lp:~yolanda.robla/nova/precise-security
- Get this branch:
- bzr branch lp:~yolanda.robla/nova/precise-security
Branch merges
- James Page: Approve
Diff: 173813 lines (+26521/-71314)
90 files modified
.gitignore (+0/-20)
.gitreview (+0/-5)
.mailmap (+0/-82)
.pc/0001-fix-useexisting-deprecation-warnings.patch/nova/db/sqlalchemy/migrate_repo/versions/075_convert_bw_usage_to_store_network_id.py (+0/-97)
.pc/0001-fix-useexisting-deprecation-warnings.patch/nova/db/sqlalchemy/migrate_repo/versions/081_drop_instance_id_bw_cache.py (+0/-69)
.pc/CVE-2013-0208.patch/nova/compute/api.py (+0/-1842)
.pc/CVE-2013-0208.patch/nova/exception.py (+0/-1031)
.pc/CVE-2013-0335.patch/nova/compute/api.py (+0/-1858)
.pc/CVE-2013-0335.patch/nova/compute/manager.py (+0/-2585)
.pc/CVE-2013-0335.patch/nova/consoleauth/manager.py (+0/-81)
.pc/CVE-2013-0335.patch/nova/tests/test_compute.py (+0/-3691)
.pc/CVE-2013-0335.patch/nova/tests/test_consoleauth.py (+0/-54)
.pc/CVE-2013-0335_testsuite-fixes.patch/nova/consoleauth/manager.py (+0/-109)
.pc/CVE-2013-0335_testsuite-fixes.patch/nova/tests/policy.json (+0/-178)
.pc/CVE-2013-0335_testsuite-fixes.patch/nova/tests/test_compute.py (+0/-3732)
.pc/CVE-2013-0335_testsuite-fixes.patch/nova/tests/test_consoleauth.py (+0/-61)
.pc/CVE-2013-1664.patch/nova/api/openstack/common.py (+0/-490)
.pc/CVE-2013-1664.patch/nova/api/openstack/compute/contrib/hosts.py (+0/-305)
.pc/CVE-2013-1664.patch/nova/api/openstack/compute/contrib/security_groups.py (+0/-673)
.pc/CVE-2013-1664.patch/nova/api/openstack/compute/servers.py (+0/-1170)
.pc/CVE-2013-1664.patch/nova/api/openstack/wsgi.py (+0/-1124)
.pc/CVE-2013-1664.patch/nova/tests/test_utils.py (+0/-1188)
.pc/CVE-2013-1664.patch/nova/utils.py (+0/-1727)
.pc/CVE-2013-1838.patch/nova/api/openstack/compute/contrib/quotas.py (+0/-110)
.pc/CVE-2013-1838.patch/nova/db/api.py (+0/-1753)
.pc/CVE-2013-1838.patch/nova/db/sqlalchemy/api.py (+0/-4380)
.pc/CVE-2013-1838.patch/nova/network/manager.py (+0/-1899)
.pc/CVE-2013-1838.patch/nova/quota.py (+0/-229)
.pc/CVE-2013-1838.patch/nova/tests/api/openstack/compute/contrib/test_quotas.py (+0/-204)
.pc/CVE-2013-1838.patch/nova/tests/network/test_manager.py (+0/-1790)
.pc/applied-patches (+0/-12)
.pc/fix-docs-build-without-network.patch/doc/source/conf.py (+0/-234)
.pc/fix-pep8-errors.patch/nova/api/openstack/compute/contrib/hosts.py (+0/-305)
.pc/fix-pep8-errors.patch/nova/api/openstack/compute/contrib/networks.py (+0/-140)
.pc/fix-pep8-errors.patch/nova/tests/api/openstack/compute/contrib/test_admin_actions.py (+0/-278)
.pc/fix-pep8-errors.patch/nova/tests/api/openstack/compute/contrib/test_disk_config.py (+0/-253)
.pc/fix-pep8-errors.patch/nova/tests/api/openstack/compute/contrib/test_scheduler_hints.py (+0/-98)
.pc/fix-pep8-errors.patch/nova/tests/api/openstack/compute/contrib/test_security_groups.py (+0/-1185)
.pc/fix-pep8-errors.patch/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py (+0/-340)
.pc/fix-pep8-errors.patch/nova/tests/test_libvirt_vif.py (+0/-175)
.pc/fix-pep8-errors.patch/nova/virt/baremetal/nodes.py (+0/-42)
.pc/fix-pep8-errors.patch/nova/virt/baremetal/proxy.py (+0/-794)
.pc/fix-pep8-errors.patch/nova/virt/fake.py (+0/-343)
.pc/fix-pep8-errors.patch/nova/virt/libvirt/connection.py (+0/-2541)
.pc/fix-pep8-errors.patch/nova/virt/vmwareapi/vmops.py (+0/-825)
.pc/fix-pep8-errors.patch/nova/virt/xenapi/volume_utils.py (+0/-413)
.pc/fix-pep8-errors.patch/nova/virt/xenapi_conn.py (+0/-638)
.pc/fix-pep8-errors.patch/nova/vnc/xvp_proxy.py (+0/-187)
.pc/fix-pep8-errors.patch/tools/hacking.py (+0/-195)
.pc/fix-pep8-errors.patch/tools/xenserver/vdi_chain_cleanup.py (+0/-128)
.pc/fix-ubuntu-tests.patch/nova/tests/test_api.py (+0/-610)
.pc/kombu_tests_timeout.patch/nova/tests/rpc/test_kombu.py (+0/-295)
.pc/nova-manage_flagfile_location.patch/bin/nova-manage (+0/-1746)
.pc/path-to-the-xenhost.conf-fixup.patch/plugins/xenserver/xenapi/etc/xapi.d/plugins/xenhost (+0/-435)
Authors (+7/-1)
ChangeLog (+26276/-25487)
PKG-INFO (+1/-1)
debian/changelog (+49/-0)
debian/patches/CVE-2013-0208.patch (+0/-69)
debian/patches/CVE-2013-0335.patch (+0/-202)
debian/patches/CVE-2013-0335_testsuite-fixes.patch (+0/-188)
debian/patches/CVE-2013-1664.patch (+0/-309)
debian/patches/CVE-2013-1838.patch (+0/-232)
debian/patches/series (+0/-5)
nova.egg-info/PKG-INFO (+1/-1)
nova.egg-info/SOURCES.txt (+0/-3)
nova/api/openstack/compute/contrib/flavorextradata.py (+1/-1)
nova/api/openstack/compute/contrib/simple_tenant_usage.py (+7/-0)
nova/compute/api.py (+7/-3)
nova/consoleauth/manager.py (+5/-4)
nova/db/sqlalchemy/api.py (+1/-1)
nova/manager.py (+5/-0)
nova/network/l3.py (+4/-2)
nova/network/linux_net.py (+17/-12)
nova/network/manager.py (+1/-2)
nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py (+22/-6)
nova/tests/fakelibvirt.py (+2/-0)
nova/tests/network/test_manager.py (+35/-0)
nova/tests/test_compute.py (+5/-3)
nova/tests/test_db_api.py (+2/-0)
nova/tests/test_libvirt.py (+13/-1)
nova/tests/test_linux_net.py (+1/-1)
nova/utils.py (+11/-9)
nova/version.py (+1/-1)
nova/virt/disk/api.py (+1/-0)
nova/virt/firewall.py (+14/-6)
nova/virt/libvirt/connection.py (+24/-10)
nova/virt/libvirt/volume.py (+5/-3)
tools/pip-requires (+2/-2)
tools/test-requires (+1/-0)
Branch information
Recent revisions
- 88. By Yolanda Robla
* Resynchronize with stable/essex (e52e6912) (LP: #1089488):
- [48e81f1] VNC proxy can be made to connect to wrong VM LP: 1125378
- [3bf5a58] snat rule too broad for some network configurations LP: 1048765
- [efaacda] DOS by allocating all fixed ips LP: 1125468
- [b683ced] Add nosehtmloutput as a test dependency.
- [45274c8] Nova unit tests not running, but still passing for stable/essex
LP: 1132835
- [e02b459] vnc unit-test fixes
- [87361d3] Jenkins jobs fail because of incompatibility between sqlalchemy-
migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
- [e98928c] VNC proxy can be made to connect to wrong VM LP: 1125378
- [c0a10db] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
- [243d516] No authentication on block device used for os-volume_boot
LP: 1069904
- [80fefe5] use_single_default_gateway does not function correctly
(LP: #1075859)
- [bd10241] Essex 2012.1.3 : Error deleting instance with 2 Nova Volumes
attached (LP: #1079745)
- [86a5937] do_refresh_security_group_rules in nova.virt.firewall is very
slow (LP: #1062314)
- [ae9c5f4] deallocate_fixed_ip attempts to update an already deleted
fixed_ip (LP: #1017633)
- [20f98c5] failed to allocate fixed ip because old deleted one exists
(LP: #996482)
- [75f6922] snapshot stays in saving state if the vm base image is deleted
(LP: #921774)
- [1076699] lock files may be removed in error due to permissions issues
(LP: #1051924)
- [40c5e94] ensure_default_security_group() does not call sgh (LP: #1050982)
- [4eebe76] At termination, LXC rootfs is not always unmounted before
rmtree() is called (LP: #1046313)
- [47dabb3] Heavily loaded nova-compute instances don't send reports
frequently enough (LP: #1045152)
- [b375b4f] When attach volume lost attach when node restart (LP: #1004791)
- [4ac2dcc] nova usage-list returns wrong usage (LP: #1043999)
- [014fcbc] Bridge port's hairpin mode not set after resuming a machine
(LP: #1040537)
- [2f35f8e] Nova flavor ephemeral space size reported incorrectly
(LP: #1026210)
* Dropped, superseded by new snapshot:
- debian/patches/CVE-2013-0335.patch: [48e81f1]
- debian/patches/CVE-2013-1838.patch: [efaacda]
- debian/patches/CVE-2013-1664.patch: [c0a10db]
- debian/patches/CVE-2013-0208.patch: [243d516]
- 86. By Jamie Strandboge
* SECURITY UPDATE: fix denial of service via fixed IPs when using extensions
- debian/patches/CVE-2013-1838.patch: add explicit quota for fixed IP
- CVE-2013-1838
- LP: #1125468
* SECURITY UPDATE: fix VNC token validation
- debian/patches/CVE-2013-0335*.patch: force console auth service to flush
all tokens associated with an instance when it is deleted
- CVE-2013-0335
- LP: #1125378
- 85. By Jamie Strandboge
* SECURITY UPDATE: fix denial of service
- CVE-2013-1664.patch: Add a new utils.safe_minidom_parse_string function
and update external API facing Nova modules to use it
- CVE-2013-1664
- 84. By Jamie Strandboge
* SECURITY UPDATE: fix lack of authentication on block device used for
os-volume_boot
- debian/patches/CVE-2013-0208.patch: adjust nova/compute/api.py to
validate we can access the volumes
- CVE-2013-0208
- 83. By Jamie Strandboge
* SECURITY UPDATE: Prohibit file injection writing to host filesystem
- debian/patches/CVE-2012-3447.patch: update to perform the file name
canonicalization as the root user
- CVE-2012-3447
- 82. By Steve Beattie
* SECURITY UPDATE: scheduler affinity denial of service
- debian/patches/CVE-2012-3371.patch: lookup instance ids only once
instead of once for each scheduler hint instance id.
- 81. By Steve Beattie
* SECURITY UPDATE: arbitrary file injection/corruption
- debian/patches/CVE-2012-3360+3361.patch: ensure that files cannot
be injected in arbitrary locations
- CVE-2012-3360
- CVE-2012-3361
- 80. By Steve Beattie
* REGRESSION FIX: security group without protocol set failure (LP: #1010514)
- debian/patches/CVE-2012-2654-regression.patch: only call .lower()
when a protocol has been set.
- 79. By Steve Beattie
* SECURITY UPDATE: set security groups correctly if IP protocol is
specified in upper/mixed case
- debian/patches/CVE-2012-2654.patch: ensure protocols are in
lowercase for the controllers
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)