authorMatthew Thode <prometheanfire@gentoo.org>2013-12-13 21:10:36 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2013-12-13 21:10:36 +0000
commitf82c5005d54e892e971e07ec44923dc3f31cd94c (patch)
treed70b1710a8f689085ff98a5d958bd2b1a3b7932e /sys-cluster
parentversion bump (diff)
fixes for CVE-2013-6419
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-cluster')
-rw-r--r--sys-cluster/nova/ChangeLog11
-rw-r--r--sys-cluster/nova/files/CVE-2013-6419_2013.1.4.patch129
-rw-r--r--sys-cluster/nova/files/CVE-2013-6419_2013.2.patch186
-rw-r--r--sys-cluster/nova/nova-2013.1.4-r2.ebuild (renamed from sys-cluster/nova/nova-2013.1.4-r1.ebuild)4
-rw-r--r--sys-cluster/nova/nova-2013.2-r1.ebuild126
-rw-r--r--sys-cluster/nova/nova-2013.2-r3.ebuild (renamed from sys-cluster/nova/nova-2013.2-r2.ebuild)5
6 files changed, 331 insertions, 130 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog
index 0c335ad2f862..af13d2e11ea1 100644
--- a/sys-cluster/nova/ChangeLog
+++ b/sys-cluster/nova/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for sys-cluster/nova
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.43 2013/12/03 20:14:39 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.44 2013/12/13 21:10:35 prometheanfire Exp $
+
+*nova-2013.2-r3 (13 Dec 2013)
+*nova-2013.1.4-r2 (13 Dec 2013)
+
+ 13 Dec 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/CVE-2013-6419_2013.1.4.patch, +files/CVE-2013-6419_2013.2.patch,
+ +nova-2013.1.4-r2.ebuild, +nova-2013.2-r3.ebuild, -nova-2013.1.4-r1.ebuild,
+ -nova-2013.2-r1.ebuild, -nova-2013.2-r2.ebuild:
+ fixes for CVE-2013-6419
03 Dec 2013; Matthew Thode <prometheanfire@gentoo.org> -nova-2013.2.ebuild,
nova-2013.2-r1.ebuild, nova-2013.2.9999.ebuild:
diff --git a/sys-cluster/nova/files/CVE-2013-6419_2013.1.4.patch b/sys-cluster/nova/files/CVE-2013-6419_2013.1.4.patch
new file mode 100644
index 000000000000..541b794899d0
--- /dev/null
+++ b/sys-cluster/nova/files/CVE-2013-6419_2013.1.4.patch
@@ -0,0 +1,129 @@
+commit d4155b806f52f2168742ceb37988fc7f405b44cd
+Author: Aaron Rosen <arosen@nicira.com>
+Date: Mon Oct 7 13:33:31 2013 -0700
+
+ Prevent spoofing instance_id from neturon to nova
+
+ Previously, one could update a port's device_id in neutron to be that
+ of another tenant's instance_id and then be able to retrieve that instance's
+ metadata. This patch prevents this from occuring by checking that X-Tenant-ID
+ received from the metadata request matches the tenant_id in the nova database.
+
+ DocImpact - This patch is dependent on another patch in neutron which adds
+ X-Tenant-ID to the request. Therefore to minimize downtime one
+ should upgrade Neutron first (then restart neutron-metadata-agent)
+ and lastly update nova.
+
+ Fixes bug: 1235450
+
+diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
+index bbaeba5..2b7f659 100644
+--- a/nova/api/metadata/handler.py
++++ b/nova/api/metadata/handler.py
+@@ -144,6 +144,7 @@ class MetadataRequestHandler(wsgi.Application):
+
+ def _handle_instance_id_request(self, req):
+ instance_id = req.headers.get('X-Instance-ID')
++ tenant_id = req.headers.get('X-Tenant-ID')
+ signature = req.headers.get('X-Instance-ID-Signature')
+ remote_address = req.headers.get('X-Forwarded-For')
+
+@@ -151,8 +152,12 @@ class MetadataRequestHandler(wsgi.Application):
+
+ if instance_id is None:
+ msg = _('X-Instance-ID header is missing from request.')
++ elif tenant_id is None:
++ msg = _('X-Tenant-ID header is missing from request.')
+ elif not isinstance(instance_id, basestring):
+ msg = _('Multiple X-Instance-ID headers found within request.')
++ elif not isinstance(tenant_id, basestring):
++ msg = _('Multiple X-Tenant-ID headers found within request.')
+ else:
+ msg = None
+
+@@ -188,4 +193,12 @@ class MetadataRequestHandler(wsgi.Application):
+ LOG.error(_('Failed to get metadata for instance id: %s'),
+ instance_id)
+
++ if meta_data.instance['project_id'] != tenant_id:
++ LOG.warning(_("Tenant_id %(tenant_id)s does not match tenant_id "
++ "of instance %(instance_id)s."),
++ {'tenant_id': tenant_id,
++ 'instance_id': instance_id})
++ # causes a 404 to be raised
++ meta_data = None
++
+ return meta_data
+diff --git a/nova/tests/test_metadata.py b/nova/tests/test_metadata.py
+index 01f274f..51b6f72 100644
+--- a/nova/tests/test_metadata.py
++++ b/nova/tests/test_metadata.py
+@@ -510,6 +510,7 @@ class MetadataHandlerTestCase(test.TestCase):
+ relpath="/2009-04-04/user-data",
+ address="192.192.192.2",
+ headers={'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+ self.assertEqual(response.status_int, 200)
+
+@@ -522,6 +523,7 @@ class MetadataHandlerTestCase(test.TestCase):
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Forwarded-For': '192.192.192.2',
+ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+
+ self.assertEqual(response.status_int, 200)
+@@ -536,10 +538,36 @@ class MetadataHandlerTestCase(test.TestCase):
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Forwarded-For': '192.192.192.2',
+ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': ''})
+
+ self.assertEqual(response.status_int, 403)
+
++ # missing X-Tenant-ID from request
++ response = fake_request(
++ self.stubs, self.mdinst,
++ relpath="/2009-04-04/user-data",
++ address="192.192.192.2",
++ fake_get_metadata_by_instance_id=fake_get_metadata,
++ headers={'X-Forwarded-For': '192.192.192.2',
++ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Instance-ID-Signature': signed})
++
++ self.assertEqual(response.status_int, 400)
++
++ # mismatched X-Tenant-ID
++ response = fake_request(
++ self.stubs, self.mdinst,
++ relpath="/2009-04-04/user-data",
++ address="192.192.192.2",
++ fake_get_metadata_by_instance_id=fake_get_metadata,
++ headers={'X-Forwarded-For': '192.192.192.2',
++ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'FAKE',
++ 'X-Instance-ID-Signature': signed})
++
++ self.assertEqual(response.status_int, 404)
++
+ # without X-Forwarded-For
+ response = fake_request(
+ self.stubs, self.mdinst,
+@@ -547,6 +575,7 @@ class MetadataHandlerTestCase(test.TestCase):
+ address="192.192.192.2",
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+
+ self.assertEqual(response.status_int, 500)
+@@ -564,6 +593,7 @@ class MetadataHandlerTestCase(test.TestCase):
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Forwarded-For': '192.192.192.2',
+ 'X-Instance-ID': 'z-z-z-z',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+ self.assertEqual(response.status_int, 500)
+
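Review bot: The new tenant comparison `if meta_data.instance['project_id'] != tenant_id:` in handler.py is reached even when meta_data is None, because the not-found branch just above it only logs and does not return (the `if meta_data is None:` guard is visible in the 2013.2 patch; in this one only its LOG.error line is in context). A lookup that finds no instance would then presumably fail on the attribute access and surface as a 500 instead of the 404 the inline comment intends. Chaining the check as `elif meta_data.instance['project_id'] != tenant_id:` keeps the not-found path intact. The identical line in CVE-2013-6419_2013.2.patch needs the same change. The body of _handle_instance_id_request starts outside this hunk.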
diff --git a/sys-cluster/nova/files/CVE-2013-6419_2013.2.patch b/sys-cluster/nova/files/CVE-2013-6419_2013.2.patch
new file mode 100644
index 000000000000..1dcfe1b9b68f
--- /dev/null
+++ b/sys-cluster/nova/files/CVE-2013-6419_2013.2.patch
@@ -0,0 +1,186 @@
+commit 2a95eee992b66cd65e401e31785c080f811476cf
+Author: Aaron Rosen <arosen@nicira.com>
+Date: Mon Oct 7 13:33:31 2013 -0700
+
+ Prevent spoofing instance_id from neturon to nova
+
+ Previously, one could update a port's device_id in neutron to be that
+ of another tenant's instance_id and then be able to retrieve that instance's
+ metadata. This patch prevents this from occuring by checking that X-Tenant-ID
+ received from the metadata request matches the tenant_id in the nova database.
+
+ DocImpact - This patch is dependent on another patch in neutron which adds
+ X-Tenant-ID to the request. Therefore to minimize downtime one
+ should upgrade Neutron first (then restart neutron-metadata-agent)
+ and lastly update nova.
+
+ Fixes bug: 1235450
+
+diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
+index 27f4d4e..7ac9023 100644
+--- a/nova/api/metadata/handler.py
++++ b/nova/api/metadata/handler.py
+@@ -140,29 +140,34 @@ class MetadataRequestHandler(wsgi.Application):
+ 'Please try your request again.')
+ raise webob.exc.HTTPInternalServerError(explanation=unicode(msg))
+
+ if meta_data is None:
+ LOG.error(_('Failed to get metadata for ip: %s'), remote_address)
+
+ return meta_data
+
+ def _handle_instance_id_request(self, req):
+ instance_id = req.headers.get('X-Instance-ID')
++ tenant_id = req.headers.get('X-Tenant-ID')
+ signature = req.headers.get('X-Instance-ID-Signature')
+ remote_address = req.headers.get('X-Forwarded-For')
+
+ # Ensure that only one header was passed
+
+ if instance_id is None:
+ msg = _('X-Instance-ID header is missing from request.')
++ elif tenant_id is None:
++ msg = _('X-Tenant-ID header is missing from request.')
+ elif not isinstance(instance_id, basestring):
+ msg = _('Multiple X-Instance-ID headers found within request.')
++ elif not isinstance(tenant_id, basestring):
++ msg = _('Multiple X-Tenant-ID headers found within request.')
+ else:
+ msg = None
+
+ if msg:
+ raise webob.exc.HTTPBadRequest(explanation=msg)
+
+ expected_signature = hmac.new(
+ CONF.neutron_metadata_proxy_shared_secret,
+ instance_id,
+ hashlib.sha256).hexdigest()
+@@ -188,11 +193,19 @@ class MetadataRequestHandler(wsgi.Application):
+ LOG.exception(_('Failed to get metadata for instance id: %s'),
+ instance_id)
+ msg = _('An unknown error has occurred. '
+ 'Please try your request again.')
+ raise webob.exc.HTTPInternalServerError(explanation=unicode(msg))
+
+ if meta_data is None:
+ LOG.error(_('Failed to get metadata for instance id: %s'),
+ instance_id)
+
++ if meta_data.instance['project_id'] != tenant_id:
++ LOG.warning(_("Tenant_id %(tenant_id)s does not match tenant_id "
++ "of instance %(instance_id)s."),
++ {'tenant_id': tenant_id,
++ 'instance_id': instance_id})
++ # causes a 404 to be raised
++ meta_data = None
++
+ return meta_data
+diff --git a/nova/tests/test_metadata.py b/nova/tests/test_metadata.py
+index 50f0d07..e75b51f 100644
+--- a/nova/tests/test_metadata.py
++++ b/nova/tests/test_metadata.py
+@@ -594,74 +594,104 @@ class MetadataHandlerTestCase(test.TestCase):
+ CONF.neutron_metadata_proxy_shared_secret,
+ expected_instance_id,
+ hashlib.sha256).hexdigest()
+
+ # try a request with service disabled
+ response = fake_request(
+ self.stubs, self.mdinst,
+ relpath="/2009-04-04/user-data",
+ address="192.192.192.2",
+ headers={'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+ self.assertEqual(response.status_int, 200)
+
+ # now enable the service
+ self.flags(service_neutron_metadata_proxy=True)
+ response = fake_request(
+ self.stubs, self.mdinst,
+ relpath="/2009-04-04/user-data",
+ address="192.192.192.2",
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Forwarded-For': '192.192.192.2',
+ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+
+ self.assertEqual(response.status_int, 200)
+ self.assertEqual(response.body,
+ base64.b64decode(self.instance['user_data']))
+
+ # mismatched signature
+ response = fake_request(
+ self.stubs, self.mdinst,
+ relpath="/2009-04-04/user-data",
+ address="192.192.192.2",
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Forwarded-For': '192.192.192.2',
+ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': ''})
+
+ self.assertEqual(response.status_int, 403)
+
++ # missing X-Tenant-ID from request
++ response = fake_request(
++ self.stubs, self.mdinst,
++ relpath="/2009-04-04/user-data",
++ address="192.192.192.2",
++ fake_get_metadata_by_instance_id=fake_get_metadata,
++ headers={'X-Forwarded-For': '192.192.192.2',
++ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Instance-ID-Signature': signed})
++
++ self.assertEqual(response.status_int, 400)
++
++ # mismatched X-Tenant-ID
++ response = fake_request(
++ self.stubs, self.mdinst,
++ relpath="/2009-04-04/user-data",
++ address="192.192.192.2",
++ fake_get_metadata_by_instance_id=fake_get_metadata,
++ headers={'X-Forwarded-For': '192.192.192.2',
++ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'FAKE',
++ 'X-Instance-ID-Signature': signed})
++
++ self.assertEqual(response.status_int, 404)
++
+ # without X-Forwarded-For
+ response = fake_request(
+ self.stubs, self.mdinst,
+ relpath="/2009-04-04/user-data",
+ address="192.192.192.2",
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+
+ self.assertEqual(response.status_int, 500)
+
+ # unexpected Instance-ID
+ signed = hmac.new(
+ CONF.neutron_metadata_proxy_shared_secret,
+ 'z-z-z-z',
+ hashlib.sha256).hexdigest()
+
+ response = fake_request(
+ self.stubs, self.mdinst,
+ relpath="/2009-04-04/user-data",
+ address="192.192.192.2",
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Forwarded-For': '192.192.192.2',
+ 'X-Instance-ID': 'z-z-z-z',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+ self.assertEqual(response.status_int, 500)
+
+
+ class MetadataPasswordTestCase(test.TestCase):
+ def setUp(self):
+ super(MetadataPasswordTestCase, self).setUp()
+ fake_network.stub_out_nw_api_get_instance_nw_info(self.stubs)
+ self.instance = copy.copy(INSTANCES[0])
+ self.instance['system_metadata'] = get_default_sys_meta()
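Review bot: The X-Tenant-ID value read in `_handle_instance_id_request` is compared with the instance's project_id, but it is not covered by the HMAC shown in the context lines, which is computed over `instance_id` alone. The tenant check therefore depends on the metadata proxy being the only party that can set that header, and the code should say so next to `tenant_id = req.headers.get('X-Tenant-ID')`, for example `# X-Tenant-ID is supplied by the neutron metadata proxy and is not part of the signed data`. The signature comparison itself sits between the two handler.py hunks and is not visible here, so how it is performed cannot be judged from this diff.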
diff --git a/sys-cluster/nova/nova-2013.1.4-r1.ebuild b/sys-cluster/nova/nova-2013.1.4-r2.ebuild
index e2a1d44941e4..f9b1429d40ae 100644
--- a/sys-cluster/nova/nova-2013.1.4-r1.ebuild
+++ b/sys-cluster/nova/nova-2013.1.4-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.1.4-r1.ebuild,v 1.1 2013/11/17 22:35:55 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.1.4-r2.ebuild,v 1.1 2013/12/13 21:10:35 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -73,6 +73,7 @@ PATCHES=(
"${FILESDIR}/CVE-2013-4463_4469-grizzly.patch"
"${FILESDIR}/CVE-2013-4497-grizzly-1.patch"
"${FILESDIR}/CVE-2013-4497-grizzly-2.patch"
+ "${FILESDIR}/CVE-2013-6419_2013.1.4.patch"
)
pkg_setup() {
@@ -82,6 +83,7 @@ pkg_setup() {
src_prepare() {
sed -i 's/setuptools_git>=0.4//g' "${S}/setup.py"
+ distutils-r1_src_prepare
}
#python_test() {
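Review bot: The added `distutils-r1_src_prepare` call in src_prepare needs a comment, because it is what applies the PATCHES array once src_prepare is overridden; dropping it later would silently skip every CVE patch listed above. Something like `# distutils-r1_src_prepare applies PATCHES; keep this call when overriding src_prepare` would do. If -r1 lacked the call, as this hunk suggests, the earlier CVE-2013-4463/4469/4497 patches may not have been applied in that revision, which would be worth recording in the ChangeLog entry. The context line `sed -i ... "${S}/setup.py"` also has no `|| die`, so a failed edit would go unnoticed. Whether nova-2013.2-r3.ebuild overrides src_prepare is not visible in this diff and should be checked the same way.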
diff --git a/sys-cluster/nova/nova-2013.2-r1.ebuild b/sys-cluster/nova/nova-2013.2-r1.ebuild
deleted file mode 100644
index 7e5ed6f3a653..000000000000
--- a/sys-cluster/nova/nova-2013.2-r1.ebuild
+++ /dev/null
@@ -1,126 +0,0 @@
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2-r1.ebuild,v 1.5 2013/12/03 20:14:39 prometheanfire Exp $
-
-EAPI=5
-PYTHON_COMPAT=( python2_7 )
-
-inherit distutils-r1 eutils multilib
-
-DESCRIPTION="Nova is a cloud computing fabric controller (main part of an
-IaaS system). It is written in Python."
-HOMEPAGE="https://launchpad.net/nova"
-SRC_URI="http://launchpad.net/${PN}/havana/${PV}/+download/${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="+api +cert +compute +conductor +consoleauth +kvm +network +novncproxy +scheduler +spicehtml5proxy +xvpvncproxy sqlite mysql postgres xen"
-REQUIRED_USE="|| ( mysql postgres sqlite )
- || ( kvm xen )"
-
-DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
- >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
- <dev-python/pbr-1.0[${PYTHON_USEDEP}]
- app-admin/sudo"
-RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[sqlite,${PYTHON_USEDEP}] )
- mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[mysql,${PYTHON_USEDEP}] )
- postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[postgres,${PYTHON_USEDEP}] )
- >=dev-python/amqplib-0.6.1[${PYTHON_USEDEP}]
- >=dev-python/anyjson-0.3.3[${PYTHON_USEDEP}]
- virtual/python-argparse[${PYTHON_USEDEP}]
- >=dev-python/boto-2.4.0[${PYTHON_USEDEP}]
- !~dev-python/boto-2.13.0[${PYTHON_USEDEP}]
- >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
- dev-python/jinja[${PYTHON_USEDEP}]
- >=dev-python/kombu-2.4.8[${PYTHON_USEDEP}]
- >=dev-python/lxml-2.3[${PYTHON_USEDEP}]
- >=dev-python/routes-1.12.3-r1[${PYTHON_USEDEP}]
- >=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
- <dev-python/webob-1.3[${PYTHON_USEDEP}]
- >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
- >=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
- dev-python/paste[${PYTHON_USEDEP}]
- >=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}]
- dev-python/netaddr[${PYTHON_USEDEP}]
- >=dev-python/suds-0.4[${PYTHON_USEDEP}]
- >=dev-python/paramiko-1.8.0[${PYTHON_USEDEP}]
- dev-python/pyasn1[${PYTHON_USEDEP}]
- >=dev-python/Babel-0.9.6[${PYTHON_USEDEP}]
- >=dev-python/iso8601-0.1.4[${PYTHON_USEDEP}]
- >=dev-python/python-cinderclient-1.0.5[${PYTHON_USEDEP}]
- >=dev-python/python-neutronclient-2.3.0[${PYTHON_USEDEP}]
- <=dev-python/python-neutronclient-3.0.0[${PYTHON_USEDEP}]
- >=dev-python/python-glanceclient-0.9.0[${PYTHON_USEDEP}]
- >=dev-python/python-keystoneclient-0.3.2[${PYTHON_USEDEP}]
- >=dev-python/stevedore-0.10[${PYTHON_USEDEP}]
- >=dev-python/websockify-0.5.1[${PYTHON_USEDEP}]
- <dev-python/websockify-0.6[${PYTHON_USEDEP}]
- >=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
- dev-python/libvirt-python[${PYTHON_USEDEP}]
- novncproxy? ( www-apps/novnc )
- sys-apps/iproute2
- net-misc/openvswitch
- sys-fs/sysfsutils
- sys-fs/multipath-tools
- kvm? ( app-emulation/qemu )
- xen? ( app-emulation/xen
- app-emulation/xen-tools )"
-
-PATCHES=(
-)
-
-pkg_setup() {
- enewgroup nova
- enewuser nova -1 -1 /var/lib/nova nova
-}
-
-python_install() {
- distutils-r1_python_install
- newconfd "${FILESDIR}/nova-confd" "nova"
- newinitd "${FILESDIR}/nova-initd" "nova"
- use api && dosym /etc/init.d/nova /etc/init.d/nova-api
- use cert && dosym /etc/init.d/nova /etc/init.d/nova-cert
- use compute && dosym /etc/init.d/nova /etc/init.d/nova-compute
- use conductor && dosym /etc/init.d/nova /etc/init.d/nova-conductor
- use consoleauth && dosym /etc/init.d/nova /etc/init.d/nova-consoleauth
- use network && dosym /etc/init.d/nova /etc/init.d/nova-network
- use novncproxy &&dosym /etc/init.d/nova /etc/init.d/nova-novncproxy
- use scheduler && dosym /etc/init.d/nova /etc/init.d/nova-scheduler
- use spicehtml5proxy && dosym /etc/init.d/nova /etc/init.d/nova-spicehtml5proxy
- use xvpvncproxy && dosym /etc/init.d/nova /etc/init.d/nova-xvpncproxy
-
- diropts -m 0750
- dodir /var/run/nova /var/log/nova /var/lock/nova
- fowners nova:nova /var/log/nova /var/lock/nova /var/run/nova
-
- diropts -m 0755
- dodir /var/lib/nova/instances
- fowners nova:nova /var/lib/nova/instances
-
- keepdir /etc/nova
- insinto /etc/nova
- newins "etc/nova/nova.conf.sample" "nova.conf"
- doins "etc/nova/api-paste.ini"
- doins "etc/nova/logging_sample.conf"
- doins "etc/nova/policy.json"
- doins "etc/nova/rootwrap.conf"
- insinto /etc/nova/rootwrap.d
- doins "etc/nova/rootwrap.d/api-metadata.filters"
- doins "etc/nova/rootwrap.d/compute.filters"
- doins "etc/nova/rootwrap.d/network.filters"
-
- #copy migration conf file (not coppied on install via setup.py script)
- insinto /usr/$(get_libdir)/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/
- doins "nova/db/sqlalchemy/migrate_repo/migrate.cfg"
-
- #copy the CA cert dir (not coppied on install via setup.py script)
- cp -R "${S}/nova/CA" "${D}/usr/$(get_libdir)/python2.7/site-packages/nova/" || die "isntalling CA files failed"
-
- #add sudoers definitions for user nova
- insinto /etc/sudoers.d/
- doins "${FILESDIR}/nova-sudoers"
-}
diff --git a/sys-cluster/nova/nova-2013.2-r2.ebuild b/sys-cluster/nova/nova-2013.2-r3.ebuild
index 88bab45e4644..fe1912f5f7ce 100644
--- a/sys-cluster/nova/nova-2013.2-r2.ebuild
+++ b/sys-cluster/nova/nova-2013.2-r3.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2-r2.ebuild,v 1.2 2013/11/30 12:46:49 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2-r3.ebuild,v 1.1 2013/12/13 21:10:35 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -60,7 +60,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
>=dev-python/websockify-0.5.1[${PYTHON_USEDEP}]
<dev-python/websockify-0.6[${PYTHON_USEDEP}]
>=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
- app-emulation/libvirt[${PYTHON_USEDEP}]
+ dev-python/libvirt-python[${PYTHON_USEDEP}]
novncproxy? ( www-apps/novnc )
sys-apps/iproute2
net-misc/openvswitch
@@ -72,6 +72,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
PATCHES=(
"${FILESDIR}/CVE-2013-4463_4469-havana.patch"
+ "${FILESDIR}/CVE-2013-6419_2013.2.patch"
)
pkg_setup() {