Bug #1377981 “[OSSA 2014-036] Missing fix for ssh_execute (Excep...” : Bugs : Cinder

Tristan Cacqueray (tristan-cacqueray) on 2014-10-06

Changed in ossa:
assignee:	nobody → Tristan Cacqueray (tristan-cacqueray)

Thierry Carrez (ttx) on 2014-10-06

Changed in cinder:
status:	New → In Progress
Changed in nova:
status:	New → In Progress
Changed in oslo-incubator:
status:	New → Fix Released
Changed in ossa:
status:	New → Triaged

Tristan Cacqueray (tristan-cacqueray) on 2014-10-06

Changed in ossa:
status:	Triaged → In Progress

OpenStack Infra (hudson-openstack) on 2014-10-06

Changed in nova:
assignee:	nobody → Tristan Cacqueray (tristan-cacqueray)
Changed in cinder:
assignee:	nobody → Tristan Cacqueray (tristan-cacqueray)

Thierry Carrez (ttx) on 2014-10-06

tags:	added: juno-rc-potential
Changed in ossa:
importance:	Undecided → Medium

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2014-10-06:

#1

Here is the updated impact description.

Title: Potential leak of passwords into log files
Reporter: Amrith Kumar (Tesora)
Products: Cinder and Nova (versions up to 2014.1.3)
Trove (versions up to 2014.1.2)

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that have failed or when the mask_password did not mask passwords properly.

Revision history for this message

Jeremy Stanley (fungi) wrote on 2014-10-06:

#2

I have a couple minor English grammar corrections to suggest:

"... An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that has failed or when mask_password did not mask passwords properly."

Aside from that, the impact description looks fine. The products header is conflated with our usual versions header, but as this is for different versions of two projects that is probably unavoidable.

Tristan Cacqueray (tristan-cacqueray) on 2014-10-06

information type:

Public → Public Security

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-07: Fix merged to cinder (master)

#3

Reviewed: https://review.openstack.org/126052
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567
Submitter: Jenkins
Branch: master

commit 5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:57:01 2014 +0000

Sync latest processutils from oslo-incubator

An earlier commit (Ia92aab76fa83d01c5fbf6f9d31df2463fc26ba5c) failed
to address ssh_execute(). This change set addresses ssh_execute.

------------------------------------------------

oslo-incubator head:

    commit 4990535fb5f3e2dc9b397e1a18c1b5dda94ef1c4
    Merge: 9f5c700 2a130bf
    Author: Jenkins <email address hidden>
    Date: Mon Sep 29 23:12:14 2014 +0000

Merge "Script to list unreleased changes in all oslo projects"

-----------------------------------------------

The sync pulls in the following changes (newest to oldest):

6a60f842 - Mask passwords in exceptions and error messages (SSH)

-----------------------------------------------

Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
Closes-Bug: #1377981

Changed in cinder:
status:	In Progress → Fix Committed

Tristan Cacqueray (tristan-cacqueray) on 2014-10-07

summary:

Missing fix for ssh_execute (Exceptions thrown may contain passwords)
+ (CVE-2014-7230, CVE-2014-7231)

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2014-10-07: Re: Missing fix for ssh_execute (Exceptions thrown may contain passwords) (CVE-2014-7230, CVE-2014-7231)

#4

@fungi Thanks!

Here is an updated impact description, including assigned CVE:

Title: Potential leak of passwords into log files
Reporter: Amrith Kumar (Tesora)
Products: Cinder and Nova (versions up to 2014.1.3)
Trove (versions up to 2014.1.2)

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that has failed (CVE-2014-7230) or when mask_password did not mask passwords properly (CVE-2014-7231). All Cinder, Nova and Trove setups are affected.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-07: Fix proposed to cinder (proposed/juno)

#5

Fix proposed to branch: proposed/juno
Review: https://review.openstack.org/126592

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-07: Fix proposed to nova (proposed/juno)

#6

Fix proposed to branch: proposed/juno
Review: https://review.openstack.org/126594

Thierry Carrez (ttx) on 2014-10-07

Changed in cinder:
milestone:	none → juno-rc2
tags:	removed: juno-rc-potential

Thierry Carrez (ttx) on 2014-10-07

Changed in cinder:
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-07: Fix proposed to cinder (stable/icehouse)

#7

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/126665

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-07: Fix proposed to nova (stable/icehouse)

#8

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/126699

Joe Gordon (jogo) on 2014-10-07

Changed in nova:
milestone:	none → juno-rc2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-07: Fix merged to nova (master)

#9

Reviewed: https://review.openstack.org/126047
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=8e7d6a60ff92df19aceb0972566b48992eee18b4
Submitter: Jenkins
Branch: master

commit 8e7d6a60ff92df19aceb0972566b48992eee18b4
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:53:42 2014 +0000

Mask passwords in exceptions and error messages

    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a user with read access to
    the log files. It is therefore considered prudent to invoke
    strutils.mask_password() on the command, stdout and stderr in the
    exception. A test case has been added (to oslo-incubator) in order to
    ensure that all three are properly masked.

An earlier commit (853d8f9897f8563851441108a9be26b10908c076) failed
to address ssh_execute(). This change set addresses ssh_execute.

OSSA is aware of this change request.

Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
Closes-Bug: #1377981

Changed in nova:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-07: Fix merged to cinder (proposed/juno)

#10

Reviewed: https://review.openstack.org/126592
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=d5efe6703297761215907eeaf703cec040e6ad25
Submitter: Jenkins
Branch: proposed/juno

commit d5efe6703297761215907eeaf703cec040e6ad25
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:57:01 2014 +0000

Sync latest processutils from oslo-incubator

An earlier commit (Ia92aab76fa83d01c5fbf6f9d31df2463fc26ba5c) failed
to address ssh_execute(). This change set addresses ssh_execute.

------------------------------------------------

oslo-incubator head:

    commit 4990535fb5f3e2dc9b397e1a18c1b5dda94ef1c4
    Merge: 9f5c700 2a130bf
    Author: Jenkins <email address hidden>
    Date: Mon Sep 29 23:12:14 2014 +0000

Merge "Script to list unreleased changes in all oslo projects"

-----------------------------------------------

The sync pulls in the following changes (newest to oldest):

6a60f842 - Mask passwords in exceptions and error messages (SSH)

-----------------------------------------------

    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
    Closes-Bug: #1377981
    (cherry picked from commit 5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567)

Changed in cinder:
status:	Fix Committed → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-08: Fix merged to nova (proposed/juno)

#11

Reviewed: https://review.openstack.org/126594
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=ee3594072a7ef1c3f5661021fb31118069cbd646
Submitter: Jenkins
Branch: proposed/juno

commit ee3594072a7ef1c3f5661021fb31118069cbd646
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:53:42 2014 +0000

Mask passwords in exceptions and error messages

    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a user with read access to
    the log files. It is therefore considered prudent to invoke
    strutils.mask_password() on the command, stdout and stderr in the
    exception. A test case has been added (to oslo-incubator) in order to
    ensure that all three are properly masked.

An earlier commit (853d8f9897f8563851441108a9be26b10908c076) failed
to address ssh_execute(). This change set addresses ssh_execute.

OSSA is aware of this change request.

Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
Closes-Bug: #1377981

Changed in nova:
status:	Fix Committed → Fix Released

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-10-09: Re: Missing fix for ssh_execute (Exceptions thrown may contain passwords) (CVE-2014-7230, CVE-2014-7231)

#12

oslo-incubator stable/icehouse merged @ https://review.openstack.org/#/c/125458

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-12: Fix merged to cinder (stable/icehouse)

#13

Reviewed: https://review.openstack.org/126665
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=390259bb40f85b20ea181166bf082f8b97c0a824
Submitter: Jenkins
Branch: stable/icehouse

commit 390259bb40f85b20ea181166bf082f8b97c0a824
Author: Tristan Cacqueray <email address hidden>
Date: Tue Oct 7 18:55:54 2014 +0000

Sync process utils from oslo

This patch backports the missing change to fix ssh_execute password leak

------------------------------------------------
The sync pulls in the following changes:

105169f8 - Mask passwords in exceptions and error messages (SSH)
-----------------------------------------------

Closes-Bug: 1377981
Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-14: Fix merged to nova (stable/icehouse)

#14

Reviewed: https://review.openstack.org/126699
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=56b62b79a75624305858c10a5f285b08374b7506
Submitter: Jenkins
Branch: stable/icehouse

commit 56b62b79a75624305858c10a5f285b08374b7506
Author: Tristan Cacqueray <email address hidden>
Date: Tue Oct 7 19:36:07 2014 +0000

Sync process utils from oslo

This patch backports the missing change to fix ssh_execute password leak

------------------------------------------------
The sync pulls in the following changes:

105169f8 - Mask passwords in exceptions and error messages (SSH)
-----------------------------------------------

Closes-Bug: 1377981
Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958

Tristan Cacqueray (tristan-cacqueray) on 2014-10-15

Changed in oslo-incubator:
assignee:	nobody → Tristan Cacqueray (tristan-cacqueray)

Tristan Cacqueray (tristan-cacqueray) on 2014-10-15

summary:	- Missing fix for ssh_execute (Exceptions thrown may contain passwords) - (CVE-2014-7230, CVE-2014-7231) + [OSSA 2014-036] Missing fix for ssh_execute (Exceptions thrown may + contain passwords) (CVE-2014-7230, CVE-2014-7231)
Changed in ossa:
status:	In Progress → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in nova:
milestone:	juno-rc2 → 2014.2

Thierry Carrez (ttx) on 2014-10-16

Changed in cinder:
milestone:	juno-rc2 → 2014.2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-16: Fix proposed to nova (master)

#15

Fix proposed to branch: master
Review: https://review.openstack.org/128894

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-16: Fix proposed to cinder (master)

#16

Fix proposed to branch: master
Review: https://review.openstack.org/128920

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-20: Fix merged to nova (master)

#17

Download full text (7.7 KiB)

Reviewed: https://review.openstack.org/128894
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9825784742d010a902ff149765269ad32a8a0dfd
Submitter: Jenkins
Branch: master

commit 7c9aa6da92805f20083203a6ec8f93b1b592fc13
Author: He Jie Xu <email address hidden>
Date: Sun Oct 5 00:20:01 2014 +0800

Fix pci_request_id break the upgrade from icehouse to juno

    commit a8a5d44c8aca218f00649232c2b8a46aee59b77e add pci_request_id
    as one item for the request_network tuple. But the icehouse code
    assume only three items in the tuple.

This patch filters pci_request_id out from the tuple.

Cherry-Pick from:
https://review.openstack.org/#/c/126144/6

Change-Id: I991e1c68324fe92fac647583f3ec8f6aec637913
Closes-Bug: #1377447

commit 10a5eecd0973096b57efd31f8b27d7295a44ab89
Author: Andreas Jaeger <email address hidden>
Date: Thu Oct 9 12:22:36 2014 +0200

Updated translations

    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_file nova

Change-Id: I64b2b468f7edd44dbb445b5b4e68b65c3fa53d9e

commit 3f9003270efd9ac036f3c229b36baa0bb05203bf
Author: Russell Bryant <email address hidden>
Date: Wed Oct 8 12:14:31 2014 +0000

Fix broken cert revocation

    Cert revocation was broken by
    32b0adb591f80ad2c5c19519b4ffc2b55dbea672. os.chdir() never returns
    anything, so this method would always raise an exception. The proper
    way to handle an error from os.chdir() is to catch OSError.

    There were existing tests for this code, but they conveniently mocked
    os.chdir() to return values that are never actually returned. The
    tests were fixed to match the real behavior.

    Change-Id: I7549bb60a7d43d53d6f81eecea31cbb9720cc8b6
    Closes-bug: #1376368
    (cherry picked from commit c8538208da00c3b0d0646629c9d668aa69944b85)

commit 6ed57972093835f449ad645b3783bbb8b3c4245e
Author: Russell Bryant <email address hidden>
Date: Fri Oct 3 16:41:03 2014 -0400

Update rpc version aliases for juno

    Update all of the rpc client API classes to include a version alias
    for the latest version implemented in Juno. This alias is needed when
    doing rolling upgrades from Juno to Kilo. With this in place, you can
    ensure all services only send messages that both Juno and Kilo will
    understand.

    Closes-bug: #1378786
    Change-Id: Ia81538130bf8530b70b5f55c7a3d565903ff54b4
    (cherry picked from commit f98d725103c53e767a1cddb0b7e2c3822309db17)

commit ee3594072a7ef1c3f5661021fb31118069cbd646
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:53:42 2014 +0000

Mask passwords in exceptions and error messages

    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a u...

Reviewed:  https://review.openstack.org/128894
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9825784742d010a902ff149765269ad32a8a0dfd
Submitter: Jenkins
Branch:    master

commit 7c9aa6da92805f20083203a6ec8f93b1b592fc13
Author: He Jie Xu <xuhj@linux.vnet.ibm.com>
Date:   Sun Oct 5 00:20:01 2014 +0800

Fix pci_request_id break the upgrade from icehouse to juno
    
    commit a8a5d44c8aca218f00649232c2b8a46aee59b77e add pci_request_id
    as one item for the request_network tuple. But the icehouse code
    assume only three items in the tuple.
    
    This patch filters pci_request_id out from the tuple.
    
    Cherry-Pick from:
    https://review.openstack.org/#/c/126144/6
    
    Change-Id: I991e1c68324fe92fac647583f3ec8f6aec637913
    Closes-Bug: #1377447

commit 10a5eecd0973096b57efd31f8b27d7295a44ab89
Author: Andreas Jaeger <aj@suse.de>
Date:   Thu Oct 9 12:22:36 2014 +0200

Updated translations
    
    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_file nova
    
    Change-Id: I64b2b468f7edd44dbb445b5b4e68b65c3fa53d9e

commit 3f9003270efd9ac036f3c229b36baa0bb05203bf
Author: Russell Bryant <rbryant@redhat.com>
Date:   Wed Oct 8 12:14:31 2014 +0000

Fix broken cert revocation
    
    Cert revocation was broken by
    32b0adb591f80ad2c5c19519b4ffc2b55dbea672.  os.chdir() never returns
    anything, so this method would always raise an exception.  The proper
    way to handle an error from os.chdir() is to catch OSError.
    
    There were existing tests for this code, but they conveniently mocked
    os.chdir() to return values that are never actually returned.  The
    tests were fixed to match the real behavior.
    
    Change-Id: I7549bb60a7d43d53d6f81eecea31cbb9720cc8b6
    Closes-bug: #1376368
    (cherry picked from commit c8538208da00c3b0d0646629c9d668aa69944b85)

commit 6ed57972093835f449ad645b3783bbb8b3c4245e
Author: Russell Bryant <rbryant@redhat.com>
Date:   Fri Oct 3 16:41:03 2014 -0400

Update rpc version aliases for juno
    
    Update all of the rpc client API classes to include a version alias
    for the latest version implemented in Juno.  This alias is needed when
    doing rolling upgrades from Juno to Kilo.  With this in place, you can
    ensure all services only send messages that both Juno and Kilo will
    understand.
    
    Closes-bug: #1378786
    Change-Id: Ia81538130bf8530b70b5f55c7a3d565903ff54b4
    (cherry picked from commit f98d725103c53e767a1cddb0b7e2c3822309db17)

commit ee3594072a7ef1c3f5661021fb31118069cbd646
Author: Tristan Cacqueray <tristan.cacqueray@enovance.com>
Date:   Fri Oct 3 19:53:42 2014 +0000

Mask passwords in exceptions and error messages
    
    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a user with read access to
    the log files. It is therefore considered prudent to invoke
    strutils.mask_password() on the command, stdout and stderr in the
    exception. A test case has been added (to oslo-incubator) in order to
    ensure that all three are properly masked.
    
    An earlier commit (853d8f9897f8563851441108a9be26b10908c076) failed
    to address ssh_execute(). This change set addresses ssh_execute.
    
    OSSA is aware of this change request.
    
    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
    Closes-Bug: #1377981

commit f98c28228b6db5b0796e9669b6bd692b82bbfa6d
Author: liyingjun <liyingjun1988@gmail.com>
Date:   Sat Sep 6 18:41:51 2014 +0800

Fix KeyError for euca-describe-images
    
    EC2 describe images crashes on volume backed instance snapshot which has
    several volumes.
    
    Change-Id: Ibe278688b118db01c9c3ae1763954adf19c7ee0d
    Closes-bug: #1370265
    (cherry picked from commit 1dea1cd710d54d4a2a584590e4ccf59dd3a41faa)

commit 0aeffa12a62604ee3238323d969345e41937b642
Author: Vishvananda Ishaya <vishvananda@gmail.com>
Date:   Wed Oct 1 07:43:19 2014 -0700

Fix the os_networks display to show cidr properly
    
    Converting network_get and network_get_all to use objects broke
    the display of the os_networks extension, because IPAddress
    fields in Network objects are dumped as lists by the jsonutils
    extension. We therefore must explicitly convert these object
    field values to string.
    
    The tests are updated to use objects so that we pick up bugs
    like this in the future. Incorrect assertEqual parameter order
    is fixed in the tests too since these are comparing dicts and
    it's not fun debugging a MismatchError when the reference/actual
    values are backwards.
    
    Change-Id: I0f05a9b4d7bbe5fe0a3b110c191455ca7edefcb5
    Closes-Bug: #1376945
    Co-authored-by: Matt Riedemann <mriedem@us.ibm.com>
    (cherry picked from commit da25467aafce9b62dd3fdff9d6cd84121fbee17e)

commit 0251b53966eaa9e724377a300ea247367fd778c7
Author: Matt Riedemann <mriedem@us.ibm.com>
Date:   Sun Oct 5 05:56:35 2014 -0700

Disable libvirt NUMA topology support if libvirt < 1.0.4
    
    If you're not at a new enough version of libvirt, the compute service
    fails on startup because VirtNUMATopologyCellUsage is not fully
    populated.
    
    This add a min version check before trying to get host NUMA topology
    information.
    
    Closes-Bug: #1376307
    
    Change-Id: I00f6325cb554bc5e34d9f0fe651af39630f35b5d
    (cherry picked from commit 8ba0d9188d492028fcf4e65f908aa2d3db571952)

commit 5065aeca1b4acad513c07e3832ec0e12de2e6568
Author: Arnaud Legendre <arnaudleg@gmail.com>
Date:   Wed Oct 1 15:46:22 2014 -0700

Destroy orig VM during resize if triggered by user
    
    Patch I7598afbf0dc3c527471af34224003d28e64daaff introduces a
    Minesweeper failure, due to the fact that it doesn't distinguish
    between destroy operation triggered by the user and by the revert
    resize.
    
    This patch fixes the issue by checking the task state. If the task
    state is revert_resize, the original VM doesn't get deleted.
    
    Closes-Bug: #1376492
    
    Change-Id: Idb9ac6c1ec5dcea52ce8e028f5cce08da1779321
    (cherry picked from commit e464bc518e8590d59c2741948466777982ca3319)

commit 7caf12e258f01bf0811302bbe0d47dd40b56e6f0
Author: Sean Dague <sean@dague.net>
Date:   Thu Sep 25 12:25:26 2014 -0400

move integrated api client to requests library
    
    The integrated api client previously did the HTTPConnection /
    HTTPSConnection url parsing dance. In python 2.x HTTPSConnection
    doesn't care about SSL certs at all. While not actually an issue for
    these tests, it does mean we keep around an example in the code that
    uses HTTPSConnection, which will prevent us from creating a hacking
    rule to keep those out once the other 4 actual security issues with
    HTTPSConnection are removed.
    
    Change-Id: Idd7d5a055600dda663f9c56b39883510f8688b12
    Related-Bug: #1188189
    (cherry picked from commit 777a5870c9f29949e6af704bfa03c2e204065ab1)

commit cc88417637e4967860619e8d7e43f5d28957fcda
Author: Sylvain Bauza <sbauza@redhat.com>
Date:   Mon Sep 29 13:33:50 2014 +0200

Fix unsafe SSL connection on TrustedFilter
    
    TrustedFilter was using httplib which doesn't check for CAs.
    Here the change is using Requests and verifies local CAs by default (or another
    one if provided)
    This effort is related to CVE 2013-2255.
    
    SecurityImpact
    
    Closes-Bug: #1373993
    
    Change-Id: I0b8e6319a4cc39876b1e396ef705f0fc5def1e44
    (cherry picked from commit 30871e8702737edbbfbcbbb5f21858873b37685c)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-11-25: Change abandoned on cinder (master)

#18

Change abandoned by Mike Perez (<email address hidden>) on branch: master
Review: https://review.openstack.org/128920

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix merged to cinder (master)

#19

Download full text (11.8 KiB)

Reviewed: https://review.openstack.org/128920
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=66494f54112fdfa135b3974c75aa388c8d1fb49e
Submitter: Jenkins
Branch: master

commit be3d4604dc0566e0838959d998ff1d37755de6d3
Author: Tomoki Sekiyama <email address hidden>
Date: Tue Oct 14 19:09:44 2014 -0400

Fix LVM iSCSI driver tgtadm CHAP authentication

    Currently CHAP Authentication in LVM iSCSI driver with tgtadm does not work.
    This is because the tgtadm helper creates the target configuration file
    with an 'IncomingUser' entry, which is ignored by tgtd.
    This patch fixes it to 'incominguser'.

    Change-Id: I14871985a2a916834122f849238f05b75726bc1a
    Closes-Bug: #1329214
    (cherry picked from commit e3563891545c801726d227f752cf99488ed5c7dd)

commit f7ee62cc58d8b642af67510a310f6259492a4508
Author: Mitsuhiro Tanino <email address hidden>
Date: Tue Oct 14 12:41:41 2014 -0400

Export cinder volumes only if the status is 'in-use'

    Currently, cinder volumes are exported both 'in-use' and 'available'
    after restarting cinder-volume service.
    This behavior was introduced following commit.

      commit ffefe18334a9456250e1b6ff88b7b47fb366f374
      Author: Zhiteng Huang <email address hidden>
      Date: Sat Aug 23 18:32:57 2014 +0000

    If the volumes are attached to nova instances, they should be exported
    via tgtd after restarting cinder-volume.
    But the volumes which are not attached to instances must not be exported
    because everyone can connect these volumes.

This patch changes volume export behavior that exports a volume only if
the volume status is 'in-use'.

    Change-Id: I4c598c240b9290c81bd8001e5a0720c8c329aeb9
    Signed-off-by: Mitsuhiro Tanino <email address hidden>
    Closes-bug: #1381106
    (cherry picked from commit e2f28b967910625432be0eab6a851adf53ac58ea)

commit 01e7c516852e53df661b2eedc970c327c1ff10ce
Author: Vipin Balachandran <email address hidden>
Date: Fri Oct 10 23:06:27 2014 +0530

Revert "Relocate volume to compliant datastore"

    Commit 4be8913520f5e9fe4109ade101da9509e4a83360 introduced a regression
    which causes failures during cinder volume re-attach. This patch reverts
    commit 4be8913520f5e9fe4109ade101da9509e4a83360 as an immediate fix.

    Closes-Bug: #1379830
    Change-Id: I5dfbd45533489c3c81db8d256bbfd2f85614a357
    (cherry picked from commit 48cb82971e0418f9a629e2b39d0433dc2c0e6919)

commit 900d49723f65e87658381ff955559f54ac98c487
Author: Andreas Jaeger <email address hidden>
Date: Thu Oct 9 12:25:28 2014 +0200

Updated translations

    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_files cinder

Change-Id: I73f3bdccb4be98df95fa853864e465f4d83a8884

commit 8e94aaa2b28b491314fe8642061ac73e3fe8e966
Author: Navneet Singh <email address hidden>
Date: Thu Aug 28 16:03:41 2014 +0530

NetApp fix eseries unit test mock clean

...

Reviewed:  https://review.openstack.org/128920
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=66494f54112fdfa135b3974c75aa388c8d1fb49e
Submitter: Jenkins
Branch:    master

commit be3d4604dc0566e0838959d998ff1d37755de6d3
Author: Tomoki Sekiyama <tomoki.sekiyama@hds.com>
Date:   Tue Oct 14 19:09:44 2014 -0400

Fix LVM iSCSI driver tgtadm CHAP authentication
    
    Currently CHAP Authentication in LVM iSCSI driver with tgtadm does not work.
    This is because the tgtadm helper creates the target configuration file
    with an 'IncomingUser' entry, which is ignored by tgtd.
    This patch fixes it to 'incominguser'.
    
    Change-Id: I14871985a2a916834122f849238f05b75726bc1a
    Closes-Bug: #1329214
    (cherry picked from commit e3563891545c801726d227f752cf99488ed5c7dd)

commit f7ee62cc58d8b642af67510a310f6259492a4508
Author: Mitsuhiro Tanino <mitsuhiro.tanino@hds.com>
Date:   Tue Oct 14 12:41:41 2014 -0400

Export cinder volumes only if the status is 'in-use'
    
    Currently, cinder volumes are exported both 'in-use' and 'available'
    after restarting cinder-volume service.
    This behavior was introduced following commit.
    
      commit ffefe18334a9456250e1b6ff88b7b47fb366f374
      Author: Zhiteng Huang <zhithuang@ebaysf.com>
      Date: Sat Aug 23 18:32:57 2014 +0000
    
    If the volumes are attached to nova instances, they should be exported
    via tgtd after restarting cinder-volume.
    But the volumes which are not attached to instances must not be exported
    because everyone can connect these volumes.
    
    This patch changes volume export behavior that exports a volume only if
    the volume status is 'in-use'.
    
    Change-Id: I4c598c240b9290c81bd8001e5a0720c8c329aeb9
    Signed-off-by: Mitsuhiro Tanino <mitsuhiro.tanino@hds.com>
    Closes-bug: #1381106
    (cherry picked from commit e2f28b967910625432be0eab6a851adf53ac58ea)

commit 01e7c516852e53df661b2eedc970c327c1ff10ce
Author: Vipin Balachandran <vbala@vmware.com>
Date:   Fri Oct 10 23:06:27 2014 +0530

Revert "Relocate volume to compliant datastore"
    
    Commit 4be8913520f5e9fe4109ade101da9509e4a83360 introduced a regression
    which causes failures during cinder volume re-attach. This patch reverts
    commit 4be8913520f5e9fe4109ade101da9509e4a83360 as an immediate fix.
    
    Closes-Bug: #1379830
    Change-Id: I5dfbd45533489c3c81db8d256bbfd2f85614a357
    (cherry picked from commit 48cb82971e0418f9a629e2b39d0433dc2c0e6919)

commit 900d49723f65e87658381ff955559f54ac98c487
Author: Andreas Jaeger <aj@suse.de>
Date:   Thu Oct 9 12:25:28 2014 +0200

Updated translations
    
    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_files cinder
    
    Change-Id: I73f3bdccb4be98df95fa853864e465f4d83a8884

commit 8e94aaa2b28b491314fe8642061ac73e3fe8e966
Author: Navneet Singh <singn@netapp.com>
Date:   Thu Aug 28 16:03:41 2014 +0530

NetApp fix eseries unit test mock clean
    
    This patch fixes the issue of mock not getting
    cleaned for requests in unit tests.
    
    Closes-Bug: #1353506
    
    Change-Id: Iab401021d7f180ff1f2bf3ed79166699112cc367
    (cherry picked from commit 140956515327494a53de6ad09c35690624248f0a)

commit aaecfcf15e6b9defde5822453f2ae97aaf959408
Author: John Griffith <john.griffith8@gmail.com>
Date:   Tue Oct 7 11:49:58 2014 -0600

Make sure device support Direct before setting
    
    We added '-t none' option to the qemu-img convert operation
    in image_utils.py a while back to accomodate a couple of
    backend devices that didn't flush writes on disconnect.
    (Change: I7a04f683add8c23b9125fe837c4048ccc3ac224d)
    
    The only problem here is that some backend devices don't
    support Direct mode and raise an exception and fail when
    setting this option.
    
    This patch adds a simple check using dd to see if the dest
    supports the Direct flag and only sets '-t none' if the device
    does in fact support it.
    
    Additionally it was brought up that even yet other backends
    are using file devices not blk devices.  In their case setting
    Direct will still work, however it's sub-optimal as qemu-convert
    has internal mechanisms to make sure flushing etc are done
    correctly and efficiently for those devices.  So to accomodate
    that particular use case I'm also adding a check if blk dev
    that can be used for determining whether to set Direct for the
    qemu-convert process.
    
    Change-Id: I34127ac373ceadcfb6fc2662628b1a91eb7b0046
    Closes-Bug: 1375487
    (cherry picked from commit c42273fbc1983b146180c82b8a34b0d832a6f431)

commit a8cec39f8243fd4ee6c0a16fc0620d4b0980c749
Author: Juan Zuluaga <juan.c.zuluaga@oracle.com>
Date:   Wed Sep 24 18:51:07 2014 -0400

ZFSSA iSCSI vol create fails with vol type option
    
    Vol create with volume-type option is not working since
    volume_backend_name contains the class name as
    predefined string. No matter what was specified in cinder.conf
    as volume_backend_name, volume creation failed.
    Multi-backend option and using extra specs to create custom volumes
    won't work.
    The fix is to look whether volume_backend_name is part of the
    configuration or falls into the class name in case there is
    no backend name.
    
    Closes-Bug: 1373621
    DocImpact
    
    (cherry picked from commit 5c61d57d3693523e9cbf11bf0b5b09bafe699247)
    
    Change-Id: I1bc501dd4c5689d96c7beb720b64112df1770232

commit 04cd35fd88768ec0f5d23619cec2df4981ee7d8c
Author: Sean McGinnis <sean_mcginnis@dell.com>
Date:   Fri Sep 26 15:21:35 2014 -0500

Handle eqlx SSH connection close on abort.
    
    EqualLogic array CLI operation timeout causes the
    SSH thread to be aborted. This would cause SSH
    sessions to be orphaned and hit a max connection
    limit on the array. This fix catches these aborts
    and makes sure the connection is closed.
    
    Change-Id: I9392fd5dd79eb44f252bf50217f17cc473e6f2f0
    Closes-Bug: 1374613
    (cherry picked from commit 5cb23b67c53437fc51a6b37acac477fba4d6a7ab)

commit 787b328518b2eec8275956835ae16488644e7d87
Author: Juan Zuluaga <juan.c.zuluaga@oracle.com>
Date:   Tue Sep 16 11:23:36 2014 -0400

ZFSSA iSCSI driver cannot add multple initiators to a group
    
    All initiators defined in zfssa_initiator property would be
    added to the group.
    Also fixed some typos related to initiators error messages.
    
    Change-Id: Iec6c90702e5aafa153b4a7f1e429974ac450afc0
    Closes-Bug: #1369750
    (cherry picked from commit f94d671e627dd7b5143422ffe739418fcfb51a70)

commit c566767d6a5041d1d86b1e199028d78772ebc508
Author: Patrick East <patrick.east@purestorage.com>
Date:   Tue Sep 30 11:47:42 2014 -0700

Fix race condition in ISCSIConnector _disconnect_volume_multipath_iscsi
    
    This is a similar issue as seen in
    https://bugs.launchpad.net/cinder/+bug/1375382
    
    The list of devices returned by driver.get_all_block_devices() in
    _disconnect_volume_multipath_iscsi will potentially contain broken
    symlinks as the SCSI devices have been deleted from calling
    self._linuxscsi.remove_multipath_device(device_realpath) right before
    _disconnect_volume_multipath_iscsi but the udev rule for the symlink
    may not yet have completed.
    
    Adding in a check to os.path.exists() will ensure that we will not
    consider the broken symlinks as an “in use” device.
    
    Change-Id: I79c9627e9b47127d3765fcec5b7e3bacef179630
    Closes-Bug: #1375946
    (cherry picked from commit 4541521de576297d9b7d4115b040ff54773d9d50)

commit 40eff25fce9a350d1872b083503e4306242961de
Author: Clinton Knight <cknight@netapp.com>
Date:   Fri Sep 26 12:07:44 2014 -0400

Deprecate / obsolete NetApp volume extra specs
    
    The NetApp Data ONTAP (Cluster-mode) NFS & iSCSI drivers for Juno support
    the Cinder pools feature, but the drivers are reporting two qualified
    extra specs that must be converted to unqualified extra specs in order to
    be used by the Cinder scheduler's capability filter. Furthermore, there
    are four extra specs that must be deprecated due to having the pools
    feature.  Warnings will be logged during volume creation if any of the
    obsolete or deprecated extra specs are seen in the volume type.
    
    Change-Id: I4dbd667610e481356304a12b8dae84cff61aa9d9
    Closes-bug: 1374630
    (cherry picked from commit 4cb4be4122a44dc99d6f29f065cdd32ae86273ce)

commit 2601acaec8d3c154f7638db0e7dad307d0efcc48
Author: Vincent Hou <sbhou@cn.ibm.com>
Date:   Fri Sep 12 16:10:02 2014 +0800

IBM Storwize driver: Retype the volume with correct empty QoS
    
    * Currently for Storwzie driver, if the new type does not have QoS
    configurations, the old QoS configurations remain in the volume after
    retyping it. It should be retyped into a volume with empty QoS for the
    Storwize driver.
    * Refactor three dicts into one for better maintainance of the QoS keys
    for Storwize driver.
    
    DocImpact
    
    Change-Id: I2b2801a4ef72ef02c11392ed00b56f5263a8a7e4
    Closes-Bug: #1368595
    (cherry picked from commit 26de1b1d829849665dae921b8be739194b84515d)

commit d5efe6703297761215907eeaf703cec040e6ad25
Author: Tristan Cacqueray <tristan.cacqueray@enovance.com>
Date:   Fri Oct 3 19:57:01 2014 +0000

Sync latest processutils from oslo-incubator
    
    An earlier commit (Ia92aab76fa83d01c5fbf6f9d31df2463fc26ba5c) failed
    to address ssh_execute(). This change set addresses ssh_execute.
    
    ------------------------------------------------
    
    oslo-incubator head:
    
    commit 4990535fb5f3e2dc9b397e1a18c1b5dda94ef1c4
    Merge: 9f5c700 2a130bf
    Author: Jenkins <jenkins@review.openstack.org>
    Date:   Mon Sep 29 23:12:14 2014 +0000
    
        Merge "Script to list unreleased changes in all oslo projects"
    
    -----------------------------------------------
    
    The sync pulls in the following changes (newest to oldest):
    
    6a60f842 - Mask passwords in exceptions and error messages (SSH)
    
    -----------------------------------------------
    
    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
    Closes-Bug: #1377981
    (cherry picked from commit 5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567)

commit c70ef7d8d4d9479fe5d3f4a8387c4eac1dca274d
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Mon Oct 6 16:09:05 2014 +0000

Updated from global requirements
    
    Change-Id: I116f04494e596e470f8fec242466ac5fe21b222c

commit 79afa849658f689a9105473fdfba1d993684d3df
Author: Lucian Petrut <lpetrut@cloudbasesolutions.com>
Date:   Tue Sep 30 11:58:22 2014 +0300

Windows SMBFS: Handle volume_name in _qemu_img_info
    
    The volume_name is now parsed to the _qemu_img_info wrapper. As
    this method is not prone to security issues because this driver
    does not support raw images (at least not yet), we don't have to
    perform any checks on the backing image file path.
    
    Thus, this method simply ignores this argument that will be parsed
    by the base class methods.
    
    Related-Bug: #1350504
    
    Change-Id: I801a6338250ec2dc631c4058543f7d0088b3e4d4
    (cherry picked from commit 5e0ce63d6df39dcad5a0ef35553369e49c67dfb8)

commit 608ecf565f99b9840095ecff424e396c4bae631a
Author: Eric Harney <eharney@redhat.com>
Date:   Tue Sep 9 16:20:24 2014 -0400

Refuse invalid qcow2 backing files
    
    Don't allow qcow2 files that are pointing to backing files outside of:
    
    volume-<id>
    volume-<id>.<snap-id>
    volume-<id>.tmp-snap-<snap-id>
    
    (optionally prefixed with /mnt/path)
    
    Closes-Bug: #1350504
    
    Change-Id: Ic89cffc93940b7b119cfcde3362f304c9f2875df
    (cherry picked from commit dca3c8323cf8cf12aa8ce4ba21f647ce631e8153)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-09: Fix proposed to nova (stable/liberty)

#20

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/314012

Revision history for this message

Kashyap Chamarthy (kashyapc) wrote on 2016-05-09:

#21

(Sorry, please disregard comment#20 -- it was an inadvertent typo, and meant for a different bug -- LP# 1562681)

Cinder

[OSSA 2014-036] Missing fix for ssh_execute (Exceptions thrown may contain passwords) (CVE-2014-7230, CVE-2014-7231)

Bug Description

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to	Milestone
Cinder	Fix Released	Medium	Tristan Cacqueray	Cinder 2014.2 "juno"
Icehouse	Fix Released	Undecided	Tristan Cacqueray
OpenStack Compute (nova)	Fix Released	Undecided	Tristan Cacqueray	OpenStack Compute (nova) 2014.2 "juno"
Icehouse	Fix Released	Undecided	Tristan Cacqueray	OpenStack Compute (nova) 2014.1.4
OpenStack Security Advisory	Fix Released	Medium	Tristan Cacqueray
oslo-incubator	Fix Released	Undecided	Tristan Cacqueray
Icehouse	Fix Committed	Undecided	Tristan Cacqueray