lp:~yolanda.robla/nova/precise-security

Created by Yolanda Robla and last modified
Get this branch:
bzr branch lp:~yolanda.robla/nova/precise-security

Branch information

Owner:
Yolanda Robla
Project:
OpenStack Compute (nova)
Status:
Development

Recent revisions

88. By Yolanda Robla

* Resynchronize with stable/essex (e52e6912) (LP: #1089488):
  - [48e81f1] VNC proxy can be made to connect to wrong VM LP: 1125378
  - [3bf5a58] snat rule too broad for some network configurations LP: 1048765
  - [efaacda] DOS by allocating all fixed ips LP: 1125468
  - [b683ced] Add nosehtmloutput as a test dependency.
  - [45274c8] Nova unit tests not running, but still passing for stable/essex
    LP: 1132835
  - [e02b459] vnc unit-test fixes
  - [87361d3] Jenkins jobs fail because of incompatibility between sqlalchemy-
    migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
  - [e98928c] VNC proxy can be made to connect to wrong VM LP: 1125378
  - [c0a10db] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
  - [243d516] No authentication on block device used for os-volume_boot
    LP: 1069904
  - [80fefe5] use_single_default_gateway does not function correctly
    (LP: #1075859)
  - [bd10241] Essex 2012.1.3 : Error deleting instance with 2 Nova Volumes
    attached (LP: #1079745)
  - [86a5937] do_refresh_security_group_rules in nova.virt.firewall is very
    slow (LP: #1062314)
  - [ae9c5f4] deallocate_fixed_ip attempts to update an already deleted
    fixed_ip (LP: #1017633)
  - [20f98c5] failed to allocate fixed ip because old deleted one exists
    (LP: #996482)
  - [75f6922] snapshot stays in saving state if the vm base image is deleted
    (LP: #921774)
  - [1076699] lock files may be removed in error due to permissions issues
    (LP: #1051924)
  - [40c5e94] ensure_default_security_group() does not call sgh (LP: #1050982)
  - [4eebe76] At termination, LXC rootfs is not always unmounted before
    rmtree() is called (LP: #1046313)
  - [47dabb3] Heavily loaded nova-compute instances don't send reports
    frequently enough (LP: #1045152)
  - [b375b4f] When attach volume lost attach when node restart (LP: #1004791)
  - [4ac2dcc] nova usage-list returns wrong usage (LP: #1043999)
  - [014fcbc] Bridge port's hairpin mode not set after resuming a machine
    (LP: #1040537)
  - [2f35f8e] Nova flavor ephemeral space size reported incorrectly
    (LP: #1026210)
* Dropped, superseded by new snapshot:
  - debian/patches/CVE-2013-0335.patch: [48e81f1]
  - debian/patches/CVE-2013-1838.patch: [efaacda]
  - debian/patches/CVE-2013-1664.patch: [c0a10db]
  - debian/patches/CVE-2013-0208.patch: [243d516]

87. By Yolanda Robla

New upstream release.

86. By Jamie Strandboge

* SECURITY UPDATE: fix denial of service via fixed IPs when using extensions
  - debian/patches/CVE-2013-1838.patch: add explicit quota for fixed IP
  - CVE-2013-1838
  - LP: #1125468
* SECURITY UPDATE: fix VNC token validation
  - debian/patches/CVE-2013-0335*.patch: force console auth service to flush
    all tokens associated with an instance when it is deleted
  - CVE-2013-0335
  - LP: #1125378

85. By Jamie Strandboge

* SECURITY UPDATE: fix denial of service
  - CVE-2013-1664.patch: Add a new utils.safe_minidom_parse_string function
    and update external API facing Nova modules to use it
  - CVE-2013-1664

84. By Jamie Strandboge

* SECURITY UPDATE: fix lack of authentication on block device used for
  os-volume_boot
  - debian/patches/CVE-2013-0208.patch: adjust nova/compute/api.py to
    validate we can access the volumes
  - CVE-2013-0208

83. By Jamie Strandboge

* SECURITY UPDATE: Prohibit file injection writing to host filesystem
  - debian/patches/CVE-2012-3447.patch: update to perform the file name
    canonicalization as the root user
  - CVE-2012-3447

82. By Steve Beattie

* SECURITY UPDATE: scheduler affinity denial of service
  - debian/patches/CVE-2012-3371.patch: lookup instance ids only once
    instead of once for each scheduler hint instance id.

81. By Steve Beattie

* SECURITY UPDATE: arbitrary file injection/corruption
  - debian/patches/CVE-2012-3360+3361.patch: ensure that files cannot
    be injected in arbitrary locations
  - CVE-2012-3360
  - CVE-2012-3361

80. By Steve Beattie

* REGRESSION FIX: security group without protocol set failure (LP: #1010514)
  - debian/patches/CVE-2012-2654-regression.patch: only call .lower()
    when a protocol has been set.

79. By Steve Beattie

* SECURITY UPDATE: set security groups correctly if IP protocol is
  specified in upper/mixed case
  - debian/patches/CVE-2012-2654.patch: ensure protocols are in
    lowercase for the controllers

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)