Get this branch:
bzr branch lp:~yolanda.robla/nova/precise-security

Branch information

Yolanda Robla
OpenStack Compute (nova)

Recent revisions

88. By Yolanda Robla

* Resynchronize with stable/essex (e52e6912) (LP: #1089488):
  - [48e81f1] VNC proxy can be made to connect to wrong VM LP: 1125378
  - [3bf5a58] snat rule too broad for some network configurations LP: 1048765
  - [efaacda] DOS by allocating all fixed ips LP: 1125468
  - [b683ced] Add nosehtmloutput as a test dependency.
  - [45274c8] Nova unit tests not running, but still passing for stable/essex
    LP: 1132835
  - [e02b459] vnc unit-test fixes
  - [87361d3] Jenkins jobs fail because of incompatibility between sqlalchemy-
    migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
  - [e98928c] VNC proxy can be made to connect to wrong VM LP: 1125378
  - [c0a10db] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
  - [243d516] No authentication on block device used for os-volume_boot
    LP: 1069904
  - [80fefe5] use_single_default_gateway does not function correctly
    (LP: #1075859)
  - [bd10241] Essex 2012.1.3 : Error deleting instance with 2 Nova Volumes
    attached (LP: #1079745)
  - [86a5937] do_refresh_security_group_rules in nova.virt.firewall is very
    slow (LP: #1062314)
  - [ae9c5f4] deallocate_fixed_ip attempts to update an already deleted
    fixed_ip (LP: #1017633)
  - [20f98c5] failed to allocate fixed ip because old deleted one exists
    (LP: #996482)
  - [75f6922] snapshot stays in saving state if the vm base image is deleted
    (LP: #921774)
  - [1076699] lock files may be removed in error due to permissions issues
    (LP: #1051924)
  - [40c5e94] ensure_default_security_group() does not call sgh (LP: #1050982)
  - [4eebe76] At termination, LXC rootfs is not always unmounted before
    rmtree() is called (LP: #1046313)
  - [47dabb3] Heavily loaded nova-compute instances don't send reports
    frequently enough (LP: #1045152)
  - [b375b4f] When attach volume lost attach when node restart (LP: #1004791)
  - [4ac2dcc] nova usage-list returns wrong usage (LP: #1043999)
  - [014fcbc] Bridge port's hairpin mode not set after resuming a machine
    (LP: #1040537)
  - [2f35f8e] Nova flavor ephemeral space size reported incorrectly
    (LP: #1026210)
* Dropped, superseded by new snapshot:
  - debian/patches/CVE-2013-0335.patch: [48e81f1]
  - debian/patches/CVE-2013-1838.patch: [efaacda]
  - debian/patches/CVE-2013-1664.patch: [c0a10db]
  - debian/patches/CVE-2013-0208.patch: [243d516]

87. By Yolanda Robla

New upstream release.

86. By Jamie Strandboge

* SECURITY UPDATE: fix denial of service via fixed IPs when using extensions
  - debian/patches/CVE-2013-1838.patch: add explicit quota for fixed IP
  - CVE-2013-1838
  - LP: #1125468
* SECURITY UPDATE: fix VNC token validation
  - debian/patches/CVE-2013-0335*.patch: force console auth service to flush
    all tokens associated with an instance when it is deleted
  - CVE-2013-0335
  - LP: #1125378

85. By Jamie Strandboge

* SECURITY UPDATE: fix denial of service
  - CVE-2013-1664.patch: Add a new utils.safe_minidom_parse_string function
    and update external API facing Nova modules to use it
  - CVE-2013-1664

84. By Jamie Strandboge

* SECURITY UPDATE: fix lack of authentication on block device used for
  - debian/patches/CVE-2013-0208.patch: adjust nova/compute/api.py to
    validate we can access the volumes
  - CVE-2013-0208

83. By Jamie Strandboge

* SECURITY UPDATE: Prohibit file injection writing to host filesystem
  - debian/patches/CVE-2012-3447.patch: update to perform the file name
    canonicalization as the root user
  - CVE-2012-3447

82. By Steve Beattie

* SECURITY UPDATE: scheduler affinity denial of service
  - debian/patches/CVE-2012-3371.patch: lookup instance ids only once
    instead of once for each scheduler hint instance id.

81. By Steve Beattie

* SECURITY UPDATE: arbitrary file injection/corruption
  - debian/patches/CVE-2012-3360+3361.patch: ensure that files cannot
    be injected in arbitrary locations
  - CVE-2012-3360
  - CVE-2012-3361

80. By Steve Beattie

* REGRESSION FIX: security group without protocol set failure (LP: #1010514)
  - debian/patches/CVE-2012-2654-regression.patch: only call .lower()
    when a protocol has been set.

79. By Steve Beattie

* SECURITY UPDATE: set security groups correctly if IP protocol is
  specified in upper/mixed case
  - debian/patches/CVE-2012-2654.patch: ensure protocols are in
    lowercase for the controllers

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)