Package: nova / 2012.1.1-18
Metadata
Package | Version | Patches format |
---|---|---|
nova | 2012.1.1-18 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
nova manage_flagfile_location.patch | bin/nova-manage: 5 (4 +, 1 -, 0 !) | Fixes path to nova.conf in nova-manage |
path to the xenhost.conf fixup.patch | plugins/xenserver/xenapi/etc/xapi.d/plugins/xenhost: 2 (1 +, 1 -, 0 !) | Fixes the path to the xenhost.conf file |
CVE 2012 3360_CVE 2012 3361.patch | nova/tests/test_virt.py: 20 (20 +, 0 -, 0 !) | --- |
stable_essex_20120710.patch | .gitreview: 1 (1 +, 0 -, 0 !) | --- |
iscsiadm_path.patch | nova/rootwrap/volume.py: 2 (1 +, 1 -, 0 !) | --- |
CVE 2012 3371.patch | nova/scheduler/filters/affinity_filter.py: 19 (11 +, 8 -, 0 !) | [patch] Use compute_api.get_all in affinity filters. Updates the affinity filters so they make a single compute API call to lookup instance host information rather than single lookups for each UUID. This resolves a potential performance issue which can cause a scheduler to hang while processing requests which contain large numbers of UUID's in the scheduler_hints. Fixes LP Bug #1017795. |
CVE 2012 3447_compute node file injection.patch | nova/rootwrap/compute.py: 4 (4 +, 0 -, 0 !) | Prohibit file injection writing to host filesystem. This is a refinement of the previous fix in commit 2427d4a, which does the file name canonicalization as the root user. This is required so that guest images could not, for example, protect malicious symlinks in a directory only readable by root. |
fixes path to binaries in rootwrap config.patch | nova/rootwrap/compute.py: 4 (2 +, 2 -, 0 !) | Fixes path to some binaries in the rootwrap config |
CVE 2013 0208_disallow boot from volume from specifying arbitrary volumes.patch | nova/compute/api.py: 16 (16 +, 0 -, 0 !) | CVE-2013-0208: disallow boot from arbitrary volumes. Fix a vulnerability in volume attachment in nova-volume, affecting the boot-from-volume feature. By passing a specific volume ID, an authenticated user may be able to boot from a volume they don't own, potentially resulting in full access to that 3rd-party volume. Date: Thu, 24 Jan 2013 10:45:19 +0000. Bug-Debian: http://bugs.debian.org/699266 Bug-Ubuntu: https://launchpad.net/bugs/1069904 |
CVE 2013 1664_CVE 2013 1665_Information leak and Denial of Service using XML entities.patch | nova/api/openstack/common.py: 10 (5 +, 5 -, 0 !) | CVE-2013-1664 & CVE-2013-1665: add a safe_minidom_parse_string function. Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent independently reported a vulnerability in the parsing of XML requests in Keystone, Nova and Cinder. By using entities in XML requests, an unauthenticated attacker may consume excessive resources on the Keystone, Nova or Cinder API servers, resulting in a denial of service and potentially a crash. Authenticated attackers may also leverage XML entities to read the content of a local file on the Keystone API server. This only affects servers with XML support enabled. Adds a new utils.safe_minidom_parse_string function and updates external API facing Nova modules to use it. This ensures we have safe defaults on our incoming API XML parsing. Internally safe_minidom_parse_string uses a ProtectedExpatParser class to disable DTDs and entities from being parsed when using minidom. |
CVE 2013 0335_VNC proxy can connect to the wrong VM.patch | nova/compute/api.py: 10 (10 +, 0 -, 0 !) | Flush tokens on instance delete. Force console auth service to flush all tokens associated with an instance when it is deleted. This will fix bug 1125378, where the console for the wrong instance can be connected to via the console if the correct circumstances occur. This change also adds a call to validate the token when it is used. This check will ensure that all tokens are valid for their target instances. Tokens can become scrambled when a compute node is restarted, because the virt driver may not assign ports in the same way. Bug-Debian: http://bugs.debian.org/701773 Bug-Ubuntu: https://launchpad.net/bugs/1125378 |
CVE 2013 0335_VNC unit tests fixes.patch | nova/consoleauth/manager.py: 21 (11 +, 10 -, 0 !) | VNC unit-test fixes |
CVE 2013 1838 Nova_DoS_by_allocating_all_Fixed_IPs_essex.patch | nova/api/openstack/compute/contrib/quotas.py: 5 (3 +, 2 -, 0 !) | CVE-2013-1838: Nova DoS by allocating all fixed IPs. Vish Ishaya reported a vulnerability in Nova where there is no quota for Fixed IPs. Previously the instance quota acted as a proxy for a Fixed IP quota, but if your configuration allows an instance to consume more than one Fixed IP via an extension such as multinic then this is no longer true. Running out of Fixed IPs would result in not being able to spawn new instances. This patch adds quotas for fixed ips. |
Fixed_broken_vncproxy_flush_tokens.patch | nova/compute/api.py: 8 (5 +, 3 -, 0 !) | Fixed broken vncproxy flush tokens patch. This review (https://review.openstack.org/22872) attempted to resolve a critical security issue but ended up completely breaking the vncproxy. The wrong dict keys were being used for Essex and the API calls were incomplete. This patch makes the proxy work again. |