authorMatthew Thode <prometheanfire@gentoo.org>2013-05-10 04:11:00 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2013-05-10 04:11:00 +0000
commita606bc0d2fcf01045bdee09e5d8e272679756e4b (patch)
tree96b0aa62e795d3aa84de4cd924c9555fa37b2e96 /sys-cluster/nova
parentAdding DOCTYPE to metadata (diff)
fix for nova folsom for CVE-2013-2030
(Portage version: 2.1.11.55/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-cluster/nova')
-rw-r--r--sys-cluster/nova/ChangeLog9
-rw-r--r--sys-cluster/nova/files/nova-folsom-4-CVE-2013-2030.patch36
-rw-r--r--sys-cluster/nova/nova-2012.2.4-r1.ebuild (renamed from sys-cluster/nova/nova-2012.2.4.ebuild)3
3 files changed, 46 insertions, 2 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog
index b8db0de47176..60d108a11395 100644
--- a/sys-cluster/nova/ChangeLog
+++ b/sys-cluster/nova/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-cluster/nova
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.10 2013/05/10 02:30:19 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.11 2013/05/10 04:11:00 prometheanfire Exp $
+
+*nova-2012.2.4-r1 (10 May 2013)
+
+ 10 May 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/nova-folsom-4-CVE-2013-2030.patch, +nova-2012.2.4-r1.ebuild,
+ -nova-2012.2.4.ebuild:
+ fix for nova folsom for CVE-2013-2030
*nova-2013.1.1 (10 May 2013)
*nova-2012.2.4 (10 May 2013)
diff --git a/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2030.patch b/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2030.patch
new file mode 100644
index 000000000000..a862cb8e477d
--- /dev/null
+++ b/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2030.patch
@@ -0,0 +1,36 @@
+From 74aa04e2ca7942cb1e1a86dcbaffeb72d260ccd7 Mon Sep 17 00:00:00 2001
+From: Russell Bryant <rbryant@redhat.com>
+Date: Wed, 1 May 2013 09:41:57 -0400
+Subject: [PATCH] Remove insecure default for signing_dir option.
+
+The sample api-paste.ini file included an insecure value for the
+signing_dir option for the keystone authtoken middleware. Comment out
+the option so that we just rely on the default behavior by default.
+
+Fix bug 1174608.
+
+Conflicts:
+ etc/nova/api-paste.ini
+
+Change-Id: I6189788953d789c34456bbe150b8ed6ce6f68403
+(cherry picked from commit 58d6879b1caaa750c39c8e452a0634c24ffef2ce)
+---
+ etc/nova/api-paste.ini | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/etc/nova/api-paste.ini b/etc/nova/api-paste.ini
+index 3970974..95307b2 100644
+--- a/etc/nova/api-paste.ini
++++ b/etc/nova/api-paste.ini
+@@ -124,4 +124,7 @@ auth_protocol = http
+ admin_tenant_name = %SERVICE_TENANT_NAME%
+ admin_user = %SERVICE_USER%
+ admin_password = %SERVICE_PASSWORD%
+-signing_dir = /tmp/keystone-signing-nova
++# signing_dir is configurable, but the default behavior of the authtoken
++# middleware should be sufficient. It will create a temporary directory
++# in the home directory for the user the nova process is running as.
++#signing_dir = /var/lib/nova/keystone-signing
+--
+1.8.1.5
+
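Review bot: The commented example `#signing_dir = /var/lib/nova/keystone-signing` gives no guidance on who must own that directory or what mode it needs, so an operator who uncomments it can still end up with a signing directory that other local accounts can write to, which is the condition this patch removes. I would add one comment line above it, for example `# If set, this directory must be owned by the nova user and must not be writable by other users (mode 0700).` Because this file is a cherry-pick of the upstream change, the same wording may be better carried as a note in the ebuild than as an edit to the patch.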
diff --git a/sys-cluster/nova/nova-2012.2.4.ebuild b/sys-cluster/nova/nova-2012.2.4-r1.ebuild
index e3b0eadb543c..27086453c574 100644
--- a/sys-cluster/nova/nova-2012.2.4.ebuild
+++ b/sys-cluster/nova/nova-2012.2.4-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2012.2.4.ebuild,v 1.1 2013/05/10 02:30:19 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2012.2.4-r1.ebuild,v 1.1 2013/05/10 04:11:00 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -44,6 +44,7 @@ RDEPEND="=dev-python/amqplib-0.6.1
>=dev-python/python-quantumclient-2.1[${PYTHON_USEDEP}]"
PATCHES=(
+ "${FILESDIR}/nova-folsom-4-CVE-2013-2030.patch"
)
python_install() {
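Review bot: Adding the patch to `PATCHES` changes only the sample `api-paste.ini` that the package ships, so a host whose deployed copy already contains `signing_dir = /tmp/keystone-signing-nova` stays exposed after upgrading to -r1 unless the operator merges the config update (this assumes the file is installed under a config-protected path, which the hunk does not show). A post-install message would make that visible, for example `elog "CVE-2013-2030: remove signing_dir = /tmp/keystone-signing-nova from your deployed api-paste.ini and restart the nova API services"` in `pkg_postinst`. A one-line comment beside the `PATCHES` entry naming the upstream bug (1174608) would also help whoever has to decide whether to drop the patch at the next version bump. `python_install()` opens on the last line of the hunk and its body is outside it.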