Package: heat / 1:7.0.0-4
Metadata
Package | Version | Patches format |
---|---|---|
heat | 1:7.0.0-4 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
only run tests in heat.tests.patch | .testr.conf: 2 (1 + 1 - 0 !) | only run tests within heat/tests |
fix requirements.txt.patch | requirements.txt: 19 (9 + 10 - 0 !) | fix requirements.txt. This patch avoids FTBFS with dpkg-gencontrol being confused by the != stuff. |
CVE 2016 9185_Prevent_template_validate_from_scanning_ports.patch | heat/common/urlfetch.py: 3 (2 + 1 - 0 !) | cve-2016-9185: prevent template validate from scanning ports. Prevent template validate from scanning ports. The template validation method in the heat API allows to specify the template to validate using a URL with the 'template_url,' parameter. By entering invalid http URLs, like 'http://localhost:22' it is possible to scan ports by evaluating the error message of the request. For example, the request: curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" -X POST -d '{"template_url": "http://localhost:22"}' http://127.0.0.1:8004/v1/<TENANT_ID>/validate causes the following error message to be returned to the user: "Could not retrieve template: Failed to retrieve template: ('Connection aborted.', BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))" This could be misused by tenants to gain knowledge about the internal network the heat API runs in. To prevent this information leak, this patch alters the error message to not include such details when the url scheme is not 'file'. SecurityImpact |
remove broken rst.patch | doc/source/template_guide/hot_spec.rst: 10 (0 + 10 - 0 !) | remove broken rst. In hot_spec.rst, there are some lines that are FTBFS with the newer docutils. Since it doesn't seem that important, and it's best to keep the rest of the documentation, we're just removing the block. |
allow sqlalchemy 1.1.patch | requirements.txt: 2 (1 + 1 - 0 !) | allow sqla 1.1 |