Bug #1376368 “nova.crypto.revoke_cert always raises ProjectNotFo...” : Bugs : OpenStack Compute (nova)

Tristan Cacqueray (tristan-cacqueray) on 2014-10-01

Changed in ossa:
status:	New → Incomplete

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2014-10-01:

#1

Thanks for the report, the OSSA task have been set to incomplete pending additional security reviews.

Well os.chdir will raise an exception if the directory is not existent...
Yet the revocation code seems to be unreachable!

Revision history for this message

Jeremy Stanley (fungi) wrote on 2014-10-01:

#2

Do we know if this affects stable/icehouse? If not, then we can just open and hopefully expedite the fix into rc2.

Revision history for this message

Alex Gaynor (alex-gaynor) wrote on 2014-10-01:

#3

The commit that introduced the bug, as far as I can tell is from June, I'm not sure it was also backported.

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-10-02:

#4

This was apparently not backported:
https://github.com/openstack/nova/blob/stable/icehouse/nova/crypto.py#L277-L278

Let's see if we can quickly get a patch proposed before we open it.

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-10-06:

#5

Only in Juno, so if fixed before reolease, won't trigger an OSSA

information type:	Private Security → Public Security
tags:	added: juno-rc-potential
Changed in nova:
importance:	Undecided → Critical
status:	New → Confirmed
Changed in ossa:
status:	Incomplete → Won't Fix

Revision history for this message

Davanum Srinivas (DIMS) (dims-v) wrote on 2014-10-06:

#6

ttx,

referenced lines were added, then modified by https://review.openstack.org/#/c/99373/5/nova/crypto.py,unified in response to this "bug" https://bugs.launchpad.net/nova/+bug/883320

-- dims

Davanum Srinivas (DIMS) (dims-v) on 2014-10-06

Changed in nova:
assignee:	nobody → Davanum Srinivas (DIMS) (dims-v)

Thierry Carrez (ttx) on 2014-10-07

Changed in nova:
milestone:	none → juno-rc2

Thierry Carrez (ttx) on 2014-10-07

tags:

removed: juno-rc-potential

Russell Bryant (russellb) on 2014-10-08

Changed in nova:
assignee:	Davanum Srinivas (DIMS) (dims-v) → Russell Bryant (russellb)
milestone:	juno-rc2 → kilo-1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-08: Fix proposed to nova (master)

#7

Fix proposed to branch: master
Review: https://review.openstack.org/126890

Changed in nova:
status:	Confirmed → In Progress

Thierry Carrez (ttx) on 2014-10-08

Changed in nova:
milestone:	kilo-1 → juno-rc2
no longer affects:	nova/juno

OpenStack Infra (hudson-openstack) on 2014-10-08

Changed in nova:
assignee:	Russell Bryant (russellb) → Davanum Srinivas (DIMS) (dims-v)

OpenStack Infra (hudson-openstack) on 2014-10-08

Changed in nova:
assignee:	Davanum Srinivas (DIMS) (dims-v) → Russell Bryant (russellb)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-08: Change abandoned on nova (master)

#8

Change abandoned by Davanum Srinivas (dims) (<email address hidden>) on branch: master
Review: https://review.openstack.org/126409
Reason: Oh well! :)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-08: Fix merged to nova (master)

#9

Reviewed: https://review.openstack.org/126890
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=c8538208da00c3b0d0646629c9d668aa69944b85
Submitter: Jenkins
Branch: master

commit c8538208da00c3b0d0646629c9d668aa69944b85
Author: Russell Bryant <email address hidden>
Date: Wed Oct 8 12:14:31 2014 +0000

Fix broken cert revocation

    Cert revocation was broken by
    32b0adb591f80ad2c5c19519b4ffc2b55dbea672. os.chdir() never returns
    anything, so this method would always raise an exception. The proper
    way to handle an error from os.chdir() is to catch OSError.

    There were existing tests for this code, but they conveniently mocked
    os.chdir() to return values that are never actually returned. The
    tests were fixed to match the real behavior.

Change-Id: I7549bb60a7d43d53d6f81eecea31cbb9720cc8b6
Closes-bug: #1376368

Changed in nova:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-09: Fix proposed to nova (proposed/juno)

#10

Fix proposed to branch: proposed/juno
Review: https://review.openstack.org/127144

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-09: Fix merged to nova (proposed/juno)

#11

Reviewed: https://review.openstack.org/127144
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3f9003270efd9ac036f3c229b36baa0bb05203bf
Submitter: Jenkins
Branch: proposed/juno

commit 3f9003270efd9ac036f3c229b36baa0bb05203bf
Author: Russell Bryant <email address hidden>
Date: Wed Oct 8 12:14:31 2014 +0000

Fix broken cert revocation

    Cert revocation was broken by
    32b0adb591f80ad2c5c19519b4ffc2b55dbea672. os.chdir() never returns
    anything, so this method would always raise an exception. The proper
    way to handle an error from os.chdir() is to catch OSError.

    There were existing tests for this code, but they conveniently mocked
    os.chdir() to return values that are never actually returned. The
    tests were fixed to match the real behavior.

    Change-Id: I7549bb60a7d43d53d6f81eecea31cbb9720cc8b6
    Closes-bug: #1376368
    (cherry picked from commit c8538208da00c3b0d0646629c9d668aa69944b85)

Changed in nova:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in nova:
milestone:	juno-rc2 → 2014.2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-16: Fix proposed to nova (master)

#12

Fix proposed to branch: master
Review: https://review.openstack.org/128894

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-20: Fix merged to nova (master)

#13

Download full text (7.7 KiB)

Reviewed: https://review.openstack.org/128894
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9825784742d010a902ff149765269ad32a8a0dfd
Submitter: Jenkins
Branch: master

commit 7c9aa6da92805f20083203a6ec8f93b1b592fc13
Author: He Jie Xu <email address hidden>
Date: Sun Oct 5 00:20:01 2014 +0800

Fix pci_request_id break the upgrade from icehouse to juno

    commit a8a5d44c8aca218f00649232c2b8a46aee59b77e add pci_request_id
    as one item for the request_network tuple. But the icehouse code
    assume only three items in the tuple.

This patch filters pci_request_id out from the tuple.

Cherry-Pick from:
https://review.openstack.org/#/c/126144/6

Change-Id: I991e1c68324fe92fac647583f3ec8f6aec637913
Closes-Bug: #1377447

commit 10a5eecd0973096b57efd31f8b27d7295a44ab89
Author: Andreas Jaeger <email address hidden>
Date: Thu Oct 9 12:22:36 2014 +0200

Updated translations

    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_file nova

Change-Id: I64b2b468f7edd44dbb445b5b4e68b65c3fa53d9e

commit 3f9003270efd9ac036f3c229b36baa0bb05203bf
Author: Russell Bryant <email address hidden>
Date: Wed Oct 8 12:14:31 2014 +0000

Fix broken cert revocation

    Cert revocation was broken by
    32b0adb591f80ad2c5c19519b4ffc2b55dbea672. os.chdir() never returns
    anything, so this method would always raise an exception. The proper
    way to handle an error from os.chdir() is to catch OSError.

    There were existing tests for this code, but they conveniently mocked
    os.chdir() to return values that are never actually returned. The
    tests were fixed to match the real behavior.

    Change-Id: I7549bb60a7d43d53d6f81eecea31cbb9720cc8b6
    Closes-bug: #1376368
    (cherry picked from commit c8538208da00c3b0d0646629c9d668aa69944b85)

commit 6ed57972093835f449ad645b3783bbb8b3c4245e
Author: Russell Bryant <email address hidden>
Date: Fri Oct 3 16:41:03 2014 -0400

Update rpc version aliases for juno

    Update all of the rpc client API classes to include a version alias
    for the latest version implemented in Juno. This alias is needed when
    doing rolling upgrades from Juno to Kilo. With this in place, you can
    ensure all services only send messages that both Juno and Kilo will
    understand.

    Closes-bug: #1378786
    Change-Id: Ia81538130bf8530b70b5f55c7a3d565903ff54b4
    (cherry picked from commit f98d725103c53e767a1cddb0b7e2c3822309db17)

commit ee3594072a7ef1c3f5661021fb31118069cbd646
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:53:42 2014 +0000

Mask passwords in exceptions and error messages

    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a u...

Reviewed:  https://review.openstack.org/128894
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9825784742d010a902ff149765269ad32a8a0dfd
Submitter: Jenkins
Branch:    master

commit 7c9aa6da92805f20083203a6ec8f93b1b592fc13
Author: He Jie Xu <xuhj@linux.vnet.ibm.com>
Date:   Sun Oct 5 00:20:01 2014 +0800

Fix pci_request_id break the upgrade from icehouse to juno
    
    commit a8a5d44c8aca218f00649232c2b8a46aee59b77e add pci_request_id
    as one item for the request_network tuple. But the icehouse code
    assume only three items in the tuple.
    
    This patch filters pci_request_id out from the tuple.
    
    Cherry-Pick from:
    https://review.openstack.org/#/c/126144/6
    
    Change-Id: I991e1c68324fe92fac647583f3ec8f6aec637913
    Closes-Bug: #1377447

commit 10a5eecd0973096b57efd31f8b27d7295a44ab89
Author: Andreas Jaeger <aj@suse.de>
Date:   Thu Oct 9 12:22:36 2014 +0200

Updated translations
    
    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_file nova
    
    Change-Id: I64b2b468f7edd44dbb445b5b4e68b65c3fa53d9e

commit 3f9003270efd9ac036f3c229b36baa0bb05203bf
Author: Russell Bryant <rbryant@redhat.com>
Date:   Wed Oct 8 12:14:31 2014 +0000

Fix broken cert revocation
    
    Cert revocation was broken by
    32b0adb591f80ad2c5c19519b4ffc2b55dbea672.  os.chdir() never returns
    anything, so this method would always raise an exception.  The proper
    way to handle an error from os.chdir() is to catch OSError.
    
    There were existing tests for this code, but they conveniently mocked
    os.chdir() to return values that are never actually returned.  The
    tests were fixed to match the real behavior.
    
    Change-Id: I7549bb60a7d43d53d6f81eecea31cbb9720cc8b6
    Closes-bug: #1376368
    (cherry picked from commit c8538208da00c3b0d0646629c9d668aa69944b85)

commit 6ed57972093835f449ad645b3783bbb8b3c4245e
Author: Russell Bryant <rbryant@redhat.com>
Date:   Fri Oct 3 16:41:03 2014 -0400

Update rpc version aliases for juno
    
    Update all of the rpc client API classes to include a version alias
    for the latest version implemented in Juno.  This alias is needed when
    doing rolling upgrades from Juno to Kilo.  With this in place, you can
    ensure all services only send messages that both Juno and Kilo will
    understand.
    
    Closes-bug: #1378786
    Change-Id: Ia81538130bf8530b70b5f55c7a3d565903ff54b4
    (cherry picked from commit f98d725103c53e767a1cddb0b7e2c3822309db17)

commit ee3594072a7ef1c3f5661021fb31118069cbd646
Author: Tristan Cacqueray <tristan.cacqueray@enovance.com>
Date:   Fri Oct 3 19:53:42 2014 +0000

Mask passwords in exceptions and error messages
    
    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a user with read access to
    the log files. It is therefore considered prudent to invoke
    strutils.mask_password() on the command, stdout and stderr in the
    exception. A test case has been added (to oslo-incubator) in order to
    ensure that all three are properly masked.
    
    An earlier commit (853d8f9897f8563851441108a9be26b10908c076) failed
    to address ssh_execute(). This change set addresses ssh_execute.
    
    OSSA is aware of this change request.
    
    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
    Closes-Bug: #1377981

commit f98c28228b6db5b0796e9669b6bd692b82bbfa6d
Author: liyingjun <liyingjun1988@gmail.com>
Date:   Sat Sep 6 18:41:51 2014 +0800

Fix KeyError for euca-describe-images
    
    EC2 describe images crashes on volume backed instance snapshot which has
    several volumes.
    
    Change-Id: Ibe278688b118db01c9c3ae1763954adf19c7ee0d
    Closes-bug: #1370265
    (cherry picked from commit 1dea1cd710d54d4a2a584590e4ccf59dd3a41faa)

commit 0aeffa12a62604ee3238323d969345e41937b642
Author: Vishvananda Ishaya <vishvananda@gmail.com>
Date:   Wed Oct 1 07:43:19 2014 -0700

Fix the os_networks display to show cidr properly
    
    Converting network_get and network_get_all to use objects broke
    the display of the os_networks extension, because IPAddress
    fields in Network objects are dumped as lists by the jsonutils
    extension. We therefore must explicitly convert these object
    field values to string.
    
    The tests are updated to use objects so that we pick up bugs
    like this in the future. Incorrect assertEqual parameter order
    is fixed in the tests too since these are comparing dicts and
    it's not fun debugging a MismatchError when the reference/actual
    values are backwards.
    
    Change-Id: I0f05a9b4d7bbe5fe0a3b110c191455ca7edefcb5
    Closes-Bug: #1376945
    Co-authored-by: Matt Riedemann <mriedem@us.ibm.com>
    (cherry picked from commit da25467aafce9b62dd3fdff9d6cd84121fbee17e)

commit 0251b53966eaa9e724377a300ea247367fd778c7
Author: Matt Riedemann <mriedem@us.ibm.com>
Date:   Sun Oct 5 05:56:35 2014 -0700

Disable libvirt NUMA topology support if libvirt < 1.0.4
    
    If you're not at a new enough version of libvirt, the compute service
    fails on startup because VirtNUMATopologyCellUsage is not fully
    populated.
    
    This add a min version check before trying to get host NUMA topology
    information.
    
    Closes-Bug: #1376307
    
    Change-Id: I00f6325cb554bc5e34d9f0fe651af39630f35b5d
    (cherry picked from commit 8ba0d9188d492028fcf4e65f908aa2d3db571952)

commit 5065aeca1b4acad513c07e3832ec0e12de2e6568
Author: Arnaud Legendre <arnaudleg@gmail.com>
Date:   Wed Oct 1 15:46:22 2014 -0700

Destroy orig VM during resize if triggered by user
    
    Patch I7598afbf0dc3c527471af34224003d28e64daaff introduces a
    Minesweeper failure, due to the fact that it doesn't distinguish
    between destroy operation triggered by the user and by the revert
    resize.
    
    This patch fixes the issue by checking the task state. If the task
    state is revert_resize, the original VM doesn't get deleted.
    
    Closes-Bug: #1376492
    
    Change-Id: Idb9ac6c1ec5dcea52ce8e028f5cce08da1779321
    (cherry picked from commit e464bc518e8590d59c2741948466777982ca3319)

commit 7caf12e258f01bf0811302bbe0d47dd40b56e6f0
Author: Sean Dague <sean@dague.net>
Date:   Thu Sep 25 12:25:26 2014 -0400

move integrated api client to requests library
    
    The integrated api client previously did the HTTPConnection /
    HTTPSConnection url parsing dance. In python 2.x HTTPSConnection
    doesn't care about SSL certs at all. While not actually an issue for
    these tests, it does mean we keep around an example in the code that
    uses HTTPSConnection, which will prevent us from creating a hacking
    rule to keep those out once the other 4 actual security issues with
    HTTPSConnection are removed.
    
    Change-Id: Idd7d5a055600dda663f9c56b39883510f8688b12
    Related-Bug: #1188189
    (cherry picked from commit 777a5870c9f29949e6af704bfa03c2e204065ab1)

commit cc88417637e4967860619e8d7e43f5d28957fcda
Author: Sylvain Bauza <sbauza@redhat.com>
Date:   Mon Sep 29 13:33:50 2014 +0200

Fix unsafe SSL connection on TrustedFilter
    
    TrustedFilter was using httplib which doesn't check for CAs.
    Here the change is using Requests and verifies local CAs by default (or another
    one if provided)
    This effort is related to CVE 2013-2255.
    
    SecurityImpact
    
    Closes-Bug: #1373993
    
    Change-Id: I0b8e6319a4cc39876b1e396ef705f0fc5def1e44
    (cherry picked from commit 30871e8702737edbbfbcbbb5f21858873b37685c)

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Critical	Russell Bryant	OpenStack Compute (nova) 2014.2 "juno"
	OpenStack Security Advisory	Won't Fix	Undecided	Unassigned

OpenStack Compute (nova)

nova.crypto.revoke_cert always raises ProjectNotFound

Bug Description

Other bug subscribers

Remote bug watches