutron-Router-ID') + + if network_id: + networks = [network_id] + else: + internal_ports = qclient.list_ports( + device_id=router_id, + device_owner=DEVICE_OWNER_ROUTER_INTF)['ports'] + + networks = [p['network_id'] for p in internal_ports] + + ports = qclient.list_ports( + network_id=networks, + fixed_ips=['ip_address=%s' % remote_address])['ports'] + + self.auth_info = qclient.get_auth_info() +- + if len(ports) == 1: +- return ports[0]['device_id'] ++ return ports[0]['device_id'], ports[0]['tenant_id'] ++ return None, None + +- def _proxy_request(self, instance_id, req): ++ def _proxy_request(self, instance_id, tenant_id, req): + headers = { + 'X-Forwarded-For': req.headers.get('X-Forwarded-For'), + 'X-Instance-ID': instance_id, ++ 'X-Tenant-ID': tenant_id, + 'X-Instance-ID-Signature': self._sign_instance_id(instance_id) + } + + url = urlparse.urlunsplit(( + 'http', + '%s:%s' % (self.conf.nova_metadata_ip, + self.conf.nova_metadata_port), + req.path_info, + req.query_string, + '')) +diff --git a/neutron/tests/unit/test_metadata_agent.py b/neutron/tests/unit/test_metadata_agent.py +index 36b6f84..aa1cc84 100644 +--- a/neutron/tests/unit/test_metadata_agent.py ++++ b/neutron/tests/unit/test_metadata_agent.py +@@ -48,54 +48,56 @@ class TestMetadataProxyHandler(base.BaseTestCase): + self.addCleanup(self.qclient_p.stop) + + self.log_p = mock.patch.object(agent, 'LOG') + self.log = self.log_p.start() + self.addCleanup(self.log_p.stop) + + self.handler = agent.MetadataProxyHandler(FakeConf) + + def test_call(self): + req = mock.Mock() +- with mock.patch.object(self.handler, '_get_instance_id') as 
get_id: +- get_id.return_value = 'id' ++ with mock.patch.object(self.handler, ++ '_get_instance_and_tenant_id') as get_ids: ++ get_ids.return_value = ('instance_id', 'tenant_id') + with mock.patch.object(self.handler, '_proxy_request') as proxy: + proxy.return_value = 'value' + + retval = self.handler(req) + self.assertEqual(retval, 'value') + + def test_call_no_instance_match(self): + req = mock.Mock() +- with mock.patch.object(self.handler, '_get_instance_id') as get_id: +- get_id.return_value = None ++ with mock.patch.object(self.handler, ++ '_get_instance_and_tenant_id') as get_ids: ++ get_ids.return_value = None, None + retval = self.handler(req) + self.assertIsInstance(retval, webob.exc.HTTPNotFound) + + def test_call_internal_server_error(self): + req = mock.Mock() +- with mock.patch.object(self.handler, '_get_instance_id') as get_id: +- get_id.side_effect = Exception ++ with mock.patch.object(self.handler, ++ '_get_instance_and_tenant_id') as get_ids: ++ get_ids.side_effect = Exception + retval = self.handler(req) + self.assertIsInstance(retval, webob.exc.HTTPInternalServerError) + self.assertEqual(len(self.log.mock_calls), 2) + +- def _get_instance_id_helper(self, headers, list_ports_retval, +- networks=None, router_id=None): ++ def _get_instance_and_tenant_id_helper(self, headers, list_ports_retval, ++ networks=None, router_id=None): + headers['X-Forwarded-For'] = '192.168.1.1' + req = mock.Mock(headers=headers) + + def mock_list_ports(*args, **kwargs): + return {'ports': list_ports_retval.pop(0)} + + self.qclient.return_value.list_ports.side_effect = mock_list_ports +- retval = self.handler._get_instance_id(req) +- ++ instance_id, tenant_id = self.handler._get_instance_and_tenant_id(req) + expected = [ + mock.call( + username=FakeConf.admin_user, + tenant_name=FakeConf.admin_tenant_name, + region_name=FakeConf.auth_region, + auth_url=FakeConf.auth_url, + password=FakeConf.admin_password, + auth_strategy=FakeConf.auth_strategy, + auth_token=None, + 
endpoint_url=None, +@@ -111,105 +113,113 @@ class TestMetadataProxyHandler(base.BaseTestCase): + ) + + expected.append( + mock.call().list_ports( + network_id=networks or [], + fixed_ips=['ip_address=192.168.1.1']) + ) + + self.qclient.assert_has_calls(expected) + +- return retval ++ return (instance_id, tenant_id) + + def test_get_instance_id_router_id(self): + router_id = 'the_id' + headers = { + 'X-Neutron-Router-ID': router_id + } + + networks = ['net1', 'net2'] + ports = [ + [{'network_id': 'net1'}, {'network_id': 'net2'}], +- [{'device_id': 'device_id'}] ++ [{'device_id': 'device_id', 'tenant_id': 'tenant_id'}] + ] + + self.assertEqual( +- self._get_instance_id_helper(headers, ports, networks=networks, +- router_id=router_id), +- 'device_id' ++ self._get_instance_and_tenant_id_helper(headers, ports, ++ networks=networks, ++ router_id=router_id), ++ ('device_id', 'tenant_id') + ) + + def test_get_instance_id_router_id_no_match(self): + router_id = 'the_id' + headers = { + 'X-Neutron-Router-ID': router_id + } + + networks = ['net1', 'net2'] + ports = [ + [{'network_id': 'net1'}, {'network_id': 'net2'}], + [] + ] +- +- self.assertIsNone( +- self._get_instance_id_helper(headers, ports, networks=networks, +- router_id=router_id), ++ self.assertEqual( ++ self._get_instance_and_tenant_id_helper(headers, ports, ++ networks=networks, ++ router_id=router_id), ++ (None, None) + ) + + def test_get_instance_id_network_id(self): + network_id = 'the_id' + headers = { + 'X-Neutron-Network-ID': network_id + } + + ports = [ +- [{'device_id': 'device_id'}] ++ [{'device_id': 'device_id', ++ 'tenant_id': 'tenant_id'}] + ] + + self.assertEqual( +- self._get_instance_id_helper(headers, ports, networks=['the_id']), +- 'device_id' ++ self._get_instance_and_tenant_id_helper(headers, ports, ++ networks=['the_id']), ++ ('device_id', 'tenant_id') + ) + + def test_get_instance_id_network_id_no_match(self): + network_id = 'the_id' + headers = { + 'X-Neutron-Network-ID': network_id + } + + 
ports = [[]] + +- self.assertIsNone( +- self._get_instance_id_helper(headers, ports, networks=['the_id']) ++ self.assertEqual( ++ self._get_instance_and_tenant_id_helper(headers, ports, ++ networks=['the_id']), ++ (None, None) + ) + + def _proxy_request_test_helper(self, response_code=200, method='GET'): + hdrs = {'X-Forwarded-For': '8.8.8.8'} + body = 'body' + + req = mock.Mock(path_info='/the_path', query_string='', headers=hdrs, + method=method, body=body) + resp = mock.Mock(status=response_code) + with mock.patch.object(self.handler, '_sign_instance_id') as sign: + sign.return_value = 'signed' + with mock.patch('httplib2.Http') as mock_http: + mock_http.return_value.request.return_value = (resp, 'content') + +- retval = self.handler._proxy_request('the_id', req) ++ retval = self.handler._proxy_request('the_id', 'tenant_id', ++ req) + mock_http.assert_has_calls([ + mock.call().request( + 'http://9.9.9.9:8775/the_path', + method=method, + headers={ + 'X-Forwarded-For': '8.8.8.8', + 'X-Instance-ID-Signature': 'signed', +- 'X-Instance-ID': 'the_id' ++ 'X-Instance-ID': 'the_id', ++ 'X-Tenant-ID': 'tenant_id' + }, + body=body + )] + ) + + return retval + + def test_proxy_request_post(self): + self.assertEqual('content', + self._proxy_request_test_helper(method='POST')) diff --git a/sys-cluster/neutron/neutron-2013.1.4.ebuild b/sys-cluster/neutron/neutron-2013.1.4-r1.ebuild index 948492a569dd..09156259a879 100644 --- a/sys-cluster/neutron/neutron-2013.1.4.ebuild +++ b/sys-cluster/neutron/neutron-2013.1.4-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2013.1.4.ebuild,v 1.2 2013/11/10 23:04:52 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2013.1.4-r1.ebuild,v 1.1 2013/12/13 20:47:39 prometheanfire Exp $ EAPI=5 PYTHON_COMPAT=( python2_7 ) 
@@ -67,6 +67,8 @@ RDEPEND=">=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
 openvswitch? ( net-misc/openvswitch )
 dhcp? ( net-dns/dnsmasq[dhcp-tools] )"
+PATCHES=( "${FILESDIR}/CVE-2013-6419_2013.1.4.patch" )
+
 pkg_setup() {
 enewgroup neutron
 enewuser neutron -1 -1 /var/lib/neutron neutron
diff --git a/sys-cluster/neutron/neutron-2013.2-r1.ebuild b/sys-cluster/neutron/neutron-2013.2-r2.ebuild
index 9a8e7365ac0d..d0e3df5073ac 100644
--- a/sys-cluster/neutron/neutron-2013.2-r1.ebuild
+++ b/sys-cluster/neutron/neutron-2013.2-r2.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2013.2-r1.ebuild,v 1.1 2013/11/22 04:38:40 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2013.2-r2.ebuild,v 1.1 2013/12/13 20:47:39 prometheanfire Exp $
 EAPI=5
 PYTHON_COMPAT=( python2_7 )
@@ -75,9 +75,10 @@ RDEPEND="dev-python/paste[${PYTHON_USEDEP}]
 net-misc/openvswitch
 dhcp? ( net-dns/dnsmasq[dhcp-tools] )"
-PATCHES=( "${FILESDIR}"/${P}-sphinx_mapping.patch \
- "${FILESDIR}"/${P}-json-tests.patch \
- "${FILESDIR}"/${P}-nicira.patch )
+PATCHES=( "${FILESDIR}/${P}-sphinx_mapping.patch"
+ "${FILESDIR}/${P}-json-tests.patch"
+ "${FILESDIR}/${P}-nicira.patch"
+ "${FILESDIR}/CVE-2013-6419_2013.2.patch" )
 pkg_setup() {
 enewgroup neutron |
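Review bot: The `PATCHES=( "${FILESDIR}/CVE-2013-6419_2013.1.4.patch" )` array added to neutron-2013.1.4-r1.ebuild is only applied if the ebuild's src_prepare goes through the distutils-r1 default (`distutils-r1_python_prepare_all`) or calls `epatch "${PATCHES[@]}"` itself; the inherit line and any python_prepare_all override are outside this hunk, and the previous revision defined no PATCHES at all, so confirm the array is actually consumed rather than silently ignored, since a revision bump that does not apply its security patch is worse than none. In the -75,9 +75,10 hunk of neutron-2013.2-r2.ebuild the new entry is appended to an array the earlier revision already applied, so that side only needs the file to be present, and the quoting change from `"${FILESDIR}"/${P}-...` to `"${FILESDIR}/${P}-..."` is equivalent. Because the CVE patch is the sole reason for both revision bumps, a short comment above each array, e.g. `# CVE-2013-6419: pass X-Tenant-ID to the nova metadata service (nova needs its matching check)`, would record why the patch is there.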