diff options
| author |   Matt Thode <prometheanfire@gentoo.org> | 2013-11-17 22:36:04 +0000 |
|---|---|---|
| committer | Matt Thode <prometheanfire@gentoo.org> | 2013-11-17 22:36:04 +0000 |
| commit | 5166243e79a8f7c6d831249c84cf3b7279d04e09 (patch) | |
| tree | 776f7f33649da07e4276a0a8049348932ec8401e /sys-cluster | |
| parent | Version bump. (diff) | |
| download | historical-5166243e79a8f7c6d831249c84cf3b7279d04e09.tar.gz historical-5166243e79a8f7c6d831249c84cf3b7279d04e09.tar.bz2 historical-5166243e79a8f7c6d831249c84cf3b7279d04e09.zip | |
YAY CVE's
Package-Manager: portage-2.2.7/cvs/Linux x86_64
Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-cluster')
17 files changed, 1090 insertions, 1078 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog index 039d4e187043..0b5b6993a469 100644 --- a/sys-cluster/nova/ChangeLog +++ b/sys-cluster/nova/ChangeLog @@ -1,6 +1,23 @@ # ChangeLog for sys-cluster/nova # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.38 2013/11/14 06:54:23 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.39 2013/11/17 22:35:55 prometheanfire Exp $ + +*nova-2013.2-r2 (17 Nov 2013) +*nova-2013.1.4-r1 (17 Nov 2013) + + 17 Nov 2013; Matthew Thode <prometheanfire@gentoo.org> + +files/CVE-2013-4463_4469-grizzly.patch, + +files/CVE-2013-4463_4469-havana.patch, +files/CVE-2013-4497-1.patch, + +files/CVE-2013-4497-2.patch, +files/CVE-2013-4497-grizzly-1.patch, + +files/CVE-2013-4497-grizzly-2.patch, +nova-2013.1.4-r1.ebuild, + +nova-2013.2-r2.ebuild, -files/2012.2.4-CVE-2013-2256.patch, + -files/2012.2.4-CVE-2013-4185.patch, -files/2012.2.4-CVE-2013-4261.patch, + -files/2012.2.4-CVE-2013-4278.patch, -files/2013.1.3-CVE-2013-4261.patch, + -files/2013.1.3-CVE-2013-4278.patch, -files/nova-folsom-4-CVE-2013-2030.patch, + -files/nova-folsom-4-CVE-2013-2096.patch, + -files/nova-grizzly-1-CVE-2013-2096.patch, -nova-2013.1.4.ebuild, + -nova-2013.2-r1.ebuild: + YAY CVE's 14 Nov 2013; Matthew Thode <prometheanfire@gentoo.org> nova-2013.1.4.ebuild, nova-2013.1.9999.ebuild, nova-2013.2-r1.ebuild, nova-2013.2.9999.ebuild, diff --git a/sys-cluster/nova/Manifest b/sys-cluster/nova/Manifest index a9ebcfe2d320..6a7d3e657e7c 100644 --- a/sys-cluster/nova/Manifest +++ b/sys-cluster/nova/Manifest @@ -1,42 +1,37 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 -AUX 2012.2.4-CVE-2013-2256.patch 14502 SHA256 752d430cfda003c42877c16638b8eefbfd1632ca9845e229d40aa0811e203d6f SHA512 51091d2cb4d352ed6f996ee7b261361d6eac51bc9a69c33f9e0c03810fb2da607173331275494517e8bb12c9ba14aaad448b80826ea8f7be0db880e9b1f9d4ec WHIRLPOOL 287ab4cddc376101b0d70c789de635efa18da847e104a7953ff0cafd4bf5f12394abdac457d376d3d0cd7f7ba8d06e2435151d17869db27381f0940f1e5ae937 -AUX 2012.2.4-CVE-2013-4185.patch 4519 SHA256 f2665d38ffc294a53a41f2ca4a83768ed406da5679212919a311648dc1b53b1e SHA512 8a4fd266524a1d297079637e35cacf219b03533bdea5d3279152b898dc473d75c6be91311d21a27f58179246b6337a61de79477655d29ce2319556bf52fbbbc2 WHIRLPOOL ad97c81fe752edcf205b41db1dbb1173b66cc81583134da5a56a7966dcb48dfbe450a869d953946a5be979f915e8ca288b890df0176a3e393ff8ad0fd55147c0 -AUX 2012.2.4-CVE-2013-4261.patch 4252 SHA256 b63b8ef33f42dd6f591b36505427c477ae0521c0896221f29a1eb5f7392ffa27 SHA512 664a410ec37c356f7d095427593c2b4bf35b2a4f5be734d2af3f094deddc518eae58662a48ccfbbd981e826a4b924bcfdcf72b92524b37a0b7748acb06fd8322 WHIRLPOOL 8a397b6482d84cce0525558475190c6bceffbcdcd3a78683f8ad416deb319f9744229a6595d852cea8faca37dd5646cc91f019a426dc3343f0c42ced125180ee -AUX 2012.2.4-CVE-2013-4278.patch 3742 SHA256 507a18ee721fe99aef5c3c303b9692d54e803479f52a178a0410049dfd76e57b SHA512 8b5502f09dc57005afee8e041a1afb031823dc03596869aa75d4f7554977920879aa7ef2993e6d78cefc54086a9aadb2625813e653237dd143d36a2669d12b2a WHIRLPOOL aadb7faa567ceaf9fd70aba3b44e4e11085ee22fd8d0d1003efa76c1db01f523f16b66264c418d9b20d6f148cb12bcd3f57f3edcfc6464e8ca864db32e682e6e -AUX 2013.1.3-CVE-2013-4261.patch 3219 SHA256 8b16550aaaf0921a4a4020759b25944fcae1ad872637cc90283f7276e2e65711 SHA512 76919b36d76974d0f8d7fb7c978b7ca66e9c03181e47d3be9059da8f9efd8023ca6dcaf543d8d9af2ae0ff63199a134d4fe88defc08aec640e1790fa178fb4dc WHIRLPOOL da1976b1ebdfd0faa8e87e4e6db507883759d804a57d9a9b7fac7d14aa56faa7ee4b8cc1fccbe5ce8722eade8e19008fc8a9354ec30e5d9df24c640fc11c3991 -AUX 2013.1.3-CVE-2013-4278.patch 3539 SHA256 8f42a5397601515e8306ce6a336dd97913a1dc517c9d93df35313272e86bd87e SHA512 cd2eff99dbc3ba27131ba616392518ffb3ece9d6d3b6fcff58308ed3bd3c969bbf5a0d415dd4fdf58ff47d8223f68c7339351ef9f94e0100a1e30069848d5dfa WHIRLPOOL 30c8f83090a8a00f17f83ea4f0eed1b776012d6364de836435e519dfa7ceba4d7fd8021ce0b0422cad3c4ed6b08a291c1e23a4f51c878f129c54a1877cc85d0b +AUX CVE-2013-4463_4469-grizzly.patch 19603 SHA256 72abd5f11fa8bf4c5900d4beef411158a609590e33ce8ad2022cf44a4fd49a83 SHA512 0bad8afecfd985d84919db83a2687cd5332927b323d8836a67dc129af42430b46b39abb83783ba087fb953bf295961a770d56917e9e56ae19cf1abf0c2b58adf WHIRLPOOL 9bdedc9eeebd5a3ec1ab8f90dcb963e830f4523cbd39d1f37706ffc28f8775d450be23b4ecf71ddcbf41a5352bc5f737b7e37df23b16f191fdbc3279df7ee50f +AUX CVE-2013-4463_4469-havana.patch 20808 SHA256 2407de89451cefb46a4b156516bdf71bd5f324962fc4ea0f63a96752846f8885 SHA512 18622589bd383e27162b97c5f4ab854957981a63b6bb6e74a44765ca5e014e3f3061fb04f08cd12288a01e88eee2ed346d594db8c04e7e078aaed93d9593bdd8 WHIRLPOOL 27cf1c5543e8d30a3a7d6769133a7a1bc001f0201d752adc2089ea28b4b73fb2590df3edcc1326f11c2a333063c397e4f3dc2546d457203a2110592fd238005b +AUX CVE-2013-4497-grizzly-1.patch 4853 SHA256 b4477a17f45d505f0f09462888f6fdf59c2c5c89efbf38339a357f00e098c877 SHA512 9d9f4edbdcbffe9abe96526be454f68675543cf8601dac622943389350cc9d2ed28addb5e51fa61305142bd981e80d2f79f6f2b13d9bdc2ec76a1a5438d52798 WHIRLPOOL e30cd6d15c5fad7227c23a9b5a10b57cc7100b626d862a794108dd0ef3caa903bbafb1b497af2d18acbc3f371e59b924f848356134e43df323eef3db483b0c47 +AUX CVE-2013-4497-grizzly-2.patch 1945 SHA256 8c4be7bc42b485afd64d5ec1dd61ecfb5540555640c370649afc5312a3ddcac1 SHA512 1153e89733d0e8cffe1c6cbcaf9b3cabf8ebbf797e578c8ab379df9b01bd88758606ca450f0d7741efdc92869c078f4e1229b29cbb4fa9b8107ef9b92935452a WHIRLPOOL 843758c9f16fa476f0c1e67c2f3596b8adaba26f6d4dfd7c7213294221fe048b22356ba504bd264dab7313a48ce2ca0a8d968767184fe1cdb7b8ac815269ee27 AUX nova-confd 101 SHA256 d9013141618d1e8b8ba85297155747d9c8fc362238de7bba3108b9a2539c8c73 SHA512 4c7ec1d123f2cdaf394d1f4824df861bbe309b0b329db44080160d81746cd0fc9d4cc1b35da0f66ab075f1d4e835ababfb7bccaf4a2e931e60f2c0ac572a552e WHIRLPOOL 6a237357a3905d29a96b32c37f6d189e4f5cefc0986bb091e24a79295191332143741c604c2a9fd44484c75b3be89742a5570862cf0cd4ba225425f7f32b5348 -AUX nova-folsom-4-CVE-2013-2030.patch 1303 SHA256 55ee950de12d27420762b99514a56075bcaf866eb4352dfc038a56eaa2f458f9 SHA512 1dade2e76f559fed97be0259ab1bf16404ee86fcd2039f1e4df78ecf0ddc9cd2ccd8cbb557f4194bc949bc2d9634abef4939f1fbd564ee73def997ce759f6dc3 WHIRLPOOL 45cef89069302b3d73da205600201620115364a5e4d9dc7c850073aed03baff3a731126308ab2ba75d16677d7e32cd17d780640aa8571a753bf797ae664924d1 -AUX nova-folsom-4-CVE-2013-2096.patch 4545 SHA256 b7203f3d380b3d545259060872933e38d40a53b1e9081ab8b93f623fb2a30115 SHA512 f97c4330f4cd8433b150390f22194e86fccf50ecd9300f1b3692e07e3a8b53ee4ec844f191ea28a75298535c66f11aed77c6cb8fb8624b382a793d05e683bc68 WHIRLPOOL 4460bf65d8bffe03f8a4518a99f81f86f6c2f11ce8c6d1ce6ff03ce836da247dc6c8bed73e875a3b47427970291a10d6f34be5b056c4c7fef505ca2bab0b18ed -AUX nova-grizzly-1-CVE-2013-2096.patch 4019 SHA256 d20b89067fb63f4d37ebc5c258841c3d18bd9e4e59c455f247f8df1a25973be6 SHA512 e4b80eaf8260765534d1a69c1c3883c794e611ac17acf299443b519c09503f0f063bc2ea1b090e1519e30ef3afa84253ce0e2603a764001556e52c6b09bfc814 WHIRLPOOL 44215c9e48d06976ba372421b5de29083a72172f1f02a84649eecd1dff675ecbdde9be69851ca10fe194346ad750e900c1dafa0ea4be8799c4bf055126bd18e7 AUX nova-initd 1496 SHA256 5b5f928335ac345103492555c3bc57407f547915b099762d0087aef172e5edf8 SHA512 cca06baba484d505f3a96643d836204a08e9dde50197531cdab2d95188b992a95a375a386b9c54fcc8e0a4f6167babba975db7510db1087f044afa39effe4eec WHIRLPOOL 4c667a5cc469826063a65879c1beddc98371edf295a273c9b8f679627cabfe2260d8b3bbdf9550d3894fc1525d63b9f98d6e939406f90ac5f2f745daa59311c2 AUX nova-sudoers 78 SHA256 9e88c2843fb74cc46802c0b103067ad12915ec50335d05e546a5dba76acb4a76 SHA512 22c0606c6335b2d1a03bd18a319a54f16f76f091b2e8416dbba05ce7c15890beff7f32f0322eb5ba3f2a5c750436cacbe0cee189b390b878e3f0c0df219ef984 WHIRLPOOL bc42ae1d12e9f900b263fd5c3d0f59062f46fbec1ff97c0bceb234082bea5943eb64795b4f5e102b8e2749c6868163e5924467088cad42df09345e3406e5f83c DIST nova-2013.1.4.tar.gz 5801779 SHA256 0491ec81552b9c407021941ea1c477d5bcd93ec1dcc66d5fc0c1cef594dac760 SHA512 de1addcbc4577c4a376d8762e44d6f7c455bd63ba0be9d8a6a7176ef7a24e85f2bf9014e31d1180e42e48308ee6a17dcf039da2739388501a5fedbad8e5a7f0c WHIRLPOOL 08898e55b7380bd1852c00dcd8e03d4eb06c8c888688d66ba717842929973235eb9d6d34dda4be2700f208a7ff9e088de2690a74acd97f5cb6b81bcce743ece3 DIST nova-2013.2.tar.gz 8909222 SHA256 55a51f8d8b6c7b0ba6f8ff9c48604bb82a90bdc3f21460ed325d1cee2dfea95a SHA512 655d6f5a4ab9ddfb741a920417061808bf22521c967d324f0fa1856c801795969df6f4982362bce26836975c09e7f41e25575309cde5c6788ed32e69304381ea WHIRLPOOL d88272c8101426ed4930a924b254d045a5c965f867573039b72b51f7aa5ba2daa47f54332f63e09e781dd22ca55c142acdb432dc92ad366e13b56138ff8f3186 -EBUILD nova-2013.1.4.ebuild 5159 SHA256 cfa64d1568f0a94652e491115daca5136d9c88a9fe5fa3c5baf6a083644916b3 SHA512 4db1929006fd01b3d38d05afcf494227e6eadd44c2abd57f33256cb15becaa2785d69287d5afaa341dc6b668b89a60a8b67664f45000215d09334dfb10eaf49e WHIRLPOOL 0a6a35acbadccc928161084ba338dcf8cbae7b007f18a5f61501515c57c6bd5c05d10743d4f703cd4b64a4ba841ff7258156301876309ffcfea52387faff6c87 +EBUILD nova-2013.1.4-r1.ebuild 5300 SHA256 64114c54b4cea0841591d365e611dd4212312ed693b364d20747e62f09cd63ed SHA512 19aaabacbbc61e0c1b1432aa3c00946798bc0a9ee282da0c9319424c8e1cf27cf592addd0971fc60b5481332b9c5252f70d0bb904cab55dfd0b2631749b73358 WHIRLPOOL 46231efc19340eed3d3182391e16282a682a43bdf6967885edabf4003ca288a64e6aee95fefeceaa8d67db18cc7d1fed6022c3029988fea89b9b37502b52d8ab EBUILD nova-2013.1.9999.ebuild 5073 SHA256 cd1b26465d4bbdbf9daa606fb4787e075461e45acf624eee0753424c2facdb44 SHA512 2d2f40807775654e9e277a8c6910555686dc7d481f75c18d710bb0c12442e92ab852b2243dfd9236ef327aec91899fcacbed55b5429bf158f3714c866b47a453 WHIRLPOOL bbe37fe1d3f294b9d871433b303c4c3265f7e6095263e10954ccd30796d57236dde2aa742bd134ff762de27d4ee3866e1da232d99b6aef68269e66bd52dc632f -EBUILD nova-2013.2-r1.ebuild 5094 SHA256 0df802f19f49e2d5bba55a2a7e42a50f927e8f5f9159266d3320acc4d557b950 SHA512 a942f66a230f3c56a0962c00e7fea7ec006db1d53cd4ce634013b37663afe4f604957946b42a40e325728a885cfbee7f216e59d6ad2a3256de242e7845b46c79 WHIRLPOOL b1264e312de1bc2a87fac09d551379521105a9f0e00db5654a456b509f5624d72b3455aac1e971526d8dd0787dcf0e8f4abe72179d9f7f3c2774b0ca227b1c7b +EBUILD nova-2013.2-r2.ebuild 5141 SHA256 b4d5854b18fe9b1f1b9129706bcbf332e207203a5cc044179c54f54c31eee2d3 SHA512 52964982215d4673f65f8da8fba5000e14b894c607e0c46cce7c53b697d63d4eeb081a2119f3d9845aa51eec106984eb88bf99dc8a1155152c79a6f0c6f181c0 WHIRLPOOL 9f12a7cb282c255e6c810c7e58819d088b45610cdcc288d6e4df931ebf9cd723d4831b046f5dd30f08e1d5159ee612eba2e4b7f5ff3800f8068d93656d676568 EBUILD nova-2013.2.9999.ebuild 5101 SHA256 4e0bfb9d479db641b87f6e04ed38e3ed90d08bdfc89fd95647dd1abf6a7bda63 SHA512 fc450f52b996cacd01d9ee9e57f0b8adbab16c185df61aa93b934a39e230da7f02d7f1dee52dd5a64f943c84294190b6035510f6a6d18ff12a653cbe98bb9969 WHIRLPOOL d26cb0a8ccc580182c5d65028fdbb82c90da9d22b4ab0d91a3e9091e96bf6c5401e6bb177fe27e2f65a3bd04dbd48fa9136d4910b06015f294ecc8aa0d21d44b EBUILD nova-2013.2.ebuild 5091 SHA256 3e18d1530a30248532784f79551f7244a147156c0973f0861d8e79790e5afcd2 SHA512 c01281735be75d81c7e2176e4ab9704352f02815c329bec3489ba3ce1e5cd90fbcde9f4785bc5f1a9b3b0e316104e06c4fb5bae0c32610f56965fd8417f8b1f4 WHIRLPOOL 8f0281afe77ee165ab4a1bd2c7010c4d47c3b90d3085bdb7a3f08ce4364825250d1f968574c04a0e7fc26f0422af7ab529c66701590ae2e381deb9c690ccc3ff EBUILD nova-9999.ebuild 5243 SHA256 fbdbb709ec8711377d025fcdea8afbac8da691c329c01632bfca2673f2299707 SHA512 bf7d2b1392e151e3d5fe8d2e355662d3257f7e6362ec6ecd0461673b0b7ece29ba9e6411d8a9c4b1de89600413e1acbe31a151e5cf27000120c10a17a6710657 WHIRLPOOL 7445b8b89e49f25ebb415edf4617caed7a34b2c03987b2eedbbe8e8dbe481884193d8e97f31426a356e836a96b3d43cd9911ec60c472cf918aa2d7f71d578304 -MISC ChangeLog 8587 SHA256 af200ffd5e451fd7ce5b65c2ec99f0058c3a3bd24deea5e5de056eb6be72dc0d SHA512 529819065d87d3c87b674b90e4fa926693d4ef29d5facd66f12f891c57781a5e8b0ae40baacb2264d1b401915eaf0e308823fc42f4128edbebbf56ab6fed9052 WHIRLPOOL 0ccc26092ef52107cf659f408dbb06515e13f43c1f2dbf8de019e92b95d1515ea7cbfce092faefec17966846e30bf74ba064c969ec776db03d536f39b4483639 +MISC ChangeLog 9405 SHA256 cb50415ecff934324b0481a2b1a57c5f3452ca107c151178845f087c9e701375 SHA512 8477977681e9a3a301ecf1ed877ada7e45502b80db89b12300dfc36099df7057a537ea561997c6d1e9457c3a68eb03c33ebb2907642ab5a8a79c92193da22168 WHIRLPOOL a1e8f3a0e93878abd370cc9b02b571c5442b961f77af1813619e2a3286e2c71da8df55c7ee40e24531ba0e30ba49a351f9e4ebc7a1f5d83043dd3deeab35ec81 MISC metadata.xml 1452 SHA256 29bf3efaab7a4e45f5e442b26a7606edaed3f47e4ffec3e8990f95aea6bf2450 SHA512 537664b6ff29f4afe09eb4635c2cb06d87a6c3c3101e8ef89d1ab9b5b802c79024e94a0cce5a44ec2fd5b1cc37a251dd42156a015b6a294f219b90daff17c9c1 WHIRLPOOL c6e44f9a48fea6ae2a323e9e03d8805301fb0d94bb5634b1946909715f6c05d45c49180204d00221aae1e6dc6748347b4273fae838216b5d5d07932bc473a851 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) -iQIcBAEBCAAGBQJShHRAAAoJECRx6z5ArFrDBEAP/2nrtQOrEWply8ai8XlYj9Gy -VLDlUjUgx/s953Y0/yDGETZmj9qsLXdzGidDyE2h7PDWdbi9Z5SHI7biF/+5liST -ENV5WQqVvTgFJpjXr2s71V/nhqSKiTCvigUHciIbgBJS9tRIq9lVklc1ZCfG9LUR -GNpCyZDNyqwD4zl5Ksjdv4jfYOYXrCrkt7X4YU8vTdqeKYNnltGgxX7qaiPsAyjh -YKIp9c/BvUTPtLHxbP7bQf3FkC67quL5CfAydT3OzOfB5DQm35t5OZz4Vc7QcdBt -EW6mbIGdP9zeM2aVJO6OgTMraSjP5f02Oje3VScz1X3Iao0tfpnC4GtADUfsTwmF -pxoDLMpuoLTFvci4RG9Kpswp83f8lzIkB8LSThMPW3D0uZ93UPch6BdvtMCvFP67 -nkON7jBD3RNRmcVRId4zGdML9C31GAkK/0NXvf3qT/OqVsQkNkgCRjGcAEUU5APw -8rTUS/iU7BYuja0p2NerZP6plK6zkjiof2xcevqq6vroP8eBIjFqthqdMAlC40Tr -iYZtDeMtbaTG5bmF2M1X4wGgga9GpELQPGr4f3xhxu6e431HtQMJQNI478L/1KkX -uT94yg1Lv4GSY4Yz7fNZ1i9/VWTGChI6Yz1Nij+DrnOt8QtR4GXOP+CwopBIRPKa -IjKt8BKWYo7/mcUBjhyp -=Ttqg +iQIcBAEBCAAGBQJSiUVfAAoJECRx6z5ArFrD0Y8QAIzj4KZkr/PdwnssyyFMa1b8 +otCB9rf0NudUZKw92fehoj6KF57gVSR+2fTpC1NkGeLvUKyrTBJ3bGi2Y7hJdMn0 +I3T7JjL5ia5920nkxX9+FqMTY5K7pSlqRoNNUmy51GPTQVGjCqxUhXm80HSQDi8A +KBlRXQgjJT5Kz232I7pgXNe+rgfnwTkoqqc510yzX6HeF0n7pAbBMm//3HvBsXns +9FP7W+RcuG5IJKabIP1iXi4z/XnmUYLIvQErjCi3Xt9/codvnW+nQH6dTU61U3pt +jLXV46RNzYJbzT/DbFzvvNfBcrnfXV3Ij2XERyPeGWh/R/vUmmOyvVs4f/lwqJj0 +BQl1H2HV3qLTjDWZW7FhmFNLRZj7vMfXbCjSKpyANDqqVkR7k8nvQgqswFjTixyH +tP82vSeduJx6lg6SxJZP4PEpjJBFtOGOGeFCt2+gL3JzCyHBKE9OHiEJdS9sH+qd +yp4wO6YvC51SK78Z4oSM3++VdjpT131JG9ziM8dr36YxdVMzUpBKo0BaVB8t5X3M +0FL9uqFPVaXxs3WiPY0p6hx09pNepPrMnyQB6IdWfNxYEg/zzlTK2sg+n2xeasyP +WL6gEGP0PdfVwseYTuX2eZNveQj4trY9sJ2W/8slf3DVXYaG8seAiDw9sfqmESEy +8pnIZi7omu/DRUfJzmbd +=VwVd -----END PGP SIGNATURE----- diff --git a/sys-cluster/nova/files/2012.2.4-CVE-2013-2256.patch b/sys-cluster/nova/files/2012.2.4-CVE-2013-2256.patch deleted file mode 100644 index 7b2f90663a8c..000000000000 --- a/sys-cluster/nova/files/2012.2.4-CVE-2013-2256.patch +++ /dev/null @@ -1,327 +0,0 @@ -From f7aaf1fa04331522aee2158e372940df92f45cb0 Mon Sep 17 00:00:00 2001 -From: Russell Bryant <rbryant@redhat.com> -Date: Thu, 27 Jun 2013 21:00:05 +0000 -Subject: [PATCH] Make flavors is_public option actually work - -When you create a flavor, you can set an is_public flag to be True or -False. It is True by default. When False, the intention is that the -flavor is only accessible by an admin, unless you use the flavor_access -API extension to grant access to specific tenants. - -Unfortunately, the only place in the code where this was being enforced -was when listing flavors through the API. It would filter out the -non-public ones for a non-admin. Otherwise, the flavor was accessible. -You could get the details, and you could boot an instance with it, if -you figured out a valid flavor ID. - -This patch adds enforcement down in the db layer. It also fixes one -place in the API where the context wasn't passed down to enable the -enforcement to happen. - -Fix bug 1194093. - -master -> grizzly -(cherry picked from commit b65d506a5f9d9b2b20777a9aceb44a8ffed6a5de) - -Conflicts: - nova/api/openstack/compute/contrib/flavor_access.py - nova/api/openstack/compute/contrib/flavormanage.py - nova/api/openstack/compute/flavors.py - nova/compute/api.py - nova/db/sqlalchemy/api.py - nova/tests/api/openstack/compute/contrib/test_flavor_access.py - nova/tests/api/openstack/compute/contrib/test_flavor_disabled.py - nova/tests/api/openstack/compute/contrib/test_flavor_manage.py - nova/tests/api/openstack/compute/contrib/test_flavor_rxtx.py - nova/tests/api/openstack/compute/contrib/test_flavor_swap.py - nova/tests/api/openstack/compute/contrib/test_flavorextradata.py - nova/tests/api/openstack/compute/test_flavors.py - nova/tests/db/test_db_api.py - -grizzly -> folsom -(cherry picked from commit 6df1b7a2a1413a98bffc8b8e0b947f3c90e3bbf5) - -Conflicts: - nova/db/sqlalchemy/api.py - nova/tests/api/openstack/compute/test_flavors.py - -Change-Id: I5b37fa0bb19683fe1642fd81222547d4a317054e ---- - .../api/openstack/compute/contrib/flavor_access.py | 3 ++- - nova/api/openstack/compute/contrib/flavormanage.py | 2 +- - nova/api/openstack/compute/flavors.py | 4 +++- - nova/compute/api.py | 2 +- - nova/compute/instance_types.py | 2 +- - nova/db/api.py | 4 ++-- - nova/db/sqlalchemy/api.py | 26 +++++++++++++++------- - .../compute/contrib/test_flavor_access.py | 2 +- - .../compute/contrib/test_flavor_disabled.py | 2 +- - .../compute/contrib/test_flavor_manage.py | 3 ++- - .../openstack/compute/contrib/test_flavor_rxtx.py | 2 +- - .../openstack/compute/contrib/test_flavor_swap.py | 2 +- - .../compute/contrib/test_flavorextradata.py | 2 +- - nova/tests/api/openstack/compute/test_flavors.py | 4 ++-- - 14 files changed, 37 insertions(+), 23 deletions(-) - -diff --git a/nova/api/openstack/compute/contrib/flavor_access.py b/nova/api/openstack/compute/contrib/flavor_access.py -index 9991408..26cd77f 100644 ---- a/nova/api/openstack/compute/contrib/flavor_access.py -+++ b/nova/api/openstack/compute/contrib/flavor_access.py -@@ -99,7 +99,8 @@ class FlavorAccessController(object): - authorize(context) - - try: -- flavor = instance_types.get_instance_type_by_flavor_id(flavor_id) -+ flavor = instance_types.get_instance_type_by_flavor_id(flavor_id, -+ ctxt=context) - except exception.FlavorNotFound: - explanation = _("Flavor not found.") - raise webob.exc.HTTPNotFound(explanation=explanation) -diff --git a/nova/api/openstack/compute/contrib/flavormanage.py b/nova/api/openstack/compute/contrib/flavormanage.py -index e7731cc..79551b1 100644 ---- a/nova/api/openstack/compute/contrib/flavormanage.py -+++ b/nova/api/openstack/compute/contrib/flavormanage.py -@@ -43,7 +43,7 @@ class FlavorManageController(wsgi.Controller): - - try: - flavor = instance_types.get_instance_type_by_flavor_id( -- id, read_deleted="no") -+ id, ctxt=context, read_deleted="no") - except exception.NotFound, e: - raise webob.exc.HTTPNotFound(explanation=e.format_message()) - -diff --git a/nova/api/openstack/compute/flavors.py b/nova/api/openstack/compute/flavors.py -index 8aa57a2..d51b48a 100644 ---- a/nova/api/openstack/compute/flavors.py -+++ b/nova/api/openstack/compute/flavors.py -@@ -84,7 +84,9 @@ class Controller(wsgi.Controller): - def show(self, req, id): - """Return data about the given flavor id.""" - try: -- flavor = instance_types.get_instance_type_by_flavor_id(id) -+ context = req.environ['nova.context'] -+ flavor = instance_types.get_instance_type_by_flavor_id(id, -+ ctxt=context) - req.cache_db_flavor(flavor) - except exception.NotFound: - raise webob.exc.HTTPNotFound() -diff --git a/nova/compute/api.py b/nova/compute/api.py -index 5319d04..ca78830 100644 ---- a/nova/compute/api.py -+++ b/nova/compute/api.py -@@ -1080,7 +1080,7 @@ class API(base.Base): - #NOTE(bcwaldon): this doesn't really belong in this class - def get_instance_type(self, context, instance_type_id): - """Get an instance type by instance type id.""" -- return instance_types.get_instance_type(instance_type_id) -+ return instance_types.get_instance_type(instance_type_id, ctxt=context) - - def get(self, context, instance_id): - """Get a single instance with the given instance_id.""" -diff --git a/nova/compute/instance_types.py b/nova/compute/instance_types.py -index 6869672..5be97c1 100644 ---- a/nova/compute/instance_types.py -+++ b/nova/compute/instance_types.py -@@ -163,7 +163,7 @@ def get_instance_type_by_flavor_id(flavorid, ctxt=None, read_deleted="yes"): - if ctxt is None: - ctxt = context.get_admin_context(read_deleted=read_deleted) - -- return db.instance_type_get_by_flavor_id(ctxt, flavorid) -+ return db.instance_type_get_by_flavor_id(ctxt, flavorid, read_deleted) - - - def get_instance_type_access_by_flavor_id(flavorid, ctxt=None): -diff --git a/nova/db/api.py b/nova/db/api.py -index 9f2ff73..40db686 100644 ---- a/nova/db/api.py -+++ b/nova/db/api.py -@@ -1460,9 +1460,9 @@ def instance_type_get_by_name(context, name): - return IMPL.instance_type_get_by_name(context, name) - - --def instance_type_get_by_flavor_id(context, id): -+def instance_type_get_by_flavor_id(context, id, read_deleted=None): - """Get instance type by flavor id.""" -- return IMPL.instance_type_get_by_flavor_id(context, id) -+ return IMPL.instance_type_get_by_flavor_id(context, id, read_deleted) - - - def instance_type_destroy(context, name): -diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py -index 7fcc4f8..ea32168 100644 ---- a/nova/db/sqlalchemy/api.py -+++ b/nova/db/sqlalchemy/api.py -@@ -3910,7 +3910,7 @@ def instance_type_create(context, values): - pass - try: - instance_type_get_by_flavor_id(context, values['flavorid'], -- session) -+ read_deleted='no', session=session) - raise exception.InstanceTypeExists(name=values['name']) - except exception.FlavorNotFound: - pass -@@ -3952,9 +3952,16 @@ def _dict_with_extra_specs(inst_type_query): - - - def _instance_type_get_query(context, session=None, read_deleted=None): -- return model_query(context, models.InstanceTypes, session=session, -+ query = model_query(context, models.InstanceTypes, session=session, - read_deleted=read_deleted).\ -- options(joinedload('extra_specs')) -+ options(joinedload('extra_specs')) -+ if not context.is_admin: -+ the_filter = [models.InstanceTypes.is_public == True] -+ the_filter.extend([ -+ models.InstanceTypes.projects.any(project_id=context.project_id) -+ ]) -+ query = query.filter(or_(*the_filter)) -+ return query - - - @require_context -@@ -4029,9 +4036,11 @@ def instance_type_get_by_name(context, name, session=None): - - - @require_context --def instance_type_get_by_flavor_id(context, flavor_id, session=None): -+def instance_type_get_by_flavor_id(context, flavor_id, read_deleted, -+ session=None): - """Returns a dict describing specific flavor_id""" -- result = _instance_type_get_query(context, session=session).\ -+ result = _instance_type_get_query(context, read_deleted=read_deleted, -+ session=session).\ - filter_by(flavorid=flavor_id).\ - first() - -@@ -4083,7 +4092,7 @@ def instance_type_access_add(context, flavor_id, project_id): - session = get_session() - with session.begin(): - instance_type_ref = instance_type_get_by_flavor_id(context, flavor_id, -- session=session) -+ read_deleted='no', session=session) - instance_type_id = instance_type_ref['id'] - access_ref = _instance_type_access_query(context, session=session).\ - filter_by(instance_type_id=instance_type_id).\ -@@ -4111,7 +4120,7 @@ def instance_type_access_remove(context, flavor_id, project_id): - session = get_session() - with session.begin(): - instance_type_ref = instance_type_get_by_flavor_id(context, flavor_id, -- session=session) -+ read_deleted='no', session=session) - instance_type_id = instance_type_ref['id'] - access_ref = _instance_type_access_query(context, session=session).\ - filter_by(instance_type_id=instance_type_id).\ -@@ -4447,7 +4456,8 @@ def instance_type_extra_specs_update_or_create(context, flavor_id, - specs): - session = get_session() - spec_ref = None -- instance_type = instance_type_get_by_flavor_id(context, flavor_id) -+ instance_type = instance_type_get_by_flavor_id(context, flavor_id, -+ read_deleted='no') - for key, value in specs.iteritems(): - try: - spec_ref = instance_type_extra_specs_get_item( -diff --git a/nova/tests/api/openstack/compute/contrib/test_flavor_access.py b/nova/tests/api/openstack/compute/contrib/test_flavor_access.py -index 0bf1f1b..075810b 100644 ---- a/nova/tests/api/openstack/compute/contrib/test_flavor_access.py -+++ b/nova/tests/api/openstack/compute/contrib/test_flavor_access.py -@@ -68,7 +68,7 @@ def fake_get_instance_type_access_by_flavor_id(flavorid): - return res - - --def fake_get_instance_type_by_flavor_id(flavorid): -+def fake_get_instance_type_by_flavor_id(flavorid, ctxt=None): - return INSTANCE_TYPES[flavorid] - - -diff --git a/nova/tests/api/openstack/compute/contrib/test_flavor_disabled.py b/nova/tests/api/openstack/compute/contrib/test_flavor_disabled.py -index 1225b56..933178a 100644 ---- a/nova/tests/api/openstack/compute/contrib/test_flavor_disabled.py -+++ b/nova/tests/api/openstack/compute/contrib/test_flavor_disabled.py -@@ -44,7 +44,7 @@ FAKE_FLAVORS = { - } - - --def fake_instance_type_get_by_flavor_id(flavorid): -+def fake_instance_type_get_by_flavor_id(flavorid, ctxt=None): - return FAKE_FLAVORS['flavor %s' % flavorid] - - -diff --git a/nova/tests/api/openstack/compute/contrib/test_flavor_manage.py b/nova/tests/api/openstack/compute/contrib/test_flavor_manage.py -index 70fd5e4..7174ed2 100644 ---- a/nova/tests/api/openstack/compute/contrib/test_flavor_manage.py -+++ b/nova/tests/api/openstack/compute/contrib/test_flavor_manage.py -@@ -25,7 +25,8 @@ from nova import test - from nova.tests.api.openstack import fakes - - --def fake_get_instance_type_by_flavor_id(flavorid, read_deleted='yes'): -+def fake_get_instance_type_by_flavor_id(flavorid, ctxt=None, -+ read_deleted='yes'): - if flavorid == 'failtest': - raise exception.NotFound("Not found sucka!") - elif not str(flavorid) == '1234': -diff --git a/nova/tests/api/openstack/compute/contrib/test_flavor_rxtx.py b/nova/tests/api/openstack/compute/contrib/test_flavor_rxtx.py -index 52163c7..afa2259 100644 ---- a/nova/tests/api/openstack/compute/contrib/test_flavor_rxtx.py -+++ b/nova/tests/api/openstack/compute/contrib/test_flavor_rxtx.py -@@ -43,7 +43,7 @@ FAKE_FLAVORS = { - } - - --def fake_instance_type_get_by_flavor_id(flavorid): -+def fake_instance_type_get_by_flavor_id(flavorid, ctxt=None): - return FAKE_FLAVORS['flavor %s' % flavorid] - - -diff --git a/nova/tests/api/openstack/compute/contrib/test_flavor_swap.py b/nova/tests/api/openstack/compute/contrib/test_flavor_swap.py -index 75e9cd7..3fd1ae9 100644 ---- a/nova/tests/api/openstack/compute/contrib/test_flavor_swap.py -+++ b/nova/tests/api/openstack/compute/contrib/test_flavor_swap.py -@@ -43,7 +43,7 @@ FAKE_FLAVORS = { - } - - --def fake_instance_type_get_by_flavor_id(flavorid): -+def fake_instance_type_get_by_flavor_id(flavorid, ctxt=None): - return FAKE_FLAVORS['flavor %s' % flavorid] - - -diff --git a/nova/tests/api/openstack/compute/contrib/test_flavorextradata.py b/nova/tests/api/openstack/compute/contrib/test_flavorextradata.py -index 8f5301a..9654605 100644 ---- a/nova/tests/api/openstack/compute/contrib/test_flavorextradata.py -+++ b/nova/tests/api/openstack/compute/contrib/test_flavorextradata.py -@@ -23,7 +23,7 @@ from nova import test - from nova.tests.api.openstack import fakes - - --def fake_get_instance_type_by_flavor_id(flavorid): -+def fake_get_instance_type_by_flavor_id(flavorid, ctxt=None): - return { - 'id': flavorid, - 'flavorid': str(flavorid), -diff --git a/nova/tests/api/openstack/compute/test_flavors.py b/nova/tests/api/openstack/compute/test_flavors.py -index 77d40df..cfa3429 100644 ---- a/nova/tests/api/openstack/compute/test_flavors.py -+++ b/nova/tests/api/openstack/compute/test_flavors.py -@@ -54,7 +54,7 @@ FAKE_FLAVORS = { - } - - --def fake_instance_type_get_by_flavor_id(flavorid): -+def fake_instance_type_get_by_flavor_id(flavorid, ctxt=None): - return FAKE_FLAVORS['flavor %s' % flavorid] - - -@@ -80,7 +80,7 @@ def empty_instance_type_get_all(inactive=False, filters=None): - return {} - - --def return_instance_type_not_found(flavor_id): -+def return_instance_type_not_found(flavor_id, ctxt=None): - raise exception.InstanceTypeNotFound(flavor_id=flavor_id) - - --- -1.8.1.5 - diff --git a/sys-cluster/nova/files/2012.2.4-CVE-2013-4185.patch b/sys-cluster/nova/files/2012.2.4-CVE-2013-4185.patch deleted file mode 100644 index 3e02ae10a473..000000000000 --- a/sys-cluster/nova/files/2012.2.4-CVE-2013-4185.patch +++ /dev/null @@ -1,101 +0,0 @@ -From d4ee081c5c0a5132781235177c430ebcf72b0b0b Mon Sep 17 00:00:00 2001 -From: Vishvananda Ishaya <vishvananda@gmail.com> -Date: Fri, 19 Jul 2013 10:23:59 -0700 -Subject: [PATCH] Use cached nwinfo for secgroup rules - -This stops a potential DOS with source security groups by using the -db cached version of the network info instead of calling out to -the network api multiple times. - -Fixes bug 1184041 - -Change-Id: Id5f24ecf0e8cce60c27a9aecbc6e606c4c44d6b6 -(cherry picked from commit 85aac04704350566d6b06aa7a3b99649946c672c) ---- - nova/db/sqlalchemy/api.py | 2 ++ - nova/tests/test_libvirt.py | 4 +++- - nova/tests/test_xenapi.py | 5 +++-- - nova/virt/firewall.py | 12 +++--------- - 4 files changed, 11 insertions(+), 12 deletions(-) - -diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py -index 7fcc4f8..6d3b139 100644 ---- a/nova/db/sqlalchemy/api.py -+++ b/nova/db/sqlalchemy/api.py -@@ -3649,6 +3649,8 @@ def security_group_rule_get_by_security_group(context, security_group_id, - return _security_group_rule_get_query(context, session=session).\ - filter_by(parent_group_id=security_group_id).\ - options(joinedload_all('grantee_group.instances.instance_type')).\ -+ options(joinedload('grantee_group.instances.' -+ 'info_cache')).\ - all() - - -diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py -index b26a006..e956eb0 100644 ---- a/nova/tests/test_libvirt.py -+++ b/nova/tests/test_libvirt.py -@@ -3240,7 +3240,9 @@ class IptablesFirewallTestCase(test.TestCase): - from nova.network import linux_net - linux_net.iptables_manager.execute = fake_iptables_execute - -- _fake_stub_out_get_nw_info(self.stubs, lambda *a, **kw: network_model) -+ from nova.compute import utils as compute_utils -+ self.stubs.Set(compute_utils, 'get_nw_info_for_instance', -+ lambda instance: network_model) - - network_info = network_model.legacy() - self.fw.prepare_instance_filter(instance_ref, network_info) -diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py -index 0cf69d6..7a8f9b4 100644 ---- a/nova/tests/test_xenapi.py -+++ b/nova/tests/test_xenapi.py -@@ -1690,8 +1690,9 @@ class XenAPIDom0IptablesFirewallTestCase(stubs.XenAPITestBase): - network_model = fake_network.fake_get_instance_nw_info(self.stubs, - 1, spectacular=True) - -- fake_network.stub_out_nw_api_get_instance_nw_info(self.stubs, -- lambda *a, **kw: network_model) -+ from nova.compute import utils as compute_utils -+ self.stubs.Set(compute_utils, 'get_nw_info_for_instance', -+ lambda instance: network_model) - - network_info = network_model.legacy() - self.fw.prepare_instance_filter(instance_ref, network_info) -diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py -index a093a35..7c22c86 100644 ---- a/nova/virt/firewall.py -+++ b/nova/virt/firewall.py -@@ -17,10 +17,10 @@ - # License for the specific language governing permissions and limitations - # under the License. - -+from nova.compute import utils as compute_utils - from nova import context - from nova import db - from nova import flags --from nova import network - from nova.network import linux_net - from nova.openstack.common import cfg - from nova.openstack.common import importutils -@@ -405,15 +405,9 @@ class IptablesFirewallDriver(FirewallDriver): - fw_rules += [' '.join(args)] - else: - if rule['grantee_group']: -- # FIXME(jkoelker) This needs to be ported up into -- # the compute manager which already -- # has access to a nw_api handle, -- # and should be the only one making -- # making rpc calls. -- nw_api = network.API() - for instance in rule['grantee_group']['instances']: -- nw_info = nw_api.get_instance_nw_info(ctxt, -- instance) -+ nw_info = compute_utils.get_nw_info_for_instance( -+ instance) - - ips = [ip['address'] - for ip in nw_info.fixed_ips() --- -1.8.1.5 - diff --git a/sys-cluster/nova/files/2012.2.4-CVE-2013-4261.patch b/sys-cluster/nova/files/2012.2.4-CVE-2013-4261.patch deleted file mode 100644 index eacc6286fb98..000000000000 --- a/sys-cluster/nova/files/2012.2.4-CVE-2013-4261.patch +++ /dev/null @@ -1,114 +0,0 @@ -From ef5730a4620b409a3b46e46966e3bc6f3a306464 Mon Sep 17 00:00:00 2001 -From: Ben Nemec <bnemec@us.ibm.com> -Date: Thu, 9 May 2013 19:06:45 +0000 -Subject: [PATCH] Fix problem with long messages in Qpid (from oslo) - -This is commit 478ac3a3e in oslo-incubator - -Qpid has a limitation where it cannot serialize a dict containing a -string greater than 65535 characters. This change alters the Qpid -implementation to JSON encode the dict before sending it, but only if -Qpid would fail to serialize it. This maintains as much backward -compatibility as possible, though long messages will still fail if they -are sent to an older receiver. - -Even though this change will modify the message format, it will only do -it when messages are longer than 65K which would be broken anyway and -could cause serious bugs like the one linked below. - -Fixes bug 1215091 - -Change-Id: I2f0e88435748bab631d969573d3a598d9e1f7fef ---- - nova/openstack/common/rpc/impl_qpid.py | 47 ++++++++++++++++++++++++++++++++++ - 1 file changed, 47 insertions(+) - -diff --git a/nova/openstack/common/rpc/impl_qpid.py b/nova/openstack/common/rpc/impl_qpid.py -index e579316..67388fd 100644 ---- a/nova/openstack/common/rpc/impl_qpid.py -+++ b/nova/openstack/common/rpc/impl_qpid.py -@@ -23,6 +23,7 @@ import uuid - - import eventlet - import greenlet -+import qpid.codec010 as qpid_codec - import qpid.messaging - import qpid.messaging.exceptions - -@@ -63,6 +64,8 @@ qpid_opts = [ - - cfg.CONF.register_opts(qpid_opts) - -+JSON_CONTENT_TYPE = 'application/json; charset=utf8' -+ - - class ConsumerBase(object): - """Consumer base class.""" -@@ -117,10 +120,27 @@ class ConsumerBase(object): - self.receiver = session.receiver(self.address) - self.receiver.capacity = 1 - -+ def _unpack_json_msg(self, msg): -+ """Load the JSON data in msg if msg.content_type indicates that it -+ is necessary. Put the loaded data back into msg.content and -+ update msg.content_type appropriately. -+ -+ A Qpid Message containing a dict will have a content_type of -+ 'amqp/map', whereas one containing a string that needs to be converted -+ back from JSON will have a content_type of JSON_CONTENT_TYPE. -+ -+ :param msg: a Qpid Message object -+ :returns: None -+ """ -+ if msg.content_type == JSON_CONTENT_TYPE: -+ msg.content = jsonutils.loads(msg.content) -+ msg.content_type = 'amqp/map' -+ - def consume(self): - """Fetch the message and pass it to the callback object""" - message = self.receiver.fetch() - try: -+ self._unpack_json_msg(message) - self.callback(message.content) - except Exception: - LOG.exception(_("Failed to process message... skipping it.")) -@@ -220,8 +240,35 @@ class Publisher(object): - """Re-establish the Sender after a reconnection""" - self.sender = session.sender(self.address) - -+ def _pack_json_msg(self, msg): -+ """Qpid cannot serialize dicts containing strings longer than 65535 -+ characters. This function dumps the message content to a JSON -+ string, which Qpid is able to handle. -+ -+ :param msg: May be either a Qpid Message object or a bare dict. -+ :returns: A Qpid Message with its content field JSON encoded. -+ """ -+ try: -+ msg.content = jsonutils.dumps(msg.content) -+ except AttributeError: -+ # Need to have a Qpid message so we can set the content_type. -+ msg = qpid.messaging.Message(jsonutils.dumps(msg)) -+ msg.content_type = JSON_CONTENT_TYPE -+ return msg -+ - def send(self, msg): - """Send a message""" -+ try: -+ # Check if Qpid can encode the message -+ check_msg = msg -+ if not hasattr(check_msg, 'content_type'): -+ check_msg = qpid.messaging.Message(msg) -+ content_type = check_msg.content_type -+ enc, dec = qpid.messaging.message.get_codec(content_type) -+ enc(check_msg.content) -+ except qpid_codec.CodecException: -+ # This means the message couldn't be serialized as a dict. -+ msg = self._pack_json_msg(msg) - self.sender.send(msg) - - --- -1.8.1.2 - - diff --git a/sys-cluster/nova/files/2012.2.4-CVE-2013-4278.patch b/sys-cluster/nova/files/2012.2.4-CVE-2013-4278.patch deleted file mode 100644 index a0b9b4119741..000000000000 --- a/sys-cluster/nova/files/2012.2.4-CVE-2013-4278.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 6825959560e06725d26625fd21f5c0b78b305492 Mon Sep 17 00:00:00 2001 -From: Russell Bryant <rbryant@redhat.com> -Date: Tue, 20 Aug 2013 11:06:12 -0400 -Subject: [PATCH] Enforce flavor access during instance boot - -The code in the servers API did not pass the context when retrieving -flavor details. That means it would use an admin context instead, -bypassing all flavor access control checks. - -This patch includes the fix, and the corresponding unit test for the v2 -API. - -Closes-bug: #1212179 - -(cherry picked from commit 4054cc4a22a1fea997dec76afb5646fd6c6ea6b9) - -Conflicts: - nova/api/openstack/compute/plugins/v3/servers.py - nova/api/openstack/compute/servers.py - nova/tests/api/openstack/compute/plugins/v3/test_servers.py - nova/tests/api/openstack/compute/test_servers.py - -Change-Id: I681ae9965e19767df22fa74c3315e4e03a459d3b ---- - nova/api/openstack/compute/servers.py | 3 ++- - nova/tests/api/openstack/compute/test_servers.py | 23 +++++++++++++++++++++-- - 2 files changed, 23 insertions(+), 3 deletions(-) - -diff --git a/nova/api/openstack/compute/servers.py b/nova/api/openstack/compute/servers.py -index 6908262..ab06595 100644 ---- a/nova/api/openstack/compute/servers.py -+++ b/nova/api/openstack/compute/servers.py -@@ -844,7 +844,8 @@ class Controller(wsgi.Controller): - - try: - _get_inst_type = instance_types.get_instance_type_by_flavor_id -- inst_type = _get_inst_type(flavor_id, read_deleted="no") -+ inst_type = _get_inst_type(flavor_id, ctxt=context, -+ read_deleted="no") - - (instances, resv_id) = self.compute_api.create(context, - inst_type, -diff --git a/nova/tests/api/openstack/compute/test_servers.py b/nova/tests/api/openstack/compute/test_servers.py -index cd88a2a..5cb26bd 100644 ---- a/nova/tests/api/openstack/compute/test_servers.py -+++ b/nova/tests/api/openstack/compute/test_servers.py -@@ -34,6 +34,7 @@ import nova.compute.api - from nova.compute import instance_types - from nova.compute import task_states - from nova.compute import vm_states -+import nova.context - import nova.db - from nova.db.sqlalchemy import models - from nova import flags -@@ -1703,10 +1704,10 @@ class ServersControllerCreateTest(test.TestCase): - """ - self.assertTrue("adminPass" not in server_dict) - -- def _test_create_instance(self): -+ def _test_create_instance(self, flavor=2): - image_uuid = 'c905cedb-7281-47e4-8a62-f26bc5fc4c77' - body = dict(server=dict( -- name='server_test', imageRef=image_uuid, flavorRef=2, -+ name='server_test', imageRef=image_uuid, flavorRef=flavor, - metadata={'hello': 'world', 'open': 'stack'}, - personality={})) - req = fakes.HTTPRequest.blank('/v2/fake/servers') -@@ -1718,6 +1719,24 @@ class ServersControllerCreateTest(test.TestCase): - self._check_admin_pass_len(server) - self.assertEqual(FAKE_UUID, server['id']) - -+ def test_create_instance_private_flavor(self): -+ values = { -+ 'name': 'fake_name', -+ 'memory_mb': 512, -+ 'vcpus': 1, -+ 'root_gb': 10, -+ 'ephemeral_gb': 10, -+ 'flavorid': '1324', -+ 'swap': 0, -+ 'rxtx_factor': 0.5, -+ 'vcpu_weight': 1, -+ 'disabled': False, -+ 'is_public': False, -+ } -+ nova.db.instance_type_create(nova.context.get_admin_context(), values) -+ self.assertRaises(webob.exc.HTTPBadRequest, self._test_create_instance, -+ flavor=1324) -+ - def test_create_server_bad_image_href(self): - image_href = 1 - flavor_ref = 'http://localhost/123/flavors/3' --- -1.8.1.5 - diff --git a/sys-cluster/nova/files/2013.1.3-CVE-2013-4261.patch b/sys-cluster/nova/files/2013.1.3-CVE-2013-4261.patch deleted file mode 100644 index ce266d4dd453..000000000000 --- a/sys-cluster/nova/files/2013.1.3-CVE-2013-4261.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 2d949c415b97ed9649e78c880ab149d0d39c1152 Mon Sep 17 00:00:00 2001 -From: Xavier Queralt <xqueralt@redhat.com> -Date: Thu, 5 Sep 2013 10:08:29 +0200 -Subject: [PATCH] Fix Qpid when sending long messages (from oslo) - -This is commit 4f97479ad in oslo-incubator - -Qpid has a limitation where it cannot serialize a dict containing a -string greater than 65535 characters. This change alters the Qpid -implementation to JSON encode the dict before sending it, but only if -Qpid would fail to serialize it. This maintains as much backward -compatibility as possible, though long messages will still fail if they -are sent to an older receiver. - -The first part of this fix was ported to Grizzly in Ib52e9458a to allow -receiving messages from Havana using the new format. Even though this -change will modify the message format, it will only do it when messages -are longer than 65K which would be broken anyway and could cause serious -bugs like the one linked below. - -Fixes bug 1215091 - -Change-Id: I505b648c3d0e1176ec7a3fc7d1646fa5a5232261 ---- - nova/openstack/common/rpc/impl_qpid.py | 28 ++++++++++++++++++++++++++++ - 1 file changed, 28 insertions(+) - -diff --git a/nova/openstack/common/rpc/impl_qpid.py b/nova/openstack/common/rpc/impl_qpid.py -index 0044088..a7aebc1 100644 ---- a/nova/openstack/common/rpc/impl_qpid.py -+++ b/nova/openstack/common/rpc/impl_qpid.py -@@ -31,6 +31,7 @@ from nova.openstack.common import log as logging - from nova.openstack.common.rpc import amqp as rpc_amqp - from nova.openstack.common.rpc import common as rpc_common - -+qpid_codec = importutils.try_import("qpid.codec010") - qpid_messaging = importutils.try_import("qpid.messaging") - qpid_exceptions = importutils.try_import("qpid.messaging.exceptions") - -@@ -247,8 +248,35 @@ class Publisher(object): - """Re-establish the Sender after a reconnection""" - self.sender = session.sender(self.address) - -+ def _pack_json_msg(self, msg): -+ """Qpid cannot serialize dicts containing strings longer than 65535 -+ characters. This function dumps the message content to a JSON -+ string, which Qpid is able to handle. -+ -+ :param msg: May be either a Qpid Message object or a bare dict. -+ :returns: A Qpid Message with its content field JSON encoded. -+ """ -+ try: -+ msg.content = jsonutils.dumps(msg.content) -+ except AttributeError: -+ # Need to have a Qpid message so we can set the content_type. -+ msg = qpid_messaging.Message(jsonutils.dumps(msg)) -+ msg.content_type = JSON_CONTENT_TYPE -+ return msg -+ - def send(self, msg): - """Send a message""" -+ try: -+ # Check if Qpid can encode the message -+ check_msg = msg -+ if not hasattr(check_msg, 'content_type'): -+ check_msg = qpid_messaging.Message(msg) -+ content_type = check_msg.content_type -+ enc, dec = qpid_messaging.message.get_codec(content_type) -+ enc(check_msg.content) -+ except qpid_codec.CodecException: -+ # This means the message couldn't be serialized as a dict. -+ msg = self._pack_json_msg(msg) - self.sender.send(msg) - - --- -1.8.1.2 - - diff --git a/sys-cluster/nova/files/2013.1.3-CVE-2013-4278.patch b/sys-cluster/nova/files/2013.1.3-CVE-2013-4278.patch deleted file mode 100644 index 51c3af50a144..000000000000 --- a/sys-cluster/nova/files/2013.1.3-CVE-2013-4278.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 8b686195afe7e6dfb46c56c1ef2fe9c993d8e495 Mon Sep 17 00:00:00 2001 -From: Russell Bryant <rbryant@redhat.com> -Date: Tue, 20 Aug 2013 11:06:12 -0400 -Subject: [PATCH] Enforce flavor access during instance boot - -The code in the servers API did not pass the context when retrieving -flavor details. That means it would use an admin context instead, -bypassing all flavor access control checks. - -This patch includes the fix, and the corresponding unit test for the v2 -API. - -Closes-bug: #1212179 - -(cherry picked from commit 4054cc4a22a1fea997dec76afb5646fd6c6ea6b9) - -Conflicts: - nova/api/openstack/compute/plugins/v3/servers.py - nova/api/openstack/compute/servers.py - nova/tests/api/openstack/compute/plugins/v3/test_servers.py - nova/tests/api/openstack/compute/test_servers.py - -Change-Id: I681ae9965e19767df22fa74c3315e4e03a459d3b ---- - nova/api/openstack/compute/servers.py | 3 ++- - nova/tests/api/openstack/compute/test_servers.py | 22 ++++++++++++++++++++-- - 2 files changed, 22 insertions(+), 3 deletions(-) - -diff --git a/nova/api/openstack/compute/servers.py b/nova/api/openstack/compute/servers.py -index 85ef080..6c38219 100644 ---- a/nova/api/openstack/compute/servers.py -+++ b/nova/api/openstack/compute/servers.py -@@ -873,7 +873,8 @@ class Controller(wsgi.Controller): - - try: - _get_inst_type = instance_types.get_instance_type_by_flavor_id -- inst_type = _get_inst_type(flavor_id, read_deleted="no") -+ inst_type = _get_inst_type(flavor_id, ctxt=context, -+ read_deleted="no") - - (instances, resv_id) = self.compute_api.create(context, - inst_type, -diff --git a/nova/tests/api/openstack/compute/test_servers.py b/nova/tests/api/openstack/compute/test_servers.py -index 7748c2e..89d0f8a 100644 ---- a/nova/tests/api/openstack/compute/test_servers.py -+++ b/nova/tests/api/openstack/compute/test_servers.py -@@ -1822,10 +1822,10 @@ class ServersControllerCreateTest(test.TestCase): - """utility function - check server_dict for absence of adminPass.""" - self.assertTrue("adminPass" not in server_dict) - -- def _test_create_instance(self): -+ def _test_create_instance(self, flavor=2): - image_uuid = 'c905cedb-7281-47e4-8a62-f26bc5fc4c77' - body = dict(server=dict( -- name='server_test', imageRef=image_uuid, flavorRef=2, -+ name='server_test', imageRef=image_uuid, flavorRef=flavor, - metadata={'hello': 'world', 'open': 'stack'}, - personality={})) - req = fakes.HTTPRequest.blank('/v2/fake/servers') -@@ -1837,6 +1837,24 @@ class ServersControllerCreateTest(test.TestCase): - self._check_admin_pass_len(server) - self.assertEqual(FAKE_UUID, server['id']) - -+ def test_create_instance_private_flavor(self): -+ values = { -+ 'name': 'fake_name', -+ 'memory_mb': 512, -+ 'vcpus': 1, -+ 'root_gb': 10, -+ 'ephemeral_gb': 10, -+ 'flavorid': '1324', -+ 'swap': 0, -+ 'rxtx_factor': 0.5, -+ 'vcpu_weight': 1, -+ 'disabled': False, -+ 'is_public': False, -+ } -+ db.instance_type_create(context.get_admin_context(), values) -+ self.assertRaises(webob.exc.HTTPBadRequest, self._test_create_instance, -+ flavor=1324) -+ - def test_create_server_bad_image_href(self): - image_href = 1 - flavor_ref = 'http://localhost/123/flavors/3' --- -1.8.1.5 - diff --git a/sys-cluster/nova/files/CVE-2013-4463_4469-grizzly.patch b/sys-cluster/nova/files/CVE-2013-4463_4469-grizzly.patch new file mode 100644 index 000000000000..f2dd6cdca46c --- /dev/null +++ b/sys-cluster/nova/files/CVE-2013-4463_4469-grizzly.patch @@ -0,0 +1,432 @@ +From 135faa7b5d9855312bedc19e5e1ecebae34d3d18 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?P=C3=A1draig=20Brady?= <pbrady@redhat.com> +Date: Fri, 27 Sep 2013 04:07:14 +0100 +Subject: [PATCH] ensure we don't boot oversized images + +Since we can't generally shrink incoming images, add extra checks +to ensure oversized images are not allowed through. +All cases when populating the libvirt image cache are now handled, +including the initial download from glance, where we avoid +converting to raw, as that could generate non sparse images +much larger than the downloaded image. + +* nova/virt/libvirt/utils.py (fetch_image): Allow passing through +of the max_size parameter. +* nova/virt/images.py (fetch_to_raw): Accept the max_size parameter, +and use it to discard images with larger (virtual) sizes. +* nova/virt/libvirt/imagebackend.py (verify_base_size): A new +refactored function to identify and raise exception to oversized images. +(Raw.create_image): Pass the max_size to the fetch function. +Also enforce virtual image size checking for already fetched images, +as this class (despite the name) can be handling qcow files. +(Qcow2.create_image): Pass the max_size to the fetch function, +or verify the virtual size for the instance as done previously. +(Lvm.create_image): Pass the max_size to the fetch function. +Also check the size before transferring to the volume to improve +efficiency by not even attempting the transfer of oversized images. +(Rbd.create_image): Likewise. +* nova/tests/fake_libvirt_utils.py: Support max_size arg. +* nova/tests/test_libvirt.py (test_fetch_raw_image): +Add a case to check oversized images are discarded. +* nova/tests/test_imagebackend.py (test_create_image_too_small): +Adjust to avoid the fetch size check. + +Fixes bug: 1177830 +Fixes bug: 1206081 + +Conflicts: + + nova/tests/test_imagebackend.py + nova/virt/libvirt/imagebackend.py + +Change-Id: Idc35fce580be4f74e23883d1b4bea6475c3f6e30 +--- + nova/tests/fake_libvirt_utils.py | 2 +- + nova/tests/test_imagebackend.py | 35 ++++++++++------------------- + nova/tests/test_libvirt.py | 24 +++++++++++++++++--- + nova/virt/images.py | 24 +++++++++++++++++--- + nova/virt/libvirt/imagebackend.py | 47 ++++++++++++++++++++++++++++++--------- + nova/virt/libvirt/utils.py | 5 +++-- + 6 files changed, 95 insertions(+), 42 deletions(-) + +diff --git a/nova/tests/fake_libvirt_utils.py b/nova/tests/fake_libvirt_utils.py +index 23b758e..ecf357a 100644 +--- a/nova/tests/fake_libvirt_utils.py ++++ b/nova/tests/fake_libvirt_utils.py +@@ -193,7 +193,7 @@ def get_fs_info(path): + 'free': 84 * (1024 ** 3)} + + +-def fetch_image(context, target, image_id, user_id, project_id): ++def fetch_image(context, target, image_id, user_id, project_id, max_size=0): + pass + + +diff --git a/nova/tests/test_imagebackend.py b/nova/tests/test_imagebackend.py +index 77446e8..93ed23d 100644 +--- a/nova/tests/test_imagebackend.py ++++ b/nova/tests/test_imagebackend.py +@@ -189,7 +189,7 @@ def prepare_mocks(self): + + def test_create_image(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH, image_id=None) ++ fn(target=self.TEMPLATE_PATH, max_size=None, image_id=None) + imagebackend.libvirt_utils.copy_image(self.TEMPLATE_PATH, self.PATH) + self.mox.ReplayAll() + +@@ -210,7 +210,7 @@ def test_create_image_generated(self): + + def test_create_image_extend(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH, image_id=None) ++ fn(max_size=self.SIZE, target=self.TEMPLATE_PATH, image_id=None) + imagebackend.libvirt_utils.copy_image(self.TEMPLATE_PATH, self.PATH) + imagebackend.disk.extend(self.PATH, self.SIZE) + self.mox.ReplayAll() +@@ -260,7 +260,7 @@ def prepare_mocks(self): + + def test_create_image(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=None, target=self.TEMPLATE_PATH) + imagebackend.libvirt_utils.create_cow_image(self.TEMPLATE_PATH, + self.PATH) + self.mox.ReplayAll() +@@ -272,15 +272,12 @@ def test_create_image(self): + + def test_create_image_with_size(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=self.SIZE, target=self.TEMPLATE_PATH) + self.mox.StubOutWithMock(os.path, 'exists') +- self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') + if self.OLD_STYLE_INSTANCE_PATH: + os.path.exists(self.OLD_STYLE_INSTANCE_PATH).AndReturn(False) + os.path.exists(self.TEMPLATE_PATH).AndReturn(False) + os.path.exists(self.PATH).AndReturn(False) +- imagebackend.disk.get_disk_size(self.TEMPLATE_PATH +- ).AndReturn(self.SIZE) + os.path.exists(self.PATH).AndReturn(False) + imagebackend.libvirt_utils.create_cow_image(self.TEMPLATE_PATH, + self.PATH) +@@ -294,27 +291,24 @@ def test_create_image_with_size(self): + + def test_create_image_too_small(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) + self.mox.StubOutWithMock(os.path, 'exists') + self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') + if self.OLD_STYLE_INSTANCE_PATH: + os.path.exists(self.OLD_STYLE_INSTANCE_PATH).AndReturn(False) +- os.path.exists(self.TEMPLATE_PATH).AndReturn(False) +- os.path.exists(self.PATH).AndReturn(False) ++ os.path.exists(self.TEMPLATE_PATH).AndReturn(True) + imagebackend.disk.get_disk_size(self.TEMPLATE_PATH + ).AndReturn(self.SIZE) + self.mox.ReplayAll() + + image = self.image_class(self.INSTANCE, self.NAME) +- self.assertRaises(exception.ImageTooLarge, image.create_image, fn, +- self.TEMPLATE_PATH, 1) ++ self.assertRaises(exception.InstanceTypeDiskTooSmall, ++ image.create_image, fn, self.TEMPLATE_PATH, 1) + self.mox.VerifyAll() + + def test_generate_resized_backing_files(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=self.SIZE, target=self.TEMPLATE_PATH) + self.mox.StubOutWithMock(os.path, 'exists') +- self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') + self.mox.StubOutWithMock(imagebackend.libvirt_utils, + 'get_disk_backing_file') + if self.OLD_STYLE_INSTANCE_PATH: +@@ -329,8 +323,6 @@ def test_generate_resized_backing_files(self): + self.QCOW2_BASE) + imagebackend.disk.extend(self.QCOW2_BASE, self.SIZE) + +- imagebackend.disk.get_disk_size(self.TEMPLATE_PATH +- ).AndReturn(self.SIZE) + os.path.exists(self.PATH).AndReturn(True) + self.mox.ReplayAll() + +@@ -341,9 +333,8 @@ def test_generate_resized_backing_files(self): + + def test_qcow2_exists_and_has_no_backing_file(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=self.SIZE, target=self.TEMPLATE_PATH) + self.mox.StubOutWithMock(os.path, 'exists') +- self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') + self.mox.StubOutWithMock(imagebackend.libvirt_utils, + 'get_disk_backing_file') + if self.OLD_STYLE_INSTANCE_PATH: +@@ -353,8 +344,6 @@ def test_qcow2_exists_and_has_no_backing_file(self): + + imagebackend.libvirt_utils.get_disk_backing_file(self.PATH)\ + .AndReturn(None) +- imagebackend.disk.get_disk_size(self.TEMPLATE_PATH +- ).AndReturn(self.SIZE) + os.path.exists(self.PATH).AndReturn(True) + self.mox.ReplayAll() + +@@ -391,7 +380,7 @@ def prepare_mocks(self): + + def _create_image(self, sparse): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=None, target=self.TEMPLATE_PATH) + self.libvirt_utils.create_lvm_image(self.VG, + self.LV, + self.TEMPLATE_SIZE, +@@ -423,7 +412,7 @@ def _create_image_generated(self, sparse): + + def _create_image_resize(self, sparse): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=self.SIZE, target=self.TEMPLATE_PATH) + self.libvirt_utils.create_lvm_image(self.VG, self.LV, + self.SIZE, sparse=sparse) + self.disk.get_disk_size(self.TEMPLATE_PATH +@@ -462,7 +451,7 @@ def test_create_image_resize_sparsed(self): + + def test_create_image_negative(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=self.SIZE, target=self.TEMPLATE_PATH) + self.libvirt_utils.create_lvm_image(self.VG, + self.LV, + self.SIZE, +diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py +index d8c4cf2..e422ec7 100644 +--- a/nova/tests/test_libvirt.py ++++ b/nova/tests/test_libvirt.py +@@ -4826,7 +4826,8 @@ def test_fetch_image(self): + image_id = '4' + user_id = 'fake' + project_id = 'fake' +- images.fetch_to_raw(context, image_id, target, user_id, project_id) ++ images.fetch_to_raw(context, image_id, target, user_id, project_id, ++ max_size=0) + + self.mox.ReplayAll() + libvirt_utils.fetch_image(context, target, image_id, +@@ -4856,20 +4857,27 @@ class FakeImgInfo(object): + file_format = path.split('.')[-2] + elif file_format == 'converted': + file_format = 'raw' ++ + if 'backing' in path: + backing_file = 'backing' + else: + backing_file = None + ++ if 'big' in path: ++ virtual_size = 2 ++ else: ++ virtual_size = 1 ++ + FakeImgInfo.file_format = file_format + FakeImgInfo.backing_file = backing_file ++ FakeImgInfo.virtual_size = virtual_size + + return FakeImgInfo() + + self.stubs.Set(utils, 'execute', fake_execute) + self.stubs.Set(os, 'rename', fake_rename) + self.stubs.Set(os, 'unlink', fake_unlink) +- self.stubs.Set(images, 'fetch', lambda *_: None) ++ self.stubs.Set(images, 'fetch', lambda *_, **__: None) + self.stubs.Set(images, 'qemu_img_info', fake_qemu_img_info) + self.stubs.Set(utils, 'delete_if_exists', fake_rm_on_errror) + +@@ -4884,7 +4892,8 @@ class FakeImgInfo(object): + 't.qcow2.part', 't.qcow2.converted'), + ('rm', 't.qcow2.part'), + ('mv', 't.qcow2.converted', 't.qcow2')] +- images.fetch_to_raw(context, image_id, target, user_id, project_id) ++ images.fetch_to_raw(context, image_id, target, user_id, project_id, ++ max_size=1) + self.assertEqual(self.executes, expected_commands) + + target = 't.raw' +@@ -4901,6 +4910,15 @@ class FakeImgInfo(object): + context, image_id, target, user_id, project_id) + self.assertEqual(self.executes, expected_commands) + ++ target = 'big.qcow2' ++ self.executes = [] ++ expected_commands = [('rm', '-f', 'big.qcow2.part')] ++ self.assertRaises(exception.InstanceTypeDiskTooSmall, ++ images.fetch_to_raw, ++ context, image_id, target, user_id, project_id, ++ max_size=1) ++ self.assertEqual(self.executes, expected_commands) ++ + del self.executes + + def test_get_disk_backing_file(self): +diff --git a/nova/virt/images.py b/nova/virt/images.py +index b40f566..541779a 100755 +--- a/nova/virt/images.py ++++ b/nova/virt/images.py +@@ -190,7 +190,7 @@ def convert_image(source, dest, out_format, run_as_root=False): + utils.execute(*cmd, run_as_root=run_as_root) + + +-def fetch(context, image_href, path, _user_id, _project_id): ++def fetch(context, image_href, path, _user_id, _project_id, max_size=0): + # TODO(vish): Improve context handling and add owner and auth data + # when it is added to glance. Right now there is no + # auth checking in glance, so we assume that access was +@@ -202,9 +202,10 @@ def fetch(context, image_href, path, _user_id, _project_id): + image_service.download(context, image_id, image_file) + + +-def fetch_to_raw(context, image_href, path, user_id, project_id): ++def fetch_to_raw(context, image_href, path, user_id, project_id, max_size=0): + path_tmp = "%s.part" % path +- fetch(context, image_href, path_tmp, user_id, project_id) ++ fetch(context, image_href, path_tmp, user_id, project_id, ++ max_size=max_size) + + with utils.remove_path_on_error(path_tmp): + data = qemu_img_info(path_tmp) +@@ -220,6 +221,23 @@ def fetch_to_raw(context, image_href, path, user_id, project_id): + raise exception.ImageUnacceptable(image_id=image_href, + reason=_("fmt=%(fmt)s backed by: %(backing_file)s") % locals()) + ++ # We can't generally shrink incoming images, so disallow ++ # images > size of the flavor we're booting. Checking here avoids ++ # an immediate DoS where we convert large qcow images to raw ++ # (which may compress well but not be sparse). ++ # TODO(p-draigbrady): loop through all flavor sizes, so that ++ # we might continue here and not discard the download. ++ # If we did that we'd have to do the higher level size checks ++ # irrespective of whether the base image was prepared or not. ++ disk_size = data.virtual_size ++ if max_size and max_size < disk_size: ++ msg = _('%(base)s virtual size %(disk_size)s ' ++ 'larger than flavor root disk size %(size)s') ++ LOG.error(msg % {'base': path, ++ 'disk_size': disk_size, ++ 'size': max_size}) ++ raise exception.InstanceTypeDiskTooSmall() ++ + if fmt != "raw" and CONF.force_raw_images: + staged = "%s.converted" % path + LOG.debug("%s was %s, converting to raw" % (image_href, fmt)) +diff --git a/nova/virt/libvirt/imagebackend.py b/nova/virt/libvirt/imagebackend.py +index e2c7ccf..dc85c97 100755 +--- a/nova/virt/libvirt/imagebackend.py ++++ b/nova/virt/libvirt/imagebackend.py +@@ -177,6 +177,36 @@ def _can_fallocate(self): + (CONF.preallocate_images, self.path)) + return can_fallocate + ++ @staticmethod ++ def verify_base_size(base, size, base_size=0): ++ """Check that the base image is not larger than size. ++ Since images can't be generally shrunk, enforce this ++ constraint taking account of virtual image size. ++ """ ++ ++ # Note(pbrady): The size and min_disk parameters of a glance ++ # image are checked against the instance size before the image ++ # is even downloaded from glance, but currently min_disk is ++ # adjustable and doesn't currently account for virtual disk size, ++ # so we need this extra check here. ++ # NOTE(cfb): Having a flavor that sets the root size to 0 and having ++ # nova effectively ignore that size and use the size of the ++ # image is considered a feature at this time, not a bug. ++ ++ if size is None: ++ return ++ ++ if size and not base_size: ++ base_size = disk.get_disk_size(base) ++ ++ if size < base_size: ++ msg = _('%(base)s virtual size %(base_size)s ' ++ 'larger than flavor root disk size %(size)s') ++ LOG.error(msg % {'base': base, ++ 'base_size': base_size, ++ 'size': size}) ++ raise exception.InstanceTypeDiskTooSmall() ++ + def snapshot_create(self): + raise NotImplementedError + +@@ -217,7 +247,8 @@ def copy_raw_image(base, target, size): + #Generating image in place + prepare_template(target=self.path, *args, **kwargs) + else: +- prepare_template(target=base, *args, **kwargs) ++ prepare_template(target=base, max_size=size, *args, **kwargs) ++ self.verify_base_size(base, size) + if not os.path.exists(self.path): + with utils.remove_path_on_error(self.path): + copy_raw_image(base, self.path, size) +@@ -257,7 +288,9 @@ def copy_qcow2_image(base, target, size): + + # Download the unmodified base image unless we already have a copy. + if not os.path.exists(base): +- prepare_template(target=base, *args, **kwargs) ++ prepare_template(target=base, max_size=size, *args, **kwargs) ++ else: ++ self.verify_base_size(base, size) + + legacy_backing_size = None + legacy_base = base +@@ -283,13 +316,6 @@ def copy_qcow2_image(base, target, size): + libvirt_utils.copy_image(base, legacy_base) + disk.extend(legacy_base, legacy_backing_size) + +- # NOTE(cfb): Having a flavor that sets the root size to 0 and having +- # nova effectively ignore that size and use the size of the +- # image is considered a feature at this time, not a bug. +- if size and size < disk.get_disk_size(base): +- LOG.error('%s virtual size larger than flavor root disk size %s' % +- (base, size)) +- raise exception.ImageTooLarge() + if not os.path.exists(self.path): + with utils.remove_path_on_error(self.path): + copy_qcow2_image(base, self.path, size) +@@ -348,6 +374,7 @@ def create_image(self, prepare_template, base, size, *args, **kwargs): + lock_path=self.lock_path) + def create_lvm_image(base, size): + base_size = disk.get_disk_size(base) ++ self.verify_base_size(base, size, base_size=base_size) + resize = size > base_size + size = size if resize else base_size + libvirt_utils.create_lvm_image(self.vg, self.lv, +@@ -365,7 +392,7 @@ def create_lvm_image(base, size): + with self.remove_volume_on_error(self.path): + prepare_template(target=self.path, *args, **kwargs) + else: +- prepare_template(target=base, *args, **kwargs) ++ prepare_template(target=base, max_size=size, *args, **kwargs) + with self.remove_volume_on_error(self.path): + create_lvm_image(base, size) + +diff --git a/nova/virt/libvirt/utils.py b/nova/virt/libvirt/utils.py +index 6972243..4c31fcb 100755 +--- a/nova/virt/libvirt/utils.py ++++ b/nova/virt/libvirt/utils.py +@@ -592,9 +592,10 @@ def get_fs_info(path): + 'used': used} + + +-def fetch_image(context, target, image_id, user_id, project_id): ++def fetch_image(context, target, image_id, user_id, project_id, max_size=0): + """Grab image.""" +- images.fetch_to_raw(context, image_id, target, user_id, project_id) ++ images.fetch_to_raw(context, image_id, target, user_id, project_id, ++ max_size=max_size) + + + def get_instance_path(instance, forceold=False, relative=False): +-- +1.8.4 + diff --git a/sys-cluster/nova/files/CVE-2013-4463_4469-havana.patch b/sys-cluster/nova/files/CVE-2013-4463_4469-havana.patch new file mode 100644 index 000000000000..575b11d9bbdf --- /dev/null +++ b/sys-cluster/nova/files/CVE-2013-4463_4469-havana.patch @@ -0,0 +1,452 @@ +From 3cdfe894ab58f7b91bf7fb690fc5bc724e44066f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?P=C3=A1draig=20Brady?= <pbrady@redhat.com> +Date: Fri, 27 Sep 2013 04:07:14 +0100 +Subject: [PATCH] ensure we don't boot oversized images + +Since we can't generally shrink incoming images, add extra checks +to ensure oversized images are not allowed through. +All cases when populating the libvirt image cache are now handled, +including the initial download from glance, where we avoid +converting to raw, as that could generate non sparse images +much larger than the downloaded image. + +* nova/virt/libvirt/utils.py (fetch_image): Allow passing through +of the max_size parameter. +* nova/virt/images.py (fetch_to_raw): Accept the max_size parameter, +and use it to discard images with larger (virtual) sizes. +* nova/virt/libvirt/imagebackend.py (verify_base_size): A new +refactored function to identify and raise exception to oversized images. +(Raw.create_image): Pass the max_size to the fetch function. +Also enforce virtual image size checking for already fetched images, +as this class (despite the name) can be handling qcow files. +(Qcow2.create_image): Pass the max_size to the fetch function, +or verify the virtual size for the instance as done previously. +(Lvm.create_image): Pass the max_size to the fetch function. +Also check the size before transferring to the volume to improve +efficiency by not even attempting the transfer of oversized images. +(Rbd.create_image): Likewise. +* nova/tests/virt/libvirt/fake_libvirt_utils.py: Support max_size arg. +* nova/tests/virt/libvirt/test_libvirt.py (test_fetch_raw_image): +Add a case to check oversized images are discarded. +* nova/tests/virt/libvirt/test_imagebackend.py +(test_create_image_too_small): Adjust to avoid the fetch size check. + +Fixes bug: 1177830 +Fixes bug: 1206081 +Change-Id: I3d47adaa2ad07434853f447feb27d7aae0e2e717 +--- + nova/tests/virt/libvirt/fake_libvirt_utils.py | 2 +- + nova/tests/virt/libvirt/test_imagebackend.py | 34 ++++++----------- + nova/tests/virt/libvirt/test_libvirt.py | 24 ++++++++++-- + nova/virt/images.py | 24 ++++++++++-- + nova/virt/libvirt/imagebackend.py | 55 +++++++++++++++++++-------- + nova/virt/libvirt/utils.py | 5 ++- + 6 files changed, 98 insertions(+), 46 deletions(-) + +diff --git a/nova/tests/virt/libvirt/fake_libvirt_utils.py b/nova/tests/virt/libvirt/fake_libvirt_utils.py +index e18f9df..4799837 100644 +--- a/nova/tests/virt/libvirt/fake_libvirt_utils.py ++++ b/nova/tests/virt/libvirt/fake_libvirt_utils.py +@@ -197,7 +197,7 @@ def get_fs_info(path): + 'free': 84 * (1024 ** 3)} + + +-def fetch_image(context, target, image_id, user_id, project_id): ++def fetch_image(context, target, image_id, user_id, project_id, max_size=0): + pass + + +diff --git a/nova/tests/virt/libvirt/test_imagebackend.py b/nova/tests/virt/libvirt/test_imagebackend.py +index b862510..2455ec8 100644 +--- a/nova/tests/virt/libvirt/test_imagebackend.py ++++ b/nova/tests/virt/libvirt/test_imagebackend.py +@@ -190,7 +190,7 @@ def prepare_mocks(self): + + def test_create_image(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH, image_id=None) ++ fn(target=self.TEMPLATE_PATH, max_size=None, image_id=None) + imagebackend.libvirt_utils.copy_image(self.TEMPLATE_PATH, self.PATH) + self.mox.ReplayAll() + +@@ -211,7 +211,7 @@ def test_create_image_generated(self): + + def test_create_image_extend(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH, image_id=None) ++ fn(max_size=self.SIZE, target=self.TEMPLATE_PATH, image_id=None) + imagebackend.libvirt_utils.copy_image(self.TEMPLATE_PATH, self.PATH) + imagebackend.disk.extend(self.PATH, self.SIZE, use_cow=False) + self.mox.ReplayAll() +@@ -261,7 +261,7 @@ def prepare_mocks(self): + + def test_create_image(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=None, target=self.TEMPLATE_PATH) + imagebackend.libvirt_utils.create_cow_image(self.TEMPLATE_PATH, + self.PATH) + self.mox.ReplayAll() +@@ -273,15 +273,12 @@ def test_create_image(self): + + def test_create_image_with_size(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=self.SIZE, target=self.TEMPLATE_PATH) + self.mox.StubOutWithMock(os.path, 'exists') +- self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') + if self.OLD_STYLE_INSTANCE_PATH: + os.path.exists(self.OLD_STYLE_INSTANCE_PATH).AndReturn(False) + os.path.exists(self.TEMPLATE_PATH).AndReturn(False) + os.path.exists(self.PATH).AndReturn(False) +- imagebackend.disk.get_disk_size(self.TEMPLATE_PATH +- ).AndReturn(self.SIZE) + os.path.exists(self.PATH).AndReturn(False) + imagebackend.libvirt_utils.create_cow_image(self.TEMPLATE_PATH, + self.PATH) +@@ -295,13 +292,11 @@ def test_create_image_with_size(self): + + def test_create_image_too_small(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) + self.mox.StubOutWithMock(os.path, 'exists') + self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') + if self.OLD_STYLE_INSTANCE_PATH: + os.path.exists(self.OLD_STYLE_INSTANCE_PATH).AndReturn(False) +- os.path.exists(self.TEMPLATE_PATH).AndReturn(False) +- os.path.exists(self.PATH).AndReturn(False) ++ os.path.exists(self.TEMPLATE_PATH).AndReturn(True) + imagebackend.disk.get_disk_size(self.TEMPLATE_PATH + ).AndReturn(self.SIZE) + self.mox.ReplayAll() +@@ -313,9 +308,8 @@ def test_create_image_too_small(self): + + def test_generate_resized_backing_files(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=self.SIZE, target=self.TEMPLATE_PATH) + self.mox.StubOutWithMock(os.path, 'exists') +- self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') + self.mox.StubOutWithMock(imagebackend.libvirt_utils, + 'get_disk_backing_file') + if self.OLD_STYLE_INSTANCE_PATH: +@@ -330,8 +324,6 @@ def test_generate_resized_backing_files(self): + self.QCOW2_BASE) + imagebackend.disk.extend(self.QCOW2_BASE, self.SIZE, use_cow=True) + +- imagebackend.disk.get_disk_size(self.TEMPLATE_PATH +- ).AndReturn(self.SIZE) + os.path.exists(self.PATH).AndReturn(True) + self.mox.ReplayAll() + +@@ -342,9 +334,8 @@ def test_generate_resized_backing_files(self): + + def test_qcow2_exists_and_has_no_backing_file(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=self.SIZE, target=self.TEMPLATE_PATH) + self.mox.StubOutWithMock(os.path, 'exists') +- self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') + self.mox.StubOutWithMock(imagebackend.libvirt_utils, + 'get_disk_backing_file') + if self.OLD_STYLE_INSTANCE_PATH: +@@ -354,8 +345,6 @@ def test_qcow2_exists_and_has_no_backing_file(self): + + imagebackend.libvirt_utils.get_disk_backing_file(self.PATH)\ + .AndReturn(None) +- imagebackend.disk.get_disk_size(self.TEMPLATE_PATH +- ).AndReturn(self.SIZE) + os.path.exists(self.PATH).AndReturn(True) + self.mox.ReplayAll() + +@@ -392,7 +381,7 @@ def prepare_mocks(self): + + def _create_image(self, sparse): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=None, target=self.TEMPLATE_PATH) + self.libvirt_utils.create_lvm_image(self.VG, + self.LV, + self.TEMPLATE_SIZE, +@@ -424,7 +413,7 @@ def _create_image_generated(self, sparse): + + def _create_image_resize(self, sparse): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=self.SIZE, target=self.TEMPLATE_PATH) + self.libvirt_utils.create_lvm_image(self.VG, self.LV, + self.SIZE, sparse=sparse) + self.disk.get_disk_size(self.TEMPLATE_PATH +@@ -463,7 +452,7 @@ def test_create_image_resize_sparsed(self): + + def test_create_image_negative(self): + fn = self.prepare_mocks() +- fn(target=self.TEMPLATE_PATH) ++ fn(max_size=self.SIZE, target=self.TEMPLATE_PATH) + self.libvirt_utils.create_lvm_image(self.VG, + self.LV, + self.SIZE, +@@ -607,7 +596,7 @@ def test_cache_template_exists(self): + + def test_create_image(self): + fn = self.prepare_mocks() +- fn(rbd=self.rbd, target=self.TEMPLATE_PATH) ++ fn(max_size=None, rbd=self.rbd, target=self.TEMPLATE_PATH) + + self.rbd.RBD_FEATURE_LAYERING = 1 + +@@ -635,6 +624,7 @@ def fake_fetch(target, *args, **kwargs): + return + + self.stubs.Set(os.path, 'exists', lambda _: True) ++ self.stubs.Set(image, 'check_image_exists', lambda: True) + + image.cache(fake_fetch, self.TEMPLATE_PATH, self.SIZE) + +diff --git a/nova/tests/virt/libvirt/test_libvirt.py b/nova/tests/virt/libvirt/test_libvirt.py +index ac36be4..5d1361e 100644 +--- a/nova/tests/virt/libvirt/test_libvirt.py ++++ b/nova/tests/virt/libvirt/test_libvirt.py +@@ -6308,7 +6308,8 @@ def test_fetch_image(self): + image_id = '4' + user_id = 'fake' + project_id = 'fake' +- images.fetch_to_raw(context, image_id, target, user_id, project_id) ++ images.fetch_to_raw(context, image_id, target, user_id, project_id, ++ max_size=0) + + self.mox.ReplayAll() + libvirt_utils.fetch_image(context, target, image_id, +@@ -6338,20 +6339,27 @@ class FakeImgInfo(object): + file_format = path.split('.')[-2] + elif file_format == 'converted': + file_format = 'raw' ++ + if 'backing' in path: + backing_file = 'backing' + else: + backing_file = None + ++ if 'big' in path: ++ virtual_size = 2 ++ else: ++ virtual_size = 1 ++ + FakeImgInfo.file_format = file_format + FakeImgInfo.backing_file = backing_file ++ FakeImgInfo.virtual_size = virtual_size + + return FakeImgInfo() + + self.stubs.Set(utils, 'execute', fake_execute) + self.stubs.Set(os, 'rename', fake_rename) + self.stubs.Set(os, 'unlink', fake_unlink) +- self.stubs.Set(images, 'fetch', lambda *_: None) ++ self.stubs.Set(images, 'fetch', lambda *_, **__: None) + self.stubs.Set(images, 'qemu_img_info', fake_qemu_img_info) + self.stubs.Set(fileutils, 'delete_if_exists', fake_rm_on_error) + +@@ -6373,7 +6381,8 @@ class FakeImgInfo(object): + 't.qcow2.part', 't.qcow2.converted'), + ('rm', 't.qcow2.part'), + ('mv', 't.qcow2.converted', 't.qcow2')] +- images.fetch_to_raw(context, image_id, target, user_id, project_id) ++ images.fetch_to_raw(context, image_id, target, user_id, project_id, ++ max_size=1) + self.assertEqual(self.executes, expected_commands) + + target = 't.raw' +@@ -6390,6 +6399,15 @@ class FakeImgInfo(object): + context, image_id, target, user_id, project_id) + self.assertEqual(self.executes, expected_commands) + ++ target = 'big.qcow2' ++ self.executes = [] ++ expected_commands = [('rm', '-f', 'big.qcow2.part')] ++ self.assertRaises(exception.InstanceTypeDiskTooSmall, ++ images.fetch_to_raw, ++ context, image_id, target, user_id, project_id, ++ max_size=1) ++ self.assertEqual(self.executes, expected_commands) ++ + del self.executes + + def test_get_disk_backing_file(self): +diff --git a/nova/virt/images.py b/nova/virt/images.py +index 9c4c101..6d20e65 100644 +--- a/nova/virt/images.py ++++ b/nova/virt/images.py +@@ -179,7 +179,7 @@ def convert_image(source, dest, out_format, run_as_root=False): + utils.execute(*cmd, run_as_root=run_as_root) + + +-def fetch(context, image_href, path, _user_id, _project_id): ++def fetch(context, image_href, path, _user_id, _project_id, max_size=0): + # TODO(vish): Improve context handling and add owner and auth data + # when it is added to glance. Right now there is no + # auth checking in glance, so we assume that access was +@@ -190,9 +190,10 @@ def fetch(context, image_href, path, _user_id, _project_id): + image_service.download(context, image_id, dst_path=path) + + +-def fetch_to_raw(context, image_href, path, user_id, project_id): ++def fetch_to_raw(context, image_href, path, user_id, project_id, max_size=0): + path_tmp = "%s.part" % path +- fetch(context, image_href, path_tmp, user_id, project_id) ++ fetch(context, image_href, path_tmp, user_id, project_id, ++ max_size=max_size) + + with fileutils.remove_path_on_error(path_tmp): + data = qemu_img_info(path_tmp) +@@ -209,6 +210,23 @@ def fetch_to_raw(context, image_href, path, user_id, project_id): + reason=(_("fmt=%(fmt)s backed by: %(backing_file)s") % + {'fmt': fmt, 'backing_file': backing_file})) + ++ # We can't generally shrink incoming images, so disallow ++ # images > size of the flavor we're booting. Checking here avoids ++ # an immediate DoS where we convert large qcow images to raw ++ # (which may compress well but not be sparse). ++ # TODO(p-draigbrady): loop through all flavor sizes, so that ++ # we might continue here and not discard the download. ++ # If we did that we'd have to do the higher level size checks ++ # irrespective of whether the base image was prepared or not. ++ disk_size = data.virtual_size ++ if max_size and max_size < disk_size: ++ msg = _('%(base)s virtual size %(disk_size)s ' ++ 'larger than flavor root disk size %(size)s') ++ LOG.error(msg % {'base': path, ++ 'disk_size': disk_size, ++ 'size': max_size}) ++ raise exception.InstanceTypeDiskTooSmall() ++ + if fmt != "raw" and CONF.force_raw_images: + staged = "%s.converted" % path + LOG.debug("%s was %s, converting to raw" % (image_href, fmt)) +diff --git a/nova/virt/libvirt/imagebackend.py b/nova/virt/libvirt/imagebackend.py +index 84c46e8..e900789 100644 +--- a/nova/virt/libvirt/imagebackend.py ++++ b/nova/virt/libvirt/imagebackend.py +@@ -193,6 +193,36 @@ def _can_fallocate(self): + (CONF.preallocate_images, self.path)) + return can_fallocate + ++ @staticmethod ++ def verify_base_size(base, size, base_size=0): ++ """Check that the base image is not larger than size. ++ Since images can't be generally shrunk, enforce this ++ constraint taking account of virtual image size. ++ """ ++ ++ # Note(pbrady): The size and min_disk parameters of a glance ++ # image are checked against the instance size before the image ++ # is even downloaded from glance, but currently min_disk is ++ # adjustable and doesn't currently account for virtual disk size, ++ # so we need this extra check here. ++ # NOTE(cfb): Having a flavor that sets the root size to 0 and having ++ # nova effectively ignore that size and use the size of the ++ # image is considered a feature at this time, not a bug. ++ ++ if size is None: ++ return ++ ++ if size and not base_size: ++ base_size = disk.get_disk_size(base) ++ ++ if size < base_size: ++ msg = _('%(base)s virtual size %(base_size)s ' ++ 'larger than flavor root disk size %(size)s') ++ LOG.error(msg % {'base': base, ++ 'base_size': base_size, ++ 'size': size}) ++ raise exception.InstanceTypeDiskTooSmall() ++ + def snapshot_create(self): + raise NotImplementedError() + +@@ -234,7 +264,8 @@ def copy_raw_image(base, target, size): + #Generating image in place + prepare_template(target=self.path, *args, **kwargs) + else: +- prepare_template(target=base, *args, **kwargs) ++ prepare_template(target=base, max_size=size, *args, **kwargs) ++ self.verify_base_size(base, size) + if not os.path.exists(self.path): + with fileutils.remove_path_on_error(self.path): + copy_raw_image(base, self.path, size) +@@ -273,7 +304,9 @@ def copy_qcow2_image(base, target, size): + + # Download the unmodified base image unless we already have a copy. + if not os.path.exists(base): +- prepare_template(target=base, *args, **kwargs) ++ prepare_template(target=base, max_size=size, *args, **kwargs) ++ else: ++ self.verify_base_size(base, size) + + legacy_backing_size = None + legacy_base = base +@@ -299,17 +332,6 @@ def copy_qcow2_image(base, target, size): + libvirt_utils.copy_image(base, legacy_base) + disk.extend(legacy_base, legacy_backing_size, use_cow=True) + +- # NOTE(cfb): Having a flavor that sets the root size to 0 and having +- # nova effectively ignore that size and use the size of the +- # image is considered a feature at this time, not a bug. +- disk_size = disk.get_disk_size(base) +- if size and size < disk_size: +- msg = _('%(base)s virtual size %(disk_size)s' +- 'larger than flavor root disk size %(size)s') +- LOG.error(msg % {'base': base, +- 'disk_size': disk_size, +- 'size': size}) +- raise exception.InstanceTypeDiskTooSmall() + if not os.path.exists(self.path): + with fileutils.remove_path_on_error(self.path): + copy_qcow2_image(base, self.path, size) +@@ -367,6 +389,7 @@ def create_image(self, prepare_template, base, size, *args, **kwargs): + @utils.synchronized(base, external=True, lock_path=self.lock_path) + def create_lvm_image(base, size): + base_size = disk.get_disk_size(base) ++ self.verify_base_size(base, size, base_size=base_size) + resize = size > base_size + size = size if resize else base_size + libvirt_utils.create_lvm_image(self.vg, self.lv, +@@ -384,7 +407,7 @@ def create_lvm_image(base, size): + with self.remove_volume_on_error(self.path): + prepare_template(target=self.path, *args, **kwargs) + else: +- prepare_template(target=base, *args, **kwargs) ++ prepare_template(target=base, max_size=size, *args, **kwargs) + with self.remove_volume_on_error(self.path): + create_lvm_image(base, size) + +@@ -514,7 +537,9 @@ def create_image(self, prepare_template, base, size, *args, **kwargs): + features = self.rbd.RBD_FEATURE_LAYERING + + if not os.path.exists(base): +- prepare_template(target=base, *args, **kwargs) ++ prepare_template(target=base, max_size=size, *args, **kwargs) ++ else: ++ self.verify_base_size(base, size) + + # keep using the command line import instead of librbd since it + # detects zeroes to preserve sparseness in the image +diff --git a/nova/virt/libvirt/utils.py b/nova/virt/libvirt/utils.py +index 66ff83e..d7c92b7 100644 +--- a/nova/virt/libvirt/utils.py ++++ b/nova/virt/libvirt/utils.py +@@ -639,9 +639,10 @@ def get_fs_info(path): + 'used': used} + + +-def fetch_image(context, target, image_id, user_id, project_id): ++def fetch_image(context, target, image_id, user_id, project_id, max_size=0): + """Grab image.""" +- images.fetch_to_raw(context, image_id, target, user_id, project_id) ++ images.fetch_to_raw(context, image_id, target, user_id, project_id, ++ max_size=max_size) + + + def get_instance_path(instance, forceold=False, relative=False): +-- +1.8.4 + diff --git a/sys-cluster/nova/files/CVE-2013-4497-grizzly-1.patch b/sys-cluster/nova/files/CVE-2013-4497-grizzly-1.patch new file mode 100644 index 000000000000..e8e14c0ab747 --- /dev/null +++ b/sys-cluster/nova/files/CVE-2013-4497-grizzly-1.patch @@ -0,0 +1,111 @@ +From df2ea2e3acdede21b40d47b7adbeac04213d031b Mon Sep 17 00:00:00 2001 +From: John Garbutt <john.garbutt@rackspace.com> +Date: Thu, 12 Sep 2013 18:11:49 +0100 +Subject: [PATCH] xenapi: enforce filters after live-migration + +Currently and network filters, including security groups, are +lost after a server has been live-migrated. + +This partially fixes the issue by ensuring that security groups are +re-applied to the VM once it reached the destination, and been started. + +This leaves a small amount of time during the live-migrate where the VM +is not protected. There is a further bug raised to close the rest of +this whole, but this helps keep the VM protected for the majority of the +time. + +Fixes bug 1202266 + +(Cherry picked from commit: 5cced7a6dd32d231c606e25dbf762d199bf9cca7) + +Change-Id: I66bc7af1c6da74e18dce47180af0cb6020ba2c1a +--- + nova/tests/test_xenapi.py | 22 +++++++++++++++++++++- + nova/virt/xenapi/driver.py | 4 ++-- + nova/virt/xenapi/vmops.py | 18 ++++++++++++++++++ + 3 files changed, 41 insertions(+), 3 deletions(-) + +diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py +index f7fb81d..d4c19a4 100644 +--- a/nova/tests/test_xenapi.py ++++ b/nova/tests/test_xenapi.py +@@ -2723,7 +2723,27 @@ def test_post_live_migration_at_destination(self): + # ensure method is present + stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests) + self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False) +- self.conn.post_live_migration_at_destination(None, None, None, None) ++ ++ fake_instance = "instance" ++ fake_network_info = "network_info" ++ ++ def fake_fw(instance, network_info): ++ self.assertEquals(instance, fake_instance) ++ self.assertEquals(network_info, fake_network_info) ++ fake_fw.called += 1 ++ ++ fake_fw.called = 0 ++ _vmops = self.conn._vmops ++ self.stubs.Set(_vmops.firewall_driver, ++ 'setup_basic_filtering', fake_fw) ++ self.stubs.Set(_vmops.firewall_driver, ++ 'prepare_instance_filter', fake_fw) ++ self.stubs.Set(_vmops.firewall_driver, ++ 'apply_instance_filter', fake_fw) ++ ++ self.conn.post_live_migration_at_destination(None, fake_instance, ++ fake_network_info, None) ++ self.assertEqual(fake_fw.called, 3) + + def test_check_can_live_migrate_destination_with_block_migration(self): + stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests) +diff --git a/nova/virt/xenapi/driver.py b/nova/virt/xenapi/driver.py +index 128f67f..564c587 100755 +--- a/nova/virt/xenapi/driver.py ++++ b/nova/virt/xenapi/driver.py +@@ -1,4 +1,3 @@ +-# vim: tabstop=4 shiftwidth=4 softtabstop=4 + + # Copyright (c) 2010 Citrix Systems, Inc. + # Copyright 2010 OpenStack Foundation +@@ -514,7 +513,8 @@ def post_live_migration_at_destination(self, ctxt, instance_ref, + :params : block_migration: if true, post operation of block_migraiton. + """ + # TODO(JohnGarbutt) look at moving/downloading ramdisk and kernel +- pass ++ self._vmops.post_live_migration_at_destination(ctxt, instance_ref, ++ network_info, block_device_info, block_device_info) + + def unfilter_instance(self, instance_ref, network_info): + """Removes security groups configured for an instance.""" +diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py +index eccf3e0..ae5c697 100644 +--- a/nova/virt/xenapi/vmops.py ++++ b/nova/virt/xenapi/vmops.py +@@ -1737,6 +1737,24 @@ def live_migrate(self, context, instance, destination_hostname, + recover_method(context, instance, destination_hostname, + block_migration) + ++ def post_live_migration_at_destination(self, context, instance, ++ network_info, block_migration, ++ block_device_info): ++ # FIXME(johngarbutt): we should block all traffic until we have ++ # applied security groups, however this requires changes to XenServer ++ try: ++ self.firewall_driver.setup_basic_filtering( ++ instance, network_info) ++ except NotImplementedError: ++ # NOTE(salvatore-orlando): setup_basic_filtering might be ++ # empty or not implemented at all, as basic filter could ++ # be implemented with VIF rules created by xapi plugin ++ pass ++ ++ self.firewall_driver.prepare_instance_filter(instance, ++ network_info) ++ self.firewall_driver.apply_instance_filter(instance, network_info) ++ + def get_per_instance_usage(self): + """Get usage info about each active instance.""" + usage = {} +-- +1.8.4 + diff --git a/sys-cluster/nova/files/CVE-2013-4497-grizzly-2.patch b/sys-cluster/nova/files/CVE-2013-4497-grizzly-2.patch new file mode 100644 index 000000000000..28fbbca758c8 --- /dev/null +++ b/sys-cluster/nova/files/CVE-2013-4497-grizzly-2.patch @@ -0,0 +1,51 @@ +From 01de658210fd65171bfbf5450c93673b5ce0bd9e Mon Sep 17 00:00:00 2001 +From: John Garbutt <john.garbutt@rackspace.com> +Date: Mon, 21 Oct 2013 19:34:43 +0100 +Subject: [PATCH] xenapi: apply firewall rules in finish_migrate + +When security groups were added, the rules were not re-applied to +servers that have been migrated to a new hypervisor. + +This change ensures the firewall rules are applied as part of creating +the new VM in finish_migrate. This code follows a very similar pattern +to the code in spawn, and that is where the cut and paste code comes +from. This code duplication was removed in Havana. + +Fixes bug 1073306 + +Change-Id: I6295a782df328a759e358fb82b76dd3f7bd4b39e +--- + nova/virt/xenapi/vmops.py | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py +index eccf3e0..7a96ac2 100644 +--- a/nova/virt/xenapi/vmops.py ++++ b/nova/virt/xenapi/vmops.py +@@ -277,8 +277,23 @@ def finish_migration(self, context, migration, instance, disk_info, + + self._attach_mapped_block_devices(instance, block_device_info) + ++ try: ++ self.firewall_driver.setup_basic_filtering( ++ instance, network_info) ++ except NotImplementedError: ++ # NOTE(salvatore-orlando): setup_basic_filtering might be ++ # empty or not implemented at all, as basic filter could ++ # be implemented with VIF rules created by xapi plugin ++ pass ++ ++ self.firewall_driver.prepare_instance_filter(instance, ++ network_info) ++ + # 5. Start VM + self._start(instance, vm_ref=vm_ref) ++ ++ self.firewall_driver.apply_instance_filter(instance, network_info) ++ + self._update_instance_progress(context, instance, + step=5, + total_steps=RESIZE_TOTAL_STEPS) +-- +1.8.4 + diff --git a/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2030.patch b/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2030.patch deleted file mode 100644 index a862cb8e477d..000000000000 --- a/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2030.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 74aa04e2ca7942cb1e1a86dcbaffeb72d260ccd7 Mon Sep 17 00:00:00 2001 -From: Russell Bryant <rbryant@redhat.com> -Date: Wed, 1 May 2013 09:41:57 -0400 -Subject: [PATCH] Remove insecure default for signing_dir option. - -The sample api-paste.ini file included an insecure value for the -signing_dir option for the keystone authtoken middleware. Comment out -the option so that we just rely on the default behavior by default. - -Fix bug 1174608. - -Conflicts: - etc/nova/api-paste.ini - -Change-Id: I6189788953d789c34456bbe150b8ed6ce6f68403 -(cherry picked from commit 58d6879b1caaa750c39c8e452a0634c24ffef2ce) ---- - etc/nova/api-paste.ini | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/etc/nova/api-paste.ini b/etc/nova/api-paste.ini -index 3970974..95307b2 100644 ---- a/etc/nova/api-paste.ini -+++ b/etc/nova/api-paste.ini -@@ -124,4 +124,7 @@ auth_protocol = http - admin_tenant_name = %SERVICE_TENANT_NAME% - admin_user = %SERVICE_USER% - admin_password = %SERVICE_PASSWORD% --signing_dir = /tmp/keystone-signing-nova -+# signing_dir is configurable, but the default behavior of the authtoken -+# middleware should be sufficient. It will create a temporary directory -+# in the home directory for the user the nova process is running as. -+#signing_dir = /var/lib/nova/keystone-signing --- -1.8.1.5 - diff --git a/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2096.patch b/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2096.patch deleted file mode 100644 index 304a61f9d20f..000000000000 --- a/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2096.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 6740c4141ea1152529b82cbf6e5b808eaba912e7 Mon Sep 17 00:00:00 2001 -From: Chet Burgess <cfb@metacloud.com> -Date: Thu, 9 May 2013 09:57:28 +0000 -Subject: [PATCH] Check QCOW2 image size during root disk creation - -glance can only tell us the size of the file, not the virtual -size of the QCOW2. As such we need to check the virtual size of -the image once its cached and ensure it's <= to the flavor's -root disk size. - -Change-Id: I833467284126557eb598b8350a84e10c06292fa9 -Fixes: bug 1177830 -(cherry picked from commit 44a8aba1d5da87d54db48079103fdef946666d80) ---- - nova/tests/test_imagebackend.py | 18 ++++++++++++++++++ - nova/virt/libvirt/imagebackend.py | 12 ++++++++++++ - 2 files changed, 30 insertions(+) - -diff --git a/nova/tests/test_imagebackend.py b/nova/tests/test_imagebackend.py -index f0bb718..da14f20 100644 ---- a/nova/tests/test_imagebackend.py -+++ b/nova/tests/test_imagebackend.py -@@ -17,6 +17,7 @@ - - import os - -+from nova import exception - from nova import flags - from nova import test - from nova.tests import fake_libvirt_utils -@@ -190,7 +191,10 @@ class Qcow2TestCase(_ImageTestCase): - fn = self.prepare_mocks() - fn(target=self.TEMPLATE_PATH) - self.mox.StubOutWithMock(os.path, 'exists') -+ self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') - os.path.exists(self.QCOW2_BASE).AndReturn(False) -+ imagebackend.disk.get_disk_size(self.TEMPLATE_PATH -+ ).AndReturn(self.SIZE) - imagebackend.libvirt_utils.copy_image(self.TEMPLATE_PATH, - self.QCOW2_BASE) - imagebackend.disk.extend(self.QCOW2_BASE, self.SIZE) -@@ -203,11 +207,25 @@ class Qcow2TestCase(_ImageTestCase): - - self.mox.VerifyAll() - -+ def test_create_image_too_small(self): -+ self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') -+ imagebackend.disk.get_disk_size(self.TEMPLATE_PATH -+ ).AndReturn(self.SIZE) -+ self.mox.ReplayAll() -+ -+ image = self.image_class(self.INSTANCE, self.NAME) -+ self.assertRaises(exception.ImageTooLarge, image.create_image, None, -+ self.TEMPLATE_PATH, 1) -+ self.mox.VerifyAll() -+ - def test_create_image_with_size_template_exists(self): - fn = self.prepare_mocks() - fn(target=self.TEMPLATE_PATH) - self.mox.StubOutWithMock(os.path, 'exists') -+ self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') - os.path.exists(self.QCOW2_BASE).AndReturn(True) -+ imagebackend.disk.get_disk_size(self.TEMPLATE_PATH -+ ).AndReturn(self.SIZE) - imagebackend.libvirt_utils.create_cow_image(self.QCOW2_BASE, - self.PATH) - self.mox.ReplayAll() -diff --git a/nova/virt/libvirt/imagebackend.py b/nova/virt/libvirt/imagebackend.py -index 0f2f044..5e7023e 100644 ---- a/nova/virt/libvirt/imagebackend.py -+++ b/nova/virt/libvirt/imagebackend.py -@@ -19,14 +19,17 @@ import abc - import contextlib - import os - -+from nova import exception - from nova import flags - from nova.openstack.common import cfg - from nova.openstack.common import excutils -+from nova.openstack.common import log as logging - from nova import utils - from nova.virt.disk import api as disk - from nova.virt.libvirt import config - from nova.virt.libvirt import utils as libvirt_utils - -+ - __imagebackend_opts = [ - cfg.StrOpt('libvirt_images_type', - default='default', -@@ -46,6 +49,8 @@ __imagebackend_opts = [ - FLAGS = flags.FLAGS - FLAGS.register_opts(__imagebackend_opts) - -+LOG = logging.getLogger(__name__) -+ - - class Image(object): - __metaclass__ = abc.ABCMeta -@@ -170,6 +175,13 @@ class Qcow2(Image): - disk.extend(qcow2_base, size) - libvirt_utils.create_cow_image(qcow2_base, target) - -+ # NOTE(cfb): Having a flavor that sets the root size to 0 and having -+ # nova effectively ignore that size and use the size of the -+ # image is considered a feature at this time, not a bug. -+ if size and size < disk.get_disk_size(base): -+ LOG.error('%s virtual size larger than flavor root disk size %s' % -+ (base, size)) -+ raise exception.ImageTooLarge() - prepare_template(target=base, *args, **kwargs) - with utils.remove_path_on_error(self.path): - copy_qcow2_image(base, self.path, size) --- -1.8.1.5 - diff --git a/sys-cluster/nova/files/nova-grizzly-1-CVE-2013-2096.patch b/sys-cluster/nova/files/nova-grizzly-1-CVE-2013-2096.patch deleted file mode 100644 index 5067ca97d77f..000000000000 --- a/sys-cluster/nova/files/nova-grizzly-1-CVE-2013-2096.patch +++ /dev/null @@ -1,96 +0,0 @@ -From a4fc0c800502338e4530cad910efb64a5483e1ea Mon Sep 17 00:00:00 2001 -From: Chet Burgess <cfb@metacloud.com> -Date: Thu, 9 May 2013 09:57:28 +0000 -Subject: [PATCH] Check QCOW2 image size during root disk creation - -glance can only tell us the size of the file, not the virtual -size of the QCOW2. As such we need to check the virtual size of -the image once its cached and ensure it's <= to the flavor's -root disk size. - -Change-Id: I833467284126557eb598b8350a84e10c06292fa9 -Fixes: bug 1177830 -(cherry picked from commit 44a8aba1d5da87d54db48079103fdef946666d80) ---- - nova/tests/test_imagebackend.py | 21 +++++++++++++++++++++ - nova/virt/libvirt/imagebackend.py | 8 ++++++++ - 2 files changed, 29 insertions(+) - -diff --git a/nova/tests/test_imagebackend.py b/nova/tests/test_imagebackend.py -index d571bbf..4ec36da 100644 ---- a/nova/tests/test_imagebackend.py -+++ b/nova/tests/test_imagebackend.py -@@ -20,6 +20,7 @@ import os - import fixtures - from oslo.config import cfg - -+from nova import exception - from nova.openstack.common import uuidutils - from nova import test - from nova.tests import fake_libvirt_utils -@@ -253,9 +254,12 @@ class Qcow2TestCase(_ImageTestCase, test.TestCase): - fn = self.prepare_mocks() - fn(target=self.TEMPLATE_PATH) - self.mox.StubOutWithMock(os.path, 'exists') -+ self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') - if self.OLD_STYLE_INSTANCE_PATH: - os.path.exists(self.OLD_STYLE_INSTANCE_PATH).AndReturn(False) - os.path.exists(self.TEMPLATE_PATH).AndReturn(False) -+ imagebackend.disk.get_disk_size(self.TEMPLATE_PATH -+ ).AndReturn(self.SIZE) - os.path.exists(self.PATH).AndReturn(False) - imagebackend.libvirt_utils.create_cow_image(self.TEMPLATE_PATH, - self.PATH) -@@ -267,6 +271,23 @@ class Qcow2TestCase(_ImageTestCase, test.TestCase): - - self.mox.VerifyAll() - -+ def test_create_image_too_small(self): -+ fn = self.prepare_mocks() -+ fn(target=self.TEMPLATE_PATH) -+ self.mox.StubOutWithMock(os.path, 'exists') -+ self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') -+ if self.OLD_STYLE_INSTANCE_PATH: -+ os.path.exists(self.OLD_STYLE_INSTANCE_PATH).AndReturn(False) -+ os.path.exists(self.TEMPLATE_PATH).AndReturn(False) -+ imagebackend.disk.get_disk_size(self.TEMPLATE_PATH -+ ).AndReturn(self.SIZE) -+ self.mox.ReplayAll() -+ -+ image = self.image_class(self.INSTANCE, self.NAME) -+ self.assertRaises(exception.ImageTooLarge, image.create_image, fn, -+ self.TEMPLATE_PATH, 1) -+ self.mox.VerifyAll() -+ - - class LvmTestCase(_ImageTestCase, test.TestCase): - VG = 'FakeVG' -diff --git a/nova/virt/libvirt/imagebackend.py b/nova/virt/libvirt/imagebackend.py -index b6b1b88..2ca71cc 100755 ---- a/nova/virt/libvirt/imagebackend.py -+++ b/nova/virt/libvirt/imagebackend.py -@@ -21,6 +21,7 @@ import os - - from oslo.config import cfg - -+from nova import exception - from nova.openstack.common import excutils - from nova.openstack.common import fileutils - from nova.openstack.common import lockutils -@@ -255,6 +256,13 @@ class Qcow2(Image): - - if not os.path.exists(base): - prepare_template(target=base, *args, **kwargs) -+ # NOTE(cfb): Having a flavor that sets the root size to 0 and having -+ # nova effectively ignore that size and use the size of the -+ # image is considered a feature at this time, not a bug. -+ if size and size < disk.get_disk_size(base): -+ LOG.error('%s virtual size larger than flavor root disk size %s' % -+ (base, size)) -+ raise exception.ImageTooLarge() - if not os.path.exists(self.path): - with utils.remove_path_on_error(self.path): - copy_qcow2_image(base, self.path, size) --- -1.8.1.5 - diff --git a/sys-cluster/nova/nova-2013.1.4.ebuild b/sys-cluster/nova/nova-2013.1.4-r1.ebuild index 8f41ae9724da..e2a1d44941e4 100644 --- a/sys-cluster/nova/nova-2013.1.4.ebuild +++ b/sys-cluster/nova/nova-2013.1.4-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.1.4.ebuild,v 1.3 2013/11/14 06:54:23 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.1.4-r1.ebuild,v 1.1 2013/11/17 22:35:55 prometheanfire Exp $ EAPI=5 PYTHON_COMPAT=( python2_7 ) @@ -70,6 +70,9 @@ RDEPEND=">=dev-python/amqplib-0.6.1[${PYTHON_USEDEP}] app-emulation/xen-tools )" PATCHES=( + "${FILESDIR}/CVE-2013-4463_4469-grizzly.patch" + "${FILESDIR}/CVE-2013-4497-grizzly-1.patch" + "${FILESDIR}/CVE-2013-4497-grizzly-2.patch" ) pkg_setup() { diff --git a/sys-cluster/nova/nova-2013.2-r1.ebuild b/sys-cluster/nova/nova-2013.2-r2.ebuild index e0279c6e8ee9..4498e44fccbc 100644 --- a/sys-cluster/nova/nova-2013.2-r1.ebuild +++ b/sys-cluster/nova/nova-2013.2-r2.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2-r1.ebuild,v 1.2 2013/11/14 06:54:23 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2-r2.ebuild,v 1.1 2013/11/17 22:35:55 prometheanfire Exp $ EAPI=5 PYTHON_COMPAT=( python2_7 ) @@ -72,6 +72,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}] app-emulation/xen-tools )" PATCHES=( + "${FILESDIR}/CVE-2013-4463_4469-havana.patch" ) pkg_setup() { |