diff options
author | Matt Thode <prometheanfire@gentoo.org> | 2015-07-02 05:43:36 +0000 |
---|---|---|
committer | Matt Thode <prometheanfire@gentoo.org> | 2015-07-02 05:43:36 +0000 |
commit | f93ab13eb574a20e8b277f76cd381b4c56e154bf (patch) | |
tree | 58c57f81c6e299b4c11772207288f22d80c94a80 /sys-cluster | |
parent | Version bump. (diff) | |
download | historical-f93ab13eb574a20e8b277f76cd381b4c56e154bf.tar.gz historical-f93ab13eb574a20e8b277f76cd381b4c56e154bf.tar.bz2 historical-f93ab13eb574a20e8b277f76cd381b4c56e154bf.zip |
fixing CVE-2015-3221 no badness remaining
Package-Manager: portage-2.2.18/cvs/Linux x86_64
Manifest-Sign-Key: 0x33ED3FD25AFC78BA
Diffstat (limited to 'sys-cluster')
-rw-r--r-- | sys-cluster/neutron/ChangeLog | 12 | ||||
-rw-r--r-- | sys-cluster/neutron/Manifest | 39 | ||||
-rw-r--r-- | sys-cluster/neutron/files/cve-2015-3221_2014.2.3.ebuild | 151 | ||||
-rw-r--r-- | sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch | 127 | ||||
-rw-r--r-- | sys-cluster/neutron/neutron-2014.2.3-r1.ebuild (renamed from sys-cluster/neutron/neutron-2014.2.3.ebuild) | 3 | ||||
-rw-r--r-- | sys-cluster/neutron/neutron-2015.1.0-r2.ebuild (renamed from sys-cluster/neutron/neutron-2015.1.0-r1.ebuild) | 3 |
6 files changed, 312 insertions, 23 deletions
diff --git a/sys-cluster/neutron/ChangeLog b/sys-cluster/neutron/ChangeLog index a06d9a4a01fc..a04b6b542d15 100644 --- a/sys-cluster/neutron/ChangeLog +++ b/sys-cluster/neutron/ChangeLog @@ -1,6 +1,16 @@ # ChangeLog for sys-cluster/neutron # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.64 2015/05/17 23:25:00 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.65 2015/07/02 05:43:05 prometheanfire Exp $ + +*neutron-2014.2.3-r1 (02 Jul 2015) +*neutron-2015.1.0-r2 (02 Jul 2015) +*cve-2015-3221_2014.2.3 (02 Jul 2015) + + 02 Jul 2015; Matthew Thode <prometheanfire@gentoo.org> + +files/cve-2015-3221_2014.2.3.ebuild, +files/cve-2015-3221_2015.1.0.patch, + +neutron-2014.2.3-r1.ebuild, +neutron-2015.1.0-r2.ebuild, + -neutron-2014.2.3.ebuild, -neutron-2015.1.0-r1.ebuild: + fixing CVE-2015-3221 no badness remaining *neutron-2015.1.0-r1 (17 May 2015) diff --git a/sys-cluster/neutron/Manifest b/sys-cluster/neutron/Manifest index 4678216aef9c..f95f6c2af25d 100644 --- a/sys-cluster/neutron/Manifest +++ b/sys-cluster/neutron/Manifest @@ -1,9 +1,11 @@ -----BEGIN PGP SIGNED MESSAGE----- -Hash: SHA512 +Hash: SHA256 AUX 0001-Fixes-bug-in-interface-handling-of-ip_lib.py.patch 3346 SHA256 f9c382ff3a90653c0356c84847b53b677719ecb37ceb3ee60fd61e72a3c64dbe SHA512 5d99f94b003042d9ee676cad00d051335db72e351842a8ce876740cec556282ac1936ebf3c7355ca785907e745eb0de03bc00fa4b727106afd43632cc54bce0e WHIRLPOOL 28f086275d41d36699286a0e5f8295801cdae8acd37ac3b24c06137cc061f88b5c6cf5d166f1ddafd8b96d7eff51aea4a52fa819d582eb5d854edb5583c4e77a AUX 0002-moving-vxlan-module-check-to-sanity-checks-and-makin.patch 9421 SHA256 554ba93fedfd892191ee980f90832aef45d02f639422b6c08bed21e8eb6fdbe1 SHA512 57db212fa09d86e224568822d5f162143b3ac5cd5f27be199fd1c2f89fa25e856e24b09a90c566457ad14beabdc934b3282a3d20dc330377ea6464d45b056ab7 WHIRLPOOL 2a2daf0cbfb298fdf64e328883ef42110c9541de7087b087778fc3ca37c5090da1a25eb73b8fca24bfd78e2166704c5cc0442f92b58756e3b28008be0512a53f AUX 0003-fixes-error-logging-to-use-the-right-exception-paren.patch 954 SHA256 b7db04721a0a0322575623678cd33d3852f16fa3770af4aa12b8cecf7101291d SHA512 ea7e96bb22ac2636da7dbc5b5ead7954fa6d87a2e49998e66e1e0e126d30e3091dbecc8c6ac49b27e9da8edb3b4ca3556923911628f7affd53b9096f44f4da2d WHIRLPOOL 11c3b0a65620d31d652abc2736db2fa22181846191f1a7bf7ae8ed8db3553cb70177965c7689447e73bc0f1ede0724fae8e45eb204ee3d5f6ae9f141099ddaa8 +AUX cve-2015-3221_2014.2.3.ebuild 6463 SHA256 9e622fc01b8e2c0ea39d6d66080e244aa20d3a1a850985b33e13bf1a43f10bea SHA512 d6e7277c067c87bc25d757c5648f65ded3bd2bd532cb132e67fa64802d2a77276892d569f4d818a00d3fbac5ee6c2a3df4b084bd6a0a1fcd9c0af59c8dffddbe WHIRLPOOL 88062fc6cc8d1e6bca24d7b8c6e47410caaeef7736e79e287ffedbe25747a3d79afad290260a732bade9142a4ea80f5ae18e1cdc4b4b9fb4fea2143e9f87e4a7 +AUX cve-2015-3221_2015.1.0.patch 5245 SHA256 95e2ec047ed2f2b04a2c4d0730237804fd33149b1579877c17ad16d2e78526e4 SHA512 46a9f355ca37bbcbc5a424f4da7061de498863f6b6c5adc137bdbb312261f6d49fb8f425d050c41171d7d647206c80d99af046e37808c46c1251028dd2ff2964 WHIRLPOOL 612b78705b3d7edb5fb7824d24e8a37db25842c285878d4582f71b4b190df654590c95013a777effbd6af41ebae6974c93d1a542a5a10243eef954828561b0bb AUX neutron-dhcp-agent.confd 75 SHA256 e36fe3d370ad2b4c82ccf1f4caac60882334d93e3abd7e0e6e268d23cb069d71 SHA512 94cf300c9a9d0275e4fcab4ffdb7e29ca26b73c120d6ff683b48ea0e9c21e46123289522aedd295e4d5d28307133b50084541a90a48db456802d675eed6c2d3e WHIRLPOOL 9e77fe1ef65fa8ef46f8272ddea7213a46e71c6f2884eab20f09eaddc977f5cc202c8529c1a75347132c667e4e2d39d5bdd3ab2c94812c4b1f95f398af75c38c AUX neutron-l3-agent.confd 73 SHA256 560997f3e40d90ef885483e4bd02728bf88720378238fc5e6b3b2abb2ba9dd0e SHA512 4a902c5621abc124424bdad97de8959f63f7c846b4c7b9b3ccaab5522ff3e6938acf748df269980484228d4fc13d2f1e3e3670619207e3c88ea5dd5373699e0a WHIRLPOOL 653156dbbff34606fa0694bab622eb40c2ead171b1ad0a0c934285a50f15db4d8927e40ebff8d2ffe64078a8a079d48a2834e68b049c11a68417dc3945374cb8 AUX neutron-linuxbridge-agent.confd 140 SHA256 1eff0c9c6adb37abf3064a8d035a9d8042bc1151106ed790397d1cca1463c718 SHA512 f49db80c48488b86eb55077fae61202bbe29eaef0f2fa212c44c9b42f41c5f3cc31bdd48c9c405c0e0c51e7d7c3910169a6cc08e36a2be98f9d032b3a11a0a5a WHIRLPOOL 9b9f8932e7a72cdfd241d86b0063d660499c52de62ca6cda09ed6a74649587ef674fca72a0b80f82141e8d0db6fe3c3cf6c28739775230ae7bdf83afcd1fa694 @@ -15,28 +17,25 @@ AUX neutron.initd 792 SHA256 2170e60f05a3f41b47b80def27195fc3b67517adcdf8c6d5376 AUX neutron.sudoersd 117 SHA256 b40ea04a95deedbb66fe504df61b55905cbd746e5ba26321c01cd25b5cc9dcbe SHA512 143f8a1faa7650bc66b2566d0bd62f71eb743231b9efc4c7df265e53d664418b23182e3f271b86845ed76c537b7f60157e87af59413cf659379f367924d14366 WHIRLPOOL bb0e35d7b7471fab424f86f181601bc87d4bba98f4fbc282cc6302a05128992613097afe1fea159e9c718cd688a03c280b53d72bfe47fc91bd24967a4b4618da DIST neutron-2014.2.3.tar.gz 2077226 SHA256 1af8df2a2ef4294e76546325a16ccb8ede001eee0392b877b80cfd04a48862dc SHA512 51eb9e6319a5368b77ef187210d0bcb76fe587e41f4a55bbb677ba940eda084fd93b186de95813b38fcf0d101f10b62b4d558bb342ef42850a417bb611d04295 WHIRLPOOL c536a6937bd4b88e9a6ba84d52fdddcd481791d34982878eab51d95ac0bd78aa79f37751283ebc3613db91bb3b648b3190b93ad697281bc33baf88f365a6df9f DIST neutron-2015.1.0.tar.gz 2038600 SHA256 02672a5316e637d122bb13cd2e18ee4df0df279ddd70262fa7d4102943ec33b6 SHA512 205181228a34469b2f079135fd871adfc5156d9c046f59d1347798015403530131b6f790346be31349333acd6d3f00dd818876b1c7a73a675214387482d0715d WHIRLPOOL 558a16b3c84425ac9e14960895cc7d67f26f618f47e6b24e53592555e282d49fbd52feed3da616cb576942fabef36b54fb979273071605ecbd32ba980c28f5a3 -EBUILD neutron-2014.2.3.ebuild 7522 SHA256 597ba6828e67bcb479d1b1ebb6c3284a605caa80da0a58f30d0bc5b78295fedf SHA512 36363f11aba6a9099962752a66d69b42c65bbef7bc6805833ce84210889d2b775825c626b4b573a5554f86a54b15ad7c8336aadec8e6b54fc3448d512cb19421 WHIRLPOOL 777e3923cff07cc923c934f19a11d61fc3fa245406dfe7056e74b0e30440fd6b3ddd28015c3f739112b4e31e49b7351b829033a0d2c40551bceeb9e7c921b3b1 +EBUILD neutron-2014.2.3-r1.ebuild 7570 SHA256 516461098ffdafbfb4ae9accb3548629bcccecf32a62404e8b1d5cb199474dcf SHA512 3eea5574336b9adf5b8a5458c990b6d942ad6ca61413bbbb2c819cc02750d2e710b7d472cd9f22abd4de5d0fe279097a70f2662bf89580b2f802f367cfd9929b WHIRLPOOL 25b25992fd325c406fe16faa3a15d6c9bf99793e6fa18b0b69502007bc83f8c185191c40c5cafd2365d5c5cec32755599c8fd3d22b3f48f03ceee96e4400c2a8 EBUILD neutron-2014.2.9999.ebuild 7534 SHA256 a6bbe0d0c069645b7c31fd8e9913314e51f30ef4d9d344ca8d2f454fbb9a7272 SHA512 630c812b041f66052c6de41f682a42d67746d218e81ddde1d9b0f2b9dc1824d4bb80a7b4f7c011d39b15e2f3f468ebacdbf03c50d3b4bca1140e881b0b2b61b1 WHIRLPOOL 28d17074d7b3e0173827884a0b56fca04c1b53c410bbbf366cb9e69f03149d036d02933841d35ad289a55d9a66220ba24af8a60ca3e1f4f81a9a0148e1300802 -EBUILD neutron-2015.1.0-r1.ebuild 9160 SHA256 e663151f2a2eb3eb47fd737d33a746a8e3a46b385110e03e113665826204c951 SHA512 4f1b90a3ffb07bbd0539f5ffa4b855f92a6cd607bf78ea51d7d21da2999c13271b328b36096b7ad7cb846632338066fe27b540b7fd5e9cb8b653a430c71056e0 WHIRLPOOL 62f56705d7a5f626d9546f437fb27ee520e13098412a81e2ed237b966151798838c880d8ac63e700a8bcd578751584e983dc634a7bf721f370ea09eaccb143a3 +EBUILD neutron-2015.1.0-r2.ebuild 9205 SHA256 65a26fa0e86d5c5d1c756abc12adc2d3f4886cd8c8359a716090b7999562aab2 SHA512 84a41a94c8d5b1c5e2ae1b3ed97d38431b42278e9441a9e14189326c2de49ddb3d04cacc62a0ddd2fab99067c7af60df37e32be22cc7ce1d744eb792cbddf7bf WHIRLPOOL f4df2c8431345a0bbd84fc84317df42b57465336e286f8316fe6949c6e3038005e08a1d9576abbbc5fd88603d4156fc7501127538ef0713b3d9dccf462a69019 EBUILD neutron-2015.1.9999.ebuild 9168 SHA256 53b178d87ef7c2c6506d1a806cad8eeb21963210ba1861d8e97d4f7ff03205e6 SHA512 f8b9a6b856bfaa32dad67dfb59f30abfc6eaeb93378847ef8abaa2c371b3c0625bd4b605def025817bb859b80b1992c9982d665c8e22c1a6cdbb195a4590912d WHIRLPOOL 5dbab2ac82c0840a07f7b82f78d130c1f42665c19ca89be8cef6dc21a8d8a13859a4492772908fab8b493d79ea06ffd048299f34177e40a6b94fd19575ae4985 -MISC ChangeLog 17520 SHA256 7eaaac748241da4156acb1c926cbe97408832e9b0f05505a0f7d937523dfd44a SHA512 ba84d435df645e9e6f6b1bc46ede8532ebf97e8339ece0641907b70a9a8a9facd8560d4f25d22b923172b1f8ff70c323b22dcef384cd2ff94d1cba150a777e2d WHIRLPOOL 70c7b1ebb258892030df664f69c759014d1e2febe13d3ca32c2abf25d3beab11ff7c3259bb8819fa78ba6fb41df62f1763c7bfadab6ac18e65f769af812f7c52 +MISC ChangeLog 17925 SHA256 51ce827e9dc66b56b83686515d470b673706fbbc292b19d1482cf70dc456d80c SHA512 31ce0ce7d27096e23a29ff643be0266d85a4019816800a656ac1251e4c0a9ce5d538c99a69c12cb1cb443e16027086a6ba43ef6b9b7ef27abc229e8f4083ad8c WHIRLPOOL 8c2323c34eb28d16a0f37fa152b32c72d5e0aee5a1e08d977ceaf03163c015bcd8a70349ac1c39a0bcf46ef0ab2b414adc6090c55c1fe840f5589e43e6b25053 MISC metadata.xml 1456 SHA256 d106fe0b2c0065842dba18c09e7197e6929e3f828fc438b598ae43adfa93d97b SHA512 e52b4e877e4136940bb86c7097aa68943aff48a53ee87bf0e447f8219c5831bdcce503eaf5bfec01ac3cc637a3f1fcfe693130e077d24bc96c63a0456bd8e36a WHIRLPOOL 37a64b4b88e3d51bc0265c02a8e17c0831d3d32facb7b4308c8bf00d1d4d3413b43ea10e982af6b6d837c4f7afb89c92947e51dc2bf664f4422310765d9b45d2 -----BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0 -iQJ8BAEBCgBmBQJVf8ACXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w -ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ0QUU0N0I4NzFERUI0MTJFN0EyODE0NUFF -OTQwMkE3OUIwMzUyOUEyAAoJEOlAKnmwNSmiCVgQALW5Ii5aJUSpFl4aPINqsn6/ -KWfqgMwZAQEjJt/DWViJdz8VhK6/+jbxtAkuErSsH4W11opDywtRf1cXCXKp3LFT -AiZMoG8Ye9Z6k/4Pag/qZmvKtluk9E8/GcmarBpyAn4EI7KguFv6WjngmimoUwqe -Xld9hSYCdTebWnEOqYHnDRjgnNHeoO5uaqOlSeIqBP2serrNY273SdQ4TnlBIPJK -+aBHu//2JsxFfDyRlTYwd+j2tKoY7mGP+pnP8LvWMYXTDA0FrQsui1+1eKlLQLoM -ZmDeQ9fMSARAKL1N1I9Oz2epL9PIJVZUkI3wD6ADZbdEvELdehmvOQCS41Q6WF4N -QM82zie+7NZqxhZ+n7RMBIZQwrPeV4pCa23wQGs3REf8v4oGc75uISJb4IUQjRHm -VP6FQv727tYmVvSgJ5uibZcMyu+SqTGdExF8XaxLhOEg7/k5+QBJv64aE5ci0bgp -CIBuxSN6r7v7i6HqyHcbAM3KtSAK0N49AdLGjXoNJjC6mJXrTnNFLa4tuW/QTg8l -bPZahZswkeRV09o1p55uGuNte76DN46/OTiMj31hpiIiTEjo9hYdzFP9ddrZSsLw -0r3QxvVSuSRLHVe8FQkX1aPeDRHVFXDxyLTglB1Sk58ctIRxTyn1UKbV2zsZNYsY -DZXQTaRLMydVzmjK792T -=EPup +iQIcBAEBCAAGBQJVlM+cAAoJEGSje+quGaToFxEQAKwz6LAo5VNjguS7hRnBRkom +WsN/QZA08G+KA7E4MwdrT3NW/OyO6lmEpOnuJD+oHONbBh3OuoM7e9VvCNSr9c7W +79uQiiXoaEjt+2wxNx2rNgUviTNX/r0i7P1nV96F1f/0zJe0wArwtwCr8Fq94qvr +4DCf/+eZCQBwo6hlrVYnZ73FvhnRw44MPInn4IbNM+1WgHh4Hoqauh8PwbZ7MNbW +zciBbTZvLMEyZAQzTezik40EChfNP96SsGAiF+e/2LKLPqU0Lbajupq7JQ95me6i +xHEDom0k94Y9PCrWSyjO9e5rRtFCg2XWZxmx2gNCQMEzfyD+nBZmAhHW/5IY12lO +w7Omksg9T2/gTgsWiUIe0QB3AD4oz2LzbwXCblS5sZCmTYaeDpPzAoJb61D0xE+/ +Rxm5Avz7OFqh36QWwV52bhtvhb490lyG/NKcHugPavgmoij8IElLYjwbMf10Nk6U +PgqHb6P6JN/Owwh7JNXoJZxnZuodKQoC+KQZyX8iXdWwNfj6wf54aEZ23UFl1VZk +dW400u4G8J94uMql1RrT32Drv/8yWu7PpNdAICNOsqBDW3oTyIHx8gdm/jBtVX/0 +lltuXpOmOpcbUKI2iIynV1k547H1x8vCOBuYVN/vU98oNI7a2VnBmAhl+1N8N6xd +2XaIbsmEvfPcee/UVJMe +=Y/u+ -----END PGP SIGNATURE----- diff --git a/sys-cluster/neutron/files/cve-2015-3221_2014.2.3.ebuild b/sys-cluster/neutron/files/cve-2015-3221_2014.2.3.ebuild new file mode 100644 index 000000000000..18cf37d92d40 --- /dev/null +++ b/sys-cluster/neutron/files/cve-2015-3221_2014.2.3.ebuild @@ -0,0 +1,151 @@ +From ac8fb28a920c7a6284d41f7cce054ea1b2e73cb1 Mon Sep 17 00:00:00 2001 +From: Aaron Rosen <aaronorosen@gmail.com> +Date: Thu, 11 Jun 2015 13:58:16 -0700 +Subject: [PATCH] Disable allowed_address_pair ip 0.0.0.0/0 ::/0 for ipset + +Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if +these addresses were inputted as allowed address pairs. This causes +ipset to raise an error as it does not work with zero prefix sizes. +To solve this problem we use two ipset rules to represent this. + +This was correctly fixed in a backport to kilo though we did not have the +cycles to backport this exact fix to juno as in juno additional work needs to +be done because the iptable and ipset code are interleaved together. This +patch fixes this issue by disabling one from creating an address pair of +zero lenght. This patch also provides a small tool which one should run: +tools/fix_zero_length_ip_prefix.py which changes all zero length address_pair +rules into two address pair rules of: + +Ipv4: 0.0.0.0/1 and 128.0.0.1/1 +IPv6: ::/1' and '8000::/1 + +to avoid the problem. +After this patch is merged into juno it will be easier for us to apply +a better change to allow /0 addresses again in juno. + +Closes-bug: 1461054 +Co-Authored-by: Darragh O'Reilly <darragh.oreilly@hp.com> +--- + neutron/extensions/allowedaddresspairs.py | 9 +++- + .../unit/test_extension_allowedaddresspairs.py | 5 ++ + tools/fix_zero_length_ip_prefix.py | 59 ++++++++++++++++++++++ + 3 files changed, 72 insertions(+), 1 deletion(-) + create mode 100755 tools/fix_zero_length_ip_prefix.py + +diff --git a/neutron/extensions/allowedaddresspairs.py b/neutron/extensions/allowedaddresspairs.py +index 6588d5f..a773a17 100644 +--- a/neutron/extensions/allowedaddresspairs.py ++++ b/neutron/extensions/allowedaddresspairs.py +@@ -12,6 +12,7 @@ + # License for the specific language governing permissions and limitations + # under the License. + ++import netaddr + import webob.exc + + from neutron.api.v2 import attributes as attr +@@ -46,6 +47,10 @@ class AllowedAddressPairExhausted(nexception.BadRequest): + "exceeds the maximum %(quota)s.") + + ++class AllowedAddressPairsZeroPrefixNotAllowed(nexception.InvalidInput): ++ message = _("AllowedAddressPair CIDR cannot have prefix length zero") ++ ++ + def _validate_allowed_address_pairs(address_pairs, valid_values=None): + unique_check = {} + if len(address_pairs) > cfg.CONF.max_allowed_address_pair: +@@ -77,7 +82,9 @@ def _validate_allowed_address_pairs(address_pairs, valid_values=None): + set(['mac_address', 'ip_address']))) + raise webob.exc.HTTPBadRequest(msg) + +- if '/' in ip_address: ++ if (netaddr.IPNetwork(ip_address).prefixlen == 0): ++ raise AllowedAddressPairsZeroPrefixNotAllowed() ++ elif '/' in ip_address: + msg = attr._validate_subnet(ip_address) + else: + msg = attr._validate_ip_address(ip_address) +diff --git a/neutron/tests/unit/test_extension_allowedaddresspairs.py b/neutron/tests/unit/test_extension_allowedaddresspairs.py +index bcaa11b..f15c402 100644 +--- a/neutron/tests/unit/test_extension_allowedaddresspairs.py ++++ b/neutron/tests/unit/test_extension_allowedaddresspairs.py +@@ -140,6 +140,11 @@ class TestAllowedAddressPairs(AllowedAddressPairDBTestCase): + self.deserialize(self.fmt, res) + self.assertEqual(res.status_int, 409) + ++ def test_create_port_zero_prefix_ip(self): ++ address_pairs = [{'mac_address': 'invalid_mac', ++ 'ip_address': '0.0.0.0/0'}] ++ self._create_port_with_address_pairs(address_pairs, 400) ++ + def test_create_port_bad_mac(self): + address_pairs = [{'mac_address': 'invalid_mac', + 'ip_address': '10.0.0.1'}] +diff --git a/tools/fix_zero_length_ip_prefix.py b/tools/fix_zero_length_ip_prefix.py +new file mode 100755 +index 0000000..dbbafb5 +--- /dev/null ++++ b/tools/fix_zero_length_ip_prefix.py +@@ -0,0 +1,59 @@ ++""" ++This script is needed to convert addresses that are zero prefix to be two ++address of one prefix to avoid a bug that exists in juno where the ipset ++manager isn't able to handle zero prefix lenght addresses. ++""" ++ ++import os ++import sys ++ ++import netaddr ++from neutronclient.v2_0 import client ++ ++ ++def main(): ++ try: ++ username = os.environ['OS_USERNAME'] ++ tenant_name = os.environ['OS_TENANT_NAME'] ++ password = os.environ['OS_PASSWORD'] ++ auth_url = os.environ['OS_AUTH_URL'] ++ except KeyError: ++ print("You need to source your openstack creds file first!") ++ sys.exit(1) ++ ++ neutron = client.Client(username=username, ++ tenant_name=tenant_name, ++ password=password, ++ auth_url=auth_url) ++ ++ ports = neutron.list_ports() ++ for port in ports['ports']: ++ new_address_pairs = [] ++ needs_update = False ++ allowed_address_pairs = port.get('allowed_address_pairs') ++ if allowed_address_pairs: ++ for address_pair in allowed_address_pairs: ++ ip = address_pair['ip_address'] ++ mac = address_pair['mac_address'] ++ if(netaddr.IPNetwork(ip).prefixlen == 0): ++ needs_update = True ++ if(netaddr.IPNetwork(ip).version == 4): ++ new_address_pairs.append({'ip_address': '0.0.0.0/1', ++ 'mac_address': mac}) ++ new_address_pairs.append({'ip_address': '128.0.0.0/1', ++ 'mac_address': mac}) ++ elif(netaddr.IPNetwork(ip).version == 6): ++ new_address_pairs.append({'ip_address': '::/1', ++ 'mac_address': mac}) ++ new_address_pairs.append({'ip_address': '8000::/1', ++ 'mac_address': mac}) ++ else: ++ new_address_pairs.append(address_pair) ++ if needs_update: ++ print ("Updating port %s with new address_pairs %s" % ++ (port['id'], new_address_pairs)) ++ neutron.update_port( ++ port['id'], ++ {'port': {'allowed_address_pairs': new_address_pairs}}) ++ ++main() +-- +1.9.1 diff --git a/sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch b/sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch new file mode 100644 index 000000000000..c6c2230c9bd3 --- /dev/null +++ b/sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch @@ -0,0 +1,127 @@ +From e0c8cbc5dd610b4c580935ea56436495a6d4eb26 Mon Sep 17 00:00:00 2001 +From: Aaron Rosen <aaronorosen@gmail.com> +Date: Wed, 3 Jun 2015 16:19:39 -0700 +Subject: [PATCH] Provide work around for 0.0.0.0/0 ::/0 for ipset + +Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if +these addresses were inputted as allowed address pairs. This causes +ipset to raise an error as it does not work with zero prefix sizes. +To solve this problem we use two ipset rules to represent this: + +Ipv4: 0.0.0.0/1 and 128.0.0.1/1 +IPv6: ::/1' and '8000::/1 + +All of this logic is handled via _sanitize_addresses() in the ipset_manager +which is called to convert the input. + +Closes-bug: 1461054 + +Conflicts: + neutron/agent/linux/ipset_manager.py + neutron/tests/unit/agent/linux/test_ipset_manager.py + +(cherry picked from commit 80a0fc3ba063e036b76e05e89b0cc54fc2d47c81) +--- + neutron/agent/linux/ipset_manager.py | 23 ++++++++++++++++++++++ + .../tests/unit/agent/linux/test_ipset_manager.py | 19 +++++++++++++++--- + 2 files changed, 39 insertions(+), 3 deletions(-) + +diff --git a/neutron/agent/linux/ipset_manager.py b/neutron/agent/linux/ipset_manager.py +index 0f76418..af59f1f 100644 +--- a/neutron/agent/linux/ipset_manager.py ++++ b/neutron/agent/linux/ipset_manager.py +@@ -11,6 +11,8 @@ + # See the License for the specific language governing permissions and + # limitations under the License. + ++import netaddr ++ + from neutron.agent.linux import utils as linux_utils + from neutron.common import utils + +@@ -31,6 +33,26 @@ class IpsetManager(object): + self.namespace = namespace + self.ipset_sets = {} + ++ def _sanitize_addresses(self, addresses): ++ """This method converts any address to ipset format. ++ ++ If an address has a mask of /0 we need to cover to it to a mask of ++ /1 as ipset does not support /0 length addresses. Instead we use two ++ /1's to represent the /0. ++ """ ++ sanitized_addresses = [] ++ for ip in addresses: ++ if (netaddr.IPNetwork(ip).prefixlen == 0): ++ if(netaddr.IPNetwork(ip).version == 4): ++ sanitized_addresses.append('0.0.0.0/1') ++ sanitized_addresses.append('128.0.0.0/1') ++ elif (netaddr.IPNetwork(ip).version == 6): ++ sanitized_addresses.append('::/1') ++ sanitized_addresses.append('8000::/1') ++ else: ++ sanitized_addresses.append(ip) ++ return sanitized_addresses ++ + @staticmethod + def get_name(id, ethertype): + """Returns the given ipset name for an id+ethertype pair. +@@ -51,6 +73,7 @@ class IpsetManager(object): + add / remove new members, or swapped atomically if + that's faster. + """ ++ member_ips = self._sanitize_addresses(member_ips) + set_name = self.get_name(id, ethertype) + if not self.set_exists(id, ethertype): + # The initial creation is handled with create/refresh to +diff --git a/neutron/tests/unit/agent/linux/test_ipset_manager.py b/neutron/tests/unit/agent/linux/test_ipset_manager.py +index 4484008..a1c6dc5 100644 +--- a/neutron/tests/unit/agent/linux/test_ipset_manager.py ++++ b/neutron/tests/unit/agent/linux/test_ipset_manager.py +@@ -38,7 +38,7 @@ class BaseIpsetManagerTest(base.BaseTestCase): + def expect_set(self, addresses): + temp_input = ['create NETIPv4fake_sgid-new hash:net family inet'] + temp_input.extend('add NETIPv4fake_sgid-new %s' % ip +- for ip in addresses) ++ for ip in self.ipset._sanitize_addresses(addresses)) + input = '\n'.join(temp_input) + self.expected_calls.extend([ + mock.call(['ipset', 'restore', '-exist'], +@@ -55,13 +55,16 @@ class BaseIpsetManagerTest(base.BaseTestCase): + self.expected_calls.extend( + mock.call(['ipset', 'add', '-exist', TEST_SET_NAME, ip], + process_input=None, +- run_as_root=True) for ip in addresses) ++ run_as_root=True) ++ for ip in self.ipset._sanitize_addresses(addresses)) + + def expect_del(self, addresses): ++ + self.expected_calls.extend( + mock.call(['ipset', 'del', TEST_SET_NAME, ip], + process_input=None, +- run_as_root=True) for ip in addresses) ++ run_as_root=True) ++ for ip in self.ipset._sanitize_addresses(addresses)) + + def expect_create(self): + self.expected_calls.append( +@@ -113,6 +116,16 @@ class IpsetManagerTestCase(BaseIpsetManagerTest): + self.ipset.set_members(TEST_SET_ID, ETHERTYPE, FAKE_IPS) + self.verify_mock_calls() + ++ def test_set_members_adding_all_zero_ipv4(self): ++ self.expect_set(['0.0.0.0/0']) ++ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['0.0.0.0/0']) ++ self.verify_mock_calls() ++ ++ def test_set_members_adding_all_zero_ipv6(self): ++ self.expect_set(['::/0']) ++ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['::/0']) ++ self.verify_mock_calls() ++ + def test_destroy(self): + self.add_first_ip() + self.expect_destroy() +-- +1.9.1 diff --git a/sys-cluster/neutron/neutron-2014.2.3.ebuild b/sys-cluster/neutron/neutron-2014.2.3-r1.ebuild index ceceadae2b73..eeb68995909e 100644 --- a/sys-cluster/neutron/neutron-2014.2.3.ebuild +++ b/sys-cluster/neutron/neutron-2014.2.3-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2015 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.2.3.ebuild,v 1.1 2015/04/13 03:27:20 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.2.3-r1.ebuild,v 1.1 2015/07/02 05:43:05 prometheanfire Exp $ EAPI=5 PYTHON_COMPAT=( python2_7 ) @@ -102,6 +102,7 @@ PATCHES=( "${FILESDIR}/0001-Fixes-bug-in-interface-handling-of-ip_lib.py.patch" "${FILESDIR}/0002-moving-vxlan-module-check-to-sanity-checks-and-makin.patch" "${FILESDIR}/0003-fixes-error-logging-to-use-the-right-exception-paren.patch" + "${FILESDIR}/cve-2015-3221_2014.2.3.ebuild" ) pkg_setup() { diff --git a/sys-cluster/neutron/neutron-2015.1.0-r1.ebuild b/sys-cluster/neutron/neutron-2015.1.0-r2.ebuild index 0a7a4c2e2da8..18d1a9ee18e9 100644 --- a/sys-cluster/neutron/neutron-2015.1.0-r1.ebuild +++ b/sys-cluster/neutron/neutron-2015.1.0-r2.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2015 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2015.1.0-r1.ebuild,v 1.1 2015/05/17 23:25:00 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2015.1.0-r2.ebuild,v 1.1 2015/07/02 05:43:05 prometheanfire Exp $ EAPI=5 PYTHON_COMPAT=( python2_7 ) @@ -129,6 +129,7 @@ RDEPEND=" dhcp? ( net-dns/dnsmasq[dhcp-tools] )" PATCHES=( + "${FILESDIR}/cve-2015-3221_2015.1.0.patch" ) pkg_setup() { |