-rw-r--r-- | sys-cluster/nova/ChangeLog | 9 | ||||
-rw-r--r-- | sys-cluster/nova/Manifest | 32 | ||||
-rw-r--r-- | sys-cluster/nova/files/2012.2.4-CVE-2013-2256.patch | 327 | ||||
-rw-r--r-- | sys-cluster/nova/files/2012.2.4-CVE-2013-4185.patch | 101 | ||||
-rw-r--r-- | sys-cluster/nova/nova-2012.2.4-r4.ebuild (renamed from sys-cluster/nova/nova-2012.2.4-r3.ebuild) | 4 |
5 files changed, 456 insertions, 17 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog index af2594654b12..6b62259baea0 100644 --- a/sys-cluster/nova/ChangeLog +++ b/sys-cluster/nova/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for sys-cluster/nova # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.18 2013/08/11 01:24:31 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.19 2013/08/11 03:48:28 prometheanfire Exp $ + +*nova-2012.2.4-r4 (11 Aug 2013) + + 11 Aug 2013; Matthew Thode <prometheanfire@gentoo.org> + +files/2012.2.4-CVE-2013-2256.patch, +files/2012.2.4-CVE-2013-4185.patch, + +nova-2012.2.4-r4.ebuild, -nova-2012.2.4-r3.ebuild: + nova-folsom fixes for bug 480048 *nova-2013.1.3 (11 Aug 2013) diff --git a/sys-cluster/nova/Manifest b/sys-cluster/nova/Manifest index 858d5d5c6b3c..ee3a0bdb9f7b 100644 --- a/sys-cluster/nova/Manifest +++ b/sys-cluster/nova/Manifest 
@@ -1,31 +1,33 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 +AUX 2012.2.4-CVE-2013-2256.patch 14502 SHA256 752d430cfda003c42877c16638b8eefbfd1632ca9845e229d40aa0811e203d6f SHA512 51091d2cb4d352ed6f996ee7b261361d6eac51bc9a69c33f9e0c03810fb2da607173331275494517e8bb12c9ba14aaad448b80826ea8f7be0db880e9b1f9d4ec WHIRLPOOL 287ab4cddc376101b0d70c789de635efa18da847e104a7953ff0cafd4bf5f12394abdac457d376d3d0cd7f7ba8d06e2435151d17869db27381f0940f1e5ae937 +AUX 2012.2.4-CVE-2013-4185.patch 4519 SHA256 f2665d38ffc294a53a41f2ca4a83768ed406da5679212919a311648dc1b53b1e SHA512 8a4fd266524a1d297079637e35cacf219b03533bdea5d3279152b898dc473d75c6be91311d21a27f58179246b6337a61de79477655d29ce2319556bf52fbbbc2 WHIRLPOOL ad97c81fe752edcf205b41db1dbb1173b66cc81583134da5a56a7966dcb48dfbe450a869d953946a5be979f915e8ca288b890df0176a3e393ff8ad0fd55147c0 AUX nova-folsom-4-CVE-2013-2030.patch 1303 SHA256 55ee950de12d27420762b99514a56075bcaf866eb4352dfc038a56eaa2f458f9 SHA512 1dade2e76f559fed97be0259ab1bf16404ee86fcd2039f1e4df78ecf0ddc9cd2ccd8cbb557f4194bc949bc2d9634abef4939f1fbd564ee73def997ce759f6dc3 WHIRLPOOL 45cef89069302b3d73da205600201620115364a5e4d9dc7c850073aed03baff3a731126308ab2ba75d16677d7e32cd17d780640aa8571a753bf797ae664924d1 AUX nova-folsom-4-CVE-2013-2096.patch 4545 SHA256 b7203f3d380b3d545259060872933e38d40a53b1e9081ab8b93f623fb2a30115 SHA512 f97c4330f4cd8433b150390f22194e86fccf50ecd9300f1b3692e07e3a8b53ee4ec844f191ea28a75298535c66f11aed77c6cb8fb8624b382a793d05e683bc68 WHIRLPOOL 4460bf65d8bffe03f8a4518a99f81f86f6c2f11ce8c6d1ce6ff03ce836da247dc6c8bed73e875a3b47427970291a10d6f34be5b056c4c7fef505ca2bab0b18ed AUX nova-grizzly-1-CVE-2013-2096.patch 4019 SHA256 d20b89067fb63f4d37ebc5c258841c3d18bd9e4e59c455f247f8df1a25973be6 SHA512 e4b80eaf8260765534d1a69c1c3883c794e611ac17acf299443b519c09503f0f063bc2ea1b090e1519e30ef3afa84253ce0e2603a764001556e52c6b09bfc814 WHIRLPOOL 
44215c9e48d06976ba372421b5de29083a72172f1f02a84649eecd1dff675ecbdde9be69851ca10fe194346ad750e900c1dafa0ea4be8799c4bf055126bd18e7 DIST nova-2012.2.4.tar.gz 6286004 SHA256 883a44282514b484a1187c07875834b9c4648555bf20002aceb1d6731ebd0252 SHA512 c05705c7802035232921e7ca9cdcea05571f4771dae573f9364b740553e470d8e4b4e832bf04120c089bad48a75b8493921eefeb28383f70620495a935ad6ec3 WHIRLPOOL 9e8c56b1a66f15f5f6218413e1cd518a0e73f371baea774023a11ad38abccae3e172ec0894fd77f59848685d1993451499916b94c62289d16f57470005e7c123 DIST nova-2013.1.3.tar.gz 5780115 SHA256 f7c25186920daccb16867c5fd272318beb8cc076e5a55f79b5906618ef2724f4 SHA512 3de29f1cf0789285c7600796588058f056d4196138584bb5ec13a0ea034bbc0569d116a668db67022e302b29995af5960093af1103996269d73dccd62a5dd238 WHIRLPOOL ebb06733a710764004f99da2a69d5479cdd50e35da6d0992233ab9ca0a7a5854a678c5d184d40f97a66fa3abd052b1e6de4629963dd58292f677707997e56239 -EBUILD nova-2012.2.4-r3.ebuild 2674 SHA256 f6bcba48b87962a3d690062fb4b11f5d65bc2ebcd2fec0da184603874c171508 SHA512 25c827a591ec3631278e1479f49373e3f4b086b3eb6c09eda595d364f938ff12e4141898ad0078ac4c56415d3e62a106a0651a9bcd95c858f10c8f6a20566a32 WHIRLPOOL e5149bb51ed417d78a09a2cff7bf7adba6bb7bbd1b9a8ca2c91de10ed42c3feffaebf145872786991429cf4e017ae8d93ccde7fdc8348d5ee08905b8878dc4e5 +EBUILD nova-2012.2.4-r4.ebuild 2762 SHA256 f578262367bc70a2983584a6830bba01a9eed520cbc01725941fa6a47a1ab074 SHA512 be1f5a55ddfb50354b9b7457ca14bd984e20202355b159ba2fcee18b53c79c37afdaf7a89bfb9f564441d61acb2ce6c9bde780500d3ffcaac14b31c82a39413d WHIRLPOOL 4253d166cb8d1fb2c848f42c20f33bf8074da6e927fc826b4729a73e81362268db379bd4806317215fb14320ace441fb59d6a181dc5f8726f15e880a9a682cb2 EBUILD nova-2013.1.3.ebuild 2973 SHA256 93b6e95df61e8e314c86b20407dc88e5e8b9cbb2775adeb1b81c830172384099 SHA512 2f559ce1c4f9807592667bf9a580751661dc6dd106b9c49943157f74ef0164ded0fc055a914c30d67c833d719f4db0fe9c5cc0a288fb06c73ff44fc2339a8c1b WHIRLPOOL 
e08b44371408e5ad63e8ee1ccf447c24259c2133ed1882e5a82ddee2ded50d8e8853ea563d76c4802721b42da263a01a08de876ea03ce0acb5fa28b5a88beaf1 EBUILD nova-2013.1.9999.ebuild 3051 SHA256 0ed811ea3b5e30e584ad87c3f008eaad7ede6631e638f0ff8f62af3d537f026d SHA512 db6bdde3a992ff771f1c66c610b103fe1a9d9217379e28858185be2fb446d71149876d02582074d66f0731c61c31ac71b8732b8c0f8d4d71cce476b0d89876b1 WHIRLPOOL f284f7493e755eb12f4d99568097e120d19a4fd6c87f962095a203819d5e0d5bc65af3eaf16d5af48416aa7d71e44bf0334e475c7a95d160fbadb79d8ae35d2c EBUILD nova-9999.ebuild 3025 SHA256 e0702a7f45a0c37359aa3eaec1ad824dc4f11cb951a79f2d01ee2e3bf37dafd5 SHA512 cf1720edd1b2d0e1a2406b912a029d27110d0148ffcff179762678341dfc05be4eea79ac3e6a86dfe1c40c48821b4f6edc8553c2ff0a04f05296f5941ee25f4a WHIRLPOOL cf3bdf79241d5d32301bb6deae1fe91f604ee2186b79dab1715f8a75e235e8bab3834eda2c57cd2e06961becc14c3dcedbe2aae0db1ce96a97ca1adefd5dfcd4 -MISC ChangeLog 4155 SHA256 758fbf9f8935f539233553fbaad7a2ceccbcc3bbe9b8dad0b09584df964a4568 SHA512 9637929c9c11518bda7df0edbc3de4e6c94752af2e59e52946c87aeddcecf5ddf586709ca87b357292454de1dc0f9c8f9873e12014c1c0331580fdb007147acb WHIRLPOOL 84db03dcf42256a0ffe5665b8a6a5551bf21f3d5e786e3caf9e562ffd4536b511b470dad692bde8c6b6f7c28078aaf7c4a850625283e9beaca9db00a9766fc02 +MISC ChangeLog 4411 SHA256 3e17411a198263af3de14f3d209687907967e7f9ac07444c1d3e5476803baed5 SHA512 f48414d7ed8c69c99ecadbb7760ed05127d96c30ac531dcf1b425f2db5c7677e25baf6950c31a219654e138f3e197ae9d6b1861584aa9f7260468a324e7e0547 WHIRLPOOL 4aa63af1c43827bf987958b60820178c8927e3627361f00b5469c68d853616de321d3f0d55d22b3ddfebc8f3526ecdee081853d032dc0770714cec41f237b27e MISC metadata.xml 407 SHA256 87ac581ad3af018ee16b2c5a8dbc98553ad93fc48bf5cfd62a6f929353049e77 SHA512 4ae00a6fc5411c1795249864317143787b31cb068fb1508f8a1455fd6194254961cca80256e0b437dc131560126cdf5a59d98a5a5064ac49c6e43c1651718a4a WHIRLPOOL 52b178c072593baea26fa3d7e9c06aac003d1a828ffa98de712306f60eeddba92271bc6061d7224a76ac35fa3c1da33213983e998160acf92a6d7027b284bcc0 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (GNU/Linux) -iQIcBAEBCAAGBQJSBugKAAoJECRx6z5ArFrDYc8P/RRIKC+3fzEVrKThXls3s5vN -j8FTRfIcTEQuziA50k/sfHu0IcQymzOIUqi/wE0lmXDaFqr+G23d06rmAvXqA2Lu -efRhMxT9og7fdGtCzqEq+aIPXCUo9hx2OggEjDjXb6Khwvvf+BFwM5XiSo+L6+4z -9dc1FN219QP+LbOKgeYB7R2BSvVkyLEOYdh0H2bynb6A0TAIyzU6YWXrA/M8s9An -mDShKNH/aC7ejXGaUPBHP92NpYprEUpR+2nmOKO7xUFwWghbH/pqTiT43IQI0bPA -T/1tLiVg+U7rEKXtgBgyZBmnh4GTTWWOpzKW0FWU0Vpk12+4dt8aJl6K/nKkck55 -s73NZua/C55Yfs+Vcq5+98S8WtEJULcIQ8F5+PJp5MXZwEcvhumvGbnwnYp0PjxG -KQu6256kJSasO0s8tuEwn7GyHVDar02gC87FMpc4pQiK+GF21lc3jJcmVucPThAp -OMEOHAIwBDD2VX/fKUL/p6RTVfr6lNRhfh8ms5+/oJAWFZEgwz850M5pma4yVbKv -PAm6A6eS3VhhmlnNJyJJ4WFPctnQwQlx9FhTz0azL2oZ+ZnDcx/XB/jYZfc8Rhov -VwJ4am4JLU6O6t3iIs3bZI8MIc2Ngf2lGNYPnDuhYtcEBhcnySKWaLlnZlvlUSpp -Gew7c/TJuF2CxQjnzQ8F -=akAU +iQIcBAEBCAAGBQJSBwnHAAoJECRx6z5ArFrDVk8P/0yBUNuQzroUZbtioLjifKGb +WusrTx3lQ7xtujGPXuC5BgbtaOsQ0uyv4zZOxv7ki9MC4kSvHoDILrndJNK5uTtq +JsiCk56k6I8oi/vdcT/wo0lcfp45/V9+Pe3gZ8dmql/yJwqxD8gv1KtXAKy3tqM/ +htTDZJrjxFdYrK0i5yxsxk3KL6pDkZXO1Vc1N4QpVMDBzFoUZcZjZauCNabtFW2V +NhmKsMXpnqYYdExy/3y1J+nHxVzWrAdQLVKdG9Vr2UpIfaJ+OkK8cnIr4VWdo81c +CEQ9KXwB7+lDH0gIw5+fi0QVXdvEihhp1m9hVxW5kpXMtDHyhSA0tbPi2uGUCZwZ +JqvfaAVjjCD0TiU2lHG1x2GRV266oAx4bKQh49CYsCoZpKIYLLhpMULsQDJfHb9F +YX4ZGx+gdcc6GWMg1YwTTyTkRPUuS5igp85GK7IXmKNXgH3PSB+6vnZkBjjlxuCB +T/N0/AynLUo390eyDdl/7v711TjRLY8EuRc1H8W+4F0/avp0RGap9O8hOoPFWuqQ +nQ0vpwlc1iKpqyWvLDqArxSBN3r5sGeGvo9lYpLxbxY0mL7Dini7pZyaz8g45hoP +B36+vS9jSRRSR+5SY05UQPBr8fu/YcpxsfmjFcjlLO5Wfm/RlLKxpQMn+lqdJR9n +/2rneLwm/ograeoQW8M6 +=4X4W -----END PGP SIGNATURE----- diff --git a/sys-cluster/nova/files/2012.2.4-CVE-2013-2256.patch b/sys-cluster/nova/files/2012.2.4-CVE-2013-2256.patch new file mode 100644 index 000000000000..7b2f90663a8c --- /dev/null +++ b/sys-cluster/nova/files/2012.2.4-CVE-2013-2256.patch 
@@ -0,0 +1,327 @@ +From f7aaf1fa04331522aee2158e372940df92f45cb0 Mon Sep 17 00:00:00 2001 +From: Russell Bryant <rbryant@redhat.com> +Date: Thu, 27 Jun 2013 21:00:05 +0000 +Subject: [PATCH] Make flavors is_public option actually work + +When you create a flavor, you can set an is_public flag to be True or +False. It is True by default. When False, the intention is that the +flavor is only accessible by an admin, unless you use the flavor_access +API extension to grant access to specific tenants. + +Unfortunately, the only place in the code where this was being enforced +was when listing flavors through the API. It would filter out the +non-public ones for a non-admin. Otherwise, the flavor was accessible. +You could get the details, and you could boot an instance with it, if +you figured out a valid flavor ID. + +This patch adds enforcement down in the db layer. It also fixes one +place in the API where the context wasn't passed down to enable the +enforcement to happen. + +Fix bug 1194093. 
+ +master -> grizzly +(cherry picked from commit b65d506a5f9d9b2b20777a9aceb44a8ffed6a5de) + +Conflicts: + nova/api/openstack/compute/contrib/flavor_access.py + nova/api/openstack/compute/contrib/flavormanage.py + nova/api/openstack/compute/flavors.py + nova/compute/api.py + nova/db/sqlalchemy/api.py + nova/tests/api/openstack/compute/contrib/test_flavor_access.py + nova/tests/api/openstack/compute/contrib/test_flavor_disabled.py + nova/tests/api/openstack/compute/contrib/test_flavor_manage.py + nova/tests/api/openstack/compute/contrib/test_flavor_rxtx.py + nova/tests/api/openstack/compute/contrib/test_flavor_swap.py + nova/tests/api/openstack/compute/contrib/test_flavorextradata.py + nova/tests/api/openstack/compute/test_flavors.py + nova/tests/db/test_db_api.py + +grizzly -> folsom +(cherry picked from commit 6df1b7a2a1413a98bffc8b8e0b947f3c90e3bbf5) + +Conflicts: + nova/db/sqlalchemy/api.py + nova/tests/api/openstack/compute/test_flavors.py + +Change-Id: I5b37fa0bb19683fe1642fd81222547d4a317054e +--- + .../api/openstack/compute/contrib/flavor_access.py | 3 ++- + nova/api/openstack/compute/contrib/flavormanage.py | 2 +- + nova/api/openstack/compute/flavors.py | 4 +++- + nova/compute/api.py | 2 +- + nova/compute/instance_types.py | 2 +- + nova/db/api.py | 4 ++-- + nova/db/sqlalchemy/api.py | 26 +++++++++++++++------- + .../compute/contrib/test_flavor_access.py | 2 +- + .../compute/contrib/test_flavor_disabled.py | 2 +- + .../compute/contrib/test_flavor_manage.py | 3 ++- + .../openstack/compute/contrib/test_flavor_rxtx.py | 2 +- + .../openstack/compute/contrib/test_flavor_swap.py | 2 +- + .../compute/contrib/test_flavorextradata.py | 2 +- + nova/tests/api/openstack/compute/test_flavors.py | 4 ++-- + 14 files changed, 37 insertions(+), 23 deletions(-) + +diff --git a/nova/api/openstack/compute/contrib/flavor_access.py b/nova/api/openstack/compute/contrib/flavor_access.py +index 9991408..26cd77f 100644 +--- a/nova/api/openstack/compute/contrib/flavor_access.py ++++ 
b/nova/api/openstack/compute/contrib/flavor_access.py +@@ -99,7 +99,8 @@ class FlavorAccessController(object): + authorize(context) + + try: +- flavor = instance_types.get_instance_type_by_flavor_id(flavor_id) ++ flavor = instance_types.get_instance_type_by_flavor_id(flavor_id, ++ ctxt=context) + except exception.FlavorNotFound: + explanation = _("Flavor not found.") + raise webob.exc.HTTPNotFound(explanation=explanation) +diff --git a/nova/api/openstack/compute/contrib/flavormanage.py b/nova/api/openstack/compute/contrib/flavormanage.py +index e7731cc..79551b1 100644 +--- a/nova/api/openstack/compute/contrib/flavormanage.py ++++ b/nova/api/openstack/compute/contrib/flavormanage.py +@@ -43,7 +43,7 @@ class FlavorManageController(wsgi.Controller): + + try: + flavor = instance_types.get_instance_type_by_flavor_id( +- id, read_deleted="no") ++ id, ctxt=context, read_deleted="no") + except exception.NotFound, e: + raise webob.exc.HTTPNotFound(explanation=e.format_message()) + +diff --git a/nova/api/openstack/compute/flavors.py b/nova/api/openstack/compute/flavors.py +index 8aa57a2..d51b48a 100644 +--- a/nova/api/openstack/compute/flavors.py ++++ b/nova/api/openstack/compute/flavors.py +@@ -84,7 +84,9 @@ class Controller(wsgi.Controller): + def show(self, req, id): + """Return data about the given flavor id.""" + try: +- flavor = instance_types.get_instance_type_by_flavor_id(id) ++ context = req.environ['nova.context'] ++ flavor = instance_types.get_instance_type_by_flavor_id(id, ++ ctxt=context) + req.cache_db_flavor(flavor) + except exception.NotFound: + raise webob.exc.HTTPNotFound() +diff --git a/nova/compute/api.py b/nova/compute/api.py +index 5319d04..ca78830 100644 +--- a/nova/compute/api.py ++++ b/nova/compute/api.py +@@ -1080,7 +1080,7 @@ class API(base.Base): + #NOTE(bcwaldon): this doesn't really belong in this class + def get_instance_type(self, context, instance_type_id): + """Get an instance type by instance type id.""" +- return 
instance_types.get_instance_type(instance_type_id) ++ return instance_types.get_instance_type(instance_type_id, ctxt=context) + + def get(self, context, instance_id): + """Get a single instance with the given instance_id.""" +diff --git a/nova/compute/instance_types.py b/nova/compute/instance_types.py +index 6869672..5be97c1 100644 +--- a/nova/compute/instance_types.py ++++ b/nova/compute/instance_types.py +@@ -163,7 +163,7 @@ def get_instance_type_by_flavor_id(flavorid, ctxt=None, read_deleted="yes"): + if ctxt is None: + ctxt = context.get_admin_context(read_deleted=read_deleted) + +- return db.instance_type_get_by_flavor_id(ctxt, flavorid) ++ return db.instance_type_get_by_flavor_id(ctxt, flavorid, read_deleted) + + + def get_instance_type_access_by_flavor_id(flavorid, ctxt=None): +diff --git a/nova/db/api.py b/nova/db/api.py +index 9f2ff73..40db686 100644 +--- a/nova/db/api.py ++++ b/nova/db/api.py +@@ -1460,9 +1460,9 @@ def instance_type_get_by_name(context, name): + return IMPL.instance_type_get_by_name(context, name) + + +-def instance_type_get_by_flavor_id(context, id): ++def instance_type_get_by_flavor_id(context, id, read_deleted=None): + """Get instance type by flavor id.""" +- return IMPL.instance_type_get_by_flavor_id(context, id) ++ return IMPL.instance_type_get_by_flavor_id(context, id, read_deleted) + + + def instance_type_destroy(context, name): +diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py +index 7fcc4f8..ea32168 100644 +--- a/nova/db/sqlalchemy/api.py ++++ b/nova/db/sqlalchemy/api.py +@@ -3910,7 +3910,7 @@ def instance_type_create(context, values): + pass + try: + instance_type_get_by_flavor_id(context, values['flavorid'], +- session) ++ read_deleted='no', session=session) + raise exception.InstanceTypeExists(name=values['name']) + except exception.FlavorNotFound: + pass +@@ -3952,9 +3952,16 @@ def _dict_with_extra_specs(inst_type_query): + + + def _instance_type_get_query(context, session=None, read_deleted=None): +- return 
model_query(context, models.InstanceTypes, session=session, ++ query = model_query(context, models.InstanceTypes, session=session, + read_deleted=read_deleted).\ +- options(joinedload('extra_specs')) ++ options(joinedload('extra_specs')) ++ if not context.is_admin: ++ the_filter = [models.InstanceTypes.is_public == True] ++ the_filter.extend([ ++ models.InstanceTypes.projects.any(project_id=context.project_id) ++ ]) ++ query = query.filter(or_(*the_filter)) ++ return query + + + @require_context +@@ -4029,9 +4036,11 @@ def instance_type_get_by_name(context, name, session=None): + + + @require_context +-def instance_type_get_by_flavor_id(context, flavor_id, session=None): ++def instance_type_get_by_flavor_id(context, flavor_id, read_deleted, ++ session=None): + """Returns a dict describing specific flavor_id""" +- result = _instance_type_get_query(context, session=session).\ ++ result = _instance_type_get_query(context, read_deleted=read_deleted, ++ session=session).\ + filter_by(flavorid=flavor_id).\ + first() + +@@ -4083,7 +4092,7 @@ def instance_type_access_add(context, flavor_id, project_id): + session = get_session() + with session.begin(): + instance_type_ref = instance_type_get_by_flavor_id(context, flavor_id, +- session=session) ++ read_deleted='no', session=session) + instance_type_id = instance_type_ref['id'] + access_ref = _instance_type_access_query(context, session=session).\ + filter_by(instance_type_id=instance_type_id).\ +@@ -4111,7 +4120,7 @@ def instance_type_access_remove(context, flavor_id, project_id): + session = get_session() + with session.begin(): + instance_type_ref = instance_type_get_by_flavor_id(context, flavor_id, +- session=session) ++ read_deleted='no', session=session) + instance_type_id = instance_type_ref['id'] + access_ref = _instance_type_access_query(context, session=session).\ + filter_by(instance_type_id=instance_type_id).\ +@@ -4447,7 +4456,8 @@ def instance_type_extra_specs_update_or_create(context, flavor_id, + specs): + 
session = get_session() + spec_ref = None +- instance_type = instance_type_get_by_flavor_id(context, flavor_id) ++ instance_type = instance_type_get_by_flavor_id(context, flavor_id, ++ read_deleted='no') + for key, value in specs.iteritems(): + try: + spec_ref = instance_type_extra_specs_get_item( +diff --git a/nova/tests/api/openstack/compute/contrib/test_flavor_access.py b/nova/tests/api/openstack/compute/contrib/test_flavor_access.py +index 0bf1f1b..075810b 100644 +--- a/nova/tests/api/openstack/compute/contrib/test_flavor_access.py ++++ b/nova/tests/api/openstack/compute/contrib/test_flavor_access.py +@@ -68,7 +68,7 @@ def fake_get_instance_type_access_by_flavor_id(flavorid): + return res + + +-def fake_get_instance_type_by_flavor_id(flavorid): ++def fake_get_instance_type_by_flavor_id(flavorid, ctxt=None): + return INSTANCE_TYPES[flavorid] + + +diff --git a/nova/tests/api/openstack/compute/contrib/test_flavor_disabled.py b/nova/tests/api/openstack/compute/contrib/test_flavor_disabled.py +index 1225b56..933178a 100644 +--- a/nova/tests/api/openstack/compute/contrib/test_flavor_disabled.py ++++ b/nova/tests/api/openstack/compute/contrib/test_flavor_disabled.py +@@ -44,7 +44,7 @@ FAKE_FLAVORS = { + } + + +-def fake_instance_type_get_by_flavor_id(flavorid): ++def fake_instance_type_get_by_flavor_id(flavorid, ctxt=None): + return FAKE_FLAVORS['flavor %s' % flavorid] + + +diff --git a/nova/tests/api/openstack/compute/contrib/test_flavor_manage.py b/nova/tests/api/openstack/compute/contrib/test_flavor_manage.py +index 70fd5e4..7174ed2 100644 +--- a/nova/tests/api/openstack/compute/contrib/test_flavor_manage.py ++++ b/nova/tests/api/openstack/compute/contrib/test_flavor_manage.py +@@ -25,7 +25,8 @@ from nova import test + from nova.tests.api.openstack import fakes + + +-def fake_get_instance_type_by_flavor_id(flavorid, read_deleted='yes'): ++def fake_get_instance_type_by_flavor_id(flavorid, ctxt=None, ++ read_deleted='yes'): + if flavorid == 'failtest': + raise 
exception.NotFound("Not found sucka!") + elif not str(flavorid) == '1234': +diff --git a/nova/tests/api/openstack/compute/contrib/test_flavor_rxtx.py b/nova/tests/api/openstack/compute/contrib/test_flavor_rxtx.py +index 52163c7..afa2259 100644 +--- a/nova/tests/api/openstack/compute/contrib/test_flavor_rxtx.py ++++ b/nova/tests/api/openstack/compute/contrib/test_flavor_rxtx.py +@@ -43,7 +43,7 @@ FAKE_FLAVORS = { + } + + +-def fake_instance_type_get_by_flavor_id(flavorid): ++def fake_instance_type_get_by_flavor_id(flavorid, ctxt=None): + return FAKE_FLAVORS['flavor %s' % flavorid] + + +diff --git a/nova/tests/api/openstack/compute/contrib/test_flavor_swap.py b/nova/tests/api/openstack/compute/contrib/test_flavor_swap.py +index 75e9cd7..3fd1ae9 100644 +--- a/nova/tests/api/openstack/compute/contrib/test_flavor_swap.py ++++ b/nova/tests/api/openstack/compute/contrib/test_flavor_swap.py +@@ -43,7 +43,7 @@ FAKE_FLAVORS = { + } + + +-def fake_instance_type_get_by_flavor_id(flavorid): ++def fake_instance_type_get_by_flavor_id(flavorid, ctxt=None): + return FAKE_FLAVORS['flavor %s' % flavorid] + + +diff --git a/nova/tests/api/openstack/compute/contrib/test_flavorextradata.py b/nova/tests/api/openstack/compute/contrib/test_flavorextradata.py +index 8f5301a..9654605 100644 +--- a/nova/tests/api/openstack/compute/contrib/test_flavorextradata.py ++++ b/nova/tests/api/openstack/compute/contrib/test_flavorextradata.py +@@ -23,7 +23,7 @@ from nova import test + from nova.tests.api.openstack import fakes + + +-def fake_get_instance_type_by_flavor_id(flavorid): ++def fake_get_instance_type_by_flavor_id(flavorid, ctxt=None): + return { + 'id': flavorid, + 'flavorid': str(flavorid), +diff --git a/nova/tests/api/openstack/compute/test_flavors.py b/nova/tests/api/openstack/compute/test_flavors.py +index 77d40df..cfa3429 100644 +--- a/nova/tests/api/openstack/compute/test_flavors.py ++++ b/nova/tests/api/openstack/compute/test_flavors.py +@@ -54,7 +54,7 @@ FAKE_FLAVORS = { + } + + +-def 
fake_instance_type_get_by_flavor_id(flavorid): ++def fake_instance_type_get_by_flavor_id(flavorid, ctxt=None): + return FAKE_FLAVORS['flavor %s' % flavorid] + + +@@ -80,7 +80,7 @@ def empty_instance_type_get_all(inactive=False, filters=None): + return {} + + +-def return_instance_type_not_found(flavor_id): ++def return_instance_type_not_found(flavor_id, ctxt=None): + raise exception.InstanceTypeNotFound(flavor_id=flavor_id) + + +-- +1.8.1.5 + diff --git a/sys-cluster/nova/files/2012.2.4-CVE-2013-4185.patch b/sys-cluster/nova/files/2012.2.4-CVE-2013-4185.patch new file mode 100644 index 000000000000..3e02ae10a473 --- /dev/null +++ b/sys-cluster/nova/files/2012.2.4-CVE-2013-4185.patch 
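Review bot: The `is_public` filter added to `_instance_type_get_query` in nova/db/sqlalchemy/api.py only takes effect for a non-admin context, yet `get_instance_type_by_flavor_id` in nova/compute/instance_types.py still falls back to `context.get_admin_context(read_deleted=read_deleted)` when `ctxt` is None, so any call site that omits `ctxt` keeps reading non-public flavors. This backport passes `ctxt=context` from the three flavor controllers and from `compute.api.get_instance_type`; callers outside the patch are not visible here and should be audited before this is treated as a complete fix. The test changes only widen the fakes' signatures with `ctxt=None`, so nothing in this backport asserts that a non-admin is refused a non-public flavor, and a DB-level test for that would be worth carrying. Separately, `instance_type_get_by_flavor_id` in the sqlalchemy layer now takes `read_deleted` as a required positional while the nova/db/api.py wrapper defaults it to None; `def instance_type_get_by_flavor_id(context, flavor_id, read_deleted=None, session=None):` would keep the two layers consistent and avoid a TypeError in any caller this patch missed.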
@@ -0,0 +1,101 @@ +From d4ee081c5c0a5132781235177c430ebcf72b0b0b Mon Sep 17 00:00:00 2001 +From: Vishvananda Ishaya <vishvananda@gmail.com> +Date: Fri, 19 Jul 2013 10:23:59 -0700 +Subject: [PATCH] Use cached nwinfo for secgroup rules + +This stops a potential DOS with source security groups by using the +db cached version of the network info instead of calling out to +the network api multiple times. + +Fixes bug 1184041 + +Change-Id: Id5f24ecf0e8cce60c27a9aecbc6e606c4c44d6b6 +(cherry picked from commit 85aac04704350566d6b06aa7a3b99649946c672c) +--- + nova/db/sqlalchemy/api.py | 2 ++ + nova/tests/test_libvirt.py | 4 +++- + nova/tests/test_xenapi.py | 5 +++-- + nova/virt/firewall.py | 12 +++--------- + 4 files changed, 11 insertions(+), 12 deletions(-) + +diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py +index 7fcc4f8..6d3b139 100644 +--- a/nova/db/sqlalchemy/api.py ++++ b/nova/db/sqlalchemy/api.py +@@ -3649,6 +3649,8 @@ def security_group_rule_get_by_security_group(context, security_group_id, + return _security_group_rule_get_query(context, session=session).\ + filter_by(parent_group_id=security_group_id).\ + options(joinedload_all('grantee_group.instances.instance_type')).\ ++ options(joinedload('grantee_group.instances.' 
++ 'info_cache')).\ + all() + + +diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py +index b26a006..e956eb0 100644 +--- a/nova/tests/test_libvirt.py ++++ b/nova/tests/test_libvirt.py +@@ -3240,7 +3240,9 @@ class IptablesFirewallTestCase(test.TestCase): + from nova.network import linux_net + linux_net.iptables_manager.execute = fake_iptables_execute + +- _fake_stub_out_get_nw_info(self.stubs, lambda *a, **kw: network_model) ++ from nova.compute import utils as compute_utils ++ self.stubs.Set(compute_utils, 'get_nw_info_for_instance', ++ lambda instance: network_model) + + network_info = network_model.legacy() + self.fw.prepare_instance_filter(instance_ref, network_info) +diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py +index 0cf69d6..7a8f9b4 100644 +--- a/nova/tests/test_xenapi.py ++++ b/nova/tests/test_xenapi.py +@@ -1690,8 +1690,9 @@ class XenAPIDom0IptablesFirewallTestCase(stubs.XenAPITestBase): + network_model = fake_network.fake_get_instance_nw_info(self.stubs, + 1, spectacular=True) + +- fake_network.stub_out_nw_api_get_instance_nw_info(self.stubs, +- lambda *a, **kw: network_model) ++ from nova.compute import utils as compute_utils ++ self.stubs.Set(compute_utils, 'get_nw_info_for_instance', ++ lambda instance: network_model) + + network_info = network_model.legacy() + self.fw.prepare_instance_filter(instance_ref, network_info) +diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py +index a093a35..7c22c86 100644 +--- a/nova/virt/firewall.py ++++ b/nova/virt/firewall.py +@@ -17,10 +17,10 @@ + # License for the specific language governing permissions and limitations + # under the License. 
+ ++from nova.compute import utils as compute_utils + from nova import context + from nova import db + from nova import flags +-from nova import network + from nova.network import linux_net + from nova.openstack.common import cfg + from nova.openstack.common import importutils +@@ -405,15 +405,9 @@ class IptablesFirewallDriver(FirewallDriver): + fw_rules += [' '.join(args)] + else: + if rule['grantee_group']: +- # FIXME(jkoelker) This needs to be ported up into +- # the compute manager which already +- # has access to a nw_api handle, +- # and should be the only one making +- # making rpc calls. +- nw_api = network.API() + for instance in rule['grantee_group']['instances']: +- nw_info = nw_api.get_instance_nw_info(ctxt, +- instance) ++ nw_info = compute_utils.get_nw_info_for_instance( ++ instance) + + ips = [ip['address'] + for ip in nw_info.fixed_ips() +-- +1.8.1.5 + diff --git a/sys-cluster/nova/nova-2012.2.4-r3.ebuild b/sys-cluster/nova/nova-2012.2.4-r4.ebuild index f08ab6c27de0..84343ee8697c 100644 --- a/sys-cluster/nova/nova-2012.2.4-r3.ebuild +++ b/sys-cluster/nova/nova-2012.2.4-r4.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2012.2.4-r3.ebuild,v 1.1 2013/06/25 19:04:50 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2012.2.4-r4.ebuild,v 1.1 2013/08/11 03:48:28 prometheanfire Exp $ EAPI=5 PYTHON_COMPAT=( python2_7 ) @@ -46,6 +46,8 @@ RDEPEND="=dev-python/amqplib-0.6.1 PATCHES=( "${FILESDIR}/nova-folsom-4-CVE-2013-2030.patch" "${FILESDIR}/nova-folsom-4-CVE-2013-2096.patch" + "${FILESDIR}/2012.2.4-CVE-2013-2256.patch" + "${FILESDIR}/2012.2.4-CVE-2013-4185.patch" ) python_install() { |
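Review bot: The rewritten loop in `IptablesFirewallDriver` (nova/virt/firewall.py) calls `compute_utils.get_nw_info_for_instance(instance)` for every entry in `rule['grantee_group']['instances']`, but the patch does not show that helper, so confirm against the 2012.2.4 tree that it exists and that an instance with a missing or empty `info_cache` yields an empty `fixed_ips()` result rather than an exception during rule refresh. The eager load of `grantee_group.instances.info_cache` is added only to `security_group_rule_get_by_security_group`; if rules reach this driver through another query, each instance would presumably lazy-load its cache and part of the per-instance cost this change removes would return. Since the rules are now built from cached data, a comment at the call such as `# uses the DB-cached nw_info; rules can lag until the cache is refreshed` would record the trade-off for the next maintainer. The enclosing method starts outside the hunk.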