Bug #1373993 “Trusted Filter uses unsafe SSL connection” : Bugs : OpenStack Compute (nova)

Revision history for this message

Sean Dague (sdague) wrote on 2014-09-25:

#1

Specific version of - https://bugs.launchpad.net/nova/+bug/1188189

Changed in nova:
status:	New → Triaged
importance:	Undecided → Critical
tags:	added: scheduler

Sylvain Bauza (sylvain-bauza) on 2014-09-25

Changed in nova:
assignee:	nobody → Sylvain Bauza (sylvain-bauza)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-29: Fix proposed to nova (master)

#2

Fix proposed to branch: master
Review: https://review.openstack.org/124714

Changed in nova:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-04: Fix proposed to nova (proposed/juno)

#3

Fix proposed to branch: proposed/juno
Review: https://review.openstack.org/126137

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-04: Fix merged to nova (master)

#4

Reviewed: https://review.openstack.org/124714
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=30871e8702737edbbfbcbbb5f21858873b37685c
Submitter: Jenkins
Branch: master

commit 30871e8702737edbbfbcbbb5f21858873b37685c
Author: Sylvain Bauza <email address hidden>
Date: Mon Sep 29 13:33:50 2014 +0200

Fix unsafe SSL connection on TrustedFilter

    TrustedFilter was using httplib which doesn't check for CAs.
    Here the change is using Requests and verifies local CAs by default (or another
    one if provided)
    This effort is related to CVE 2013-2255.

SecurityImpact

Closes-Bug: #1373993

Change-Id: I0b8e6319a4cc39876b1e396ef705f0fc5def1e44

Changed in nova:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2014-10-07

tags:

added: juno-rc-potential

Thierry Carrez (ttx) on 2014-10-07

Changed in nova:
milestone:	none → juno-rc2

Thierry Carrez (ttx) on 2014-10-07

tags:

removed: juno-rc-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-07: Fix merged to nova (proposed/juno)

#5

Reviewed: https://review.openstack.org/126137
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cc88417637e4967860619e8d7e43f5d28957fcda
Submitter: Jenkins
Branch: proposed/juno

commit cc88417637e4967860619e8d7e43f5d28957fcda
Author: Sylvain Bauza <email address hidden>
Date: Mon Sep 29 13:33:50 2014 +0200

Fix unsafe SSL connection on TrustedFilter

    TrustedFilter was using httplib which doesn't check for CAs.
    Here the change is using Requests and verifies local CAs by default (or another
    one if provided)
    This effort is related to CVE 2013-2255.

SecurityImpact

Closes-Bug: #1373993

Change-Id: I0b8e6319a4cc39876b1e396ef705f0fc5def1e44
(cherry picked from commit 30871e8702737edbbfbcbbb5f21858873b37685c)

Thierry Carrez (ttx) on 2014-10-07

Changed in nova:
status:	Fix Committed → Fix Released

Yaguang Tang (heut2008) on 2014-10-09

tags:

added: icehouse-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-09: Fix proposed to nova (stable/icehouse)

#6

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/127203

Thierry Carrez (ttx) on 2014-10-16

Changed in nova:
milestone:	juno-rc2 → 2014.2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-16: Fix proposed to nova (master)

#7

Fix proposed to branch: master
Review: https://review.openstack.org/128894

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-20: Fix merged to nova (master)

#8

Download full text (7.7 KiB)

Reviewed: https://review.openstack.org/128894
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9825784742d010a902ff149765269ad32a8a0dfd
Submitter: Jenkins
Branch: master

commit 7c9aa6da92805f20083203a6ec8f93b1b592fc13
Author: He Jie Xu <email address hidden>
Date: Sun Oct 5 00:20:01 2014 +0800

Fix pci_request_id break the upgrade from icehouse to juno

    commit a8a5d44c8aca218f00649232c2b8a46aee59b77e add pci_request_id
    as one item for the request_network tuple. But the icehouse code
    assume only three items in the tuple.

This patch filters pci_request_id out from the tuple.

Cherry-Pick from:
https://review.openstack.org/#/c/126144/6

Change-Id: I991e1c68324fe92fac647583f3ec8f6aec637913
Closes-Bug: #1377447

commit 10a5eecd0973096b57efd31f8b27d7295a44ab89
Author: Andreas Jaeger <email address hidden>
Date: Thu Oct 9 12:22:36 2014 +0200

Updated translations

    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_file nova

Change-Id: I64b2b468f7edd44dbb445b5b4e68b65c3fa53d9e

commit 3f9003270efd9ac036f3c229b36baa0bb05203bf
Author: Russell Bryant <email address hidden>
Date: Wed Oct 8 12:14:31 2014 +0000

Fix broken cert revocation

    Cert revocation was broken by
    32b0adb591f80ad2c5c19519b4ffc2b55dbea672. os.chdir() never returns
    anything, so this method would always raise an exception. The proper
    way to handle an error from os.chdir() is to catch OSError.

    There were existing tests for this code, but they conveniently mocked
    os.chdir() to return values that are never actually returned. The
    tests were fixed to match the real behavior.

    Change-Id: I7549bb60a7d43d53d6f81eecea31cbb9720cc8b6
    Closes-bug: #1376368
    (cherry picked from commit c8538208da00c3b0d0646629c9d668aa69944b85)

commit 6ed57972093835f449ad645b3783bbb8b3c4245e
Author: Russell Bryant <email address hidden>
Date: Fri Oct 3 16:41:03 2014 -0400

Update rpc version aliases for juno

    Update all of the rpc client API classes to include a version alias
    for the latest version implemented in Juno. This alias is needed when
    doing rolling upgrades from Juno to Kilo. With this in place, you can
    ensure all services only send messages that both Juno and Kilo will
    understand.

    Closes-bug: #1378786
    Change-Id: Ia81538130bf8530b70b5f55c7a3d565903ff54b4
    (cherry picked from commit f98d725103c53e767a1cddb0b7e2c3822309db17)

commit ee3594072a7ef1c3f5661021fb31118069cbd646
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:53:42 2014 +0000

Mask passwords in exceptions and error messages

    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a u...

Reviewed:  https://review.openstack.org/128894
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9825784742d010a902ff149765269ad32a8a0dfd
Submitter: Jenkins
Branch:    master

commit 7c9aa6da92805f20083203a6ec8f93b1b592fc13
Author: He Jie Xu <xuhj@linux.vnet.ibm.com>
Date:   Sun Oct 5 00:20:01 2014 +0800

Fix pci_request_id break the upgrade from icehouse to juno
    
    commit a8a5d44c8aca218f00649232c2b8a46aee59b77e add pci_request_id
    as one item for the request_network tuple. But the icehouse code
    assume only three items in the tuple.
    
    This patch filters pci_request_id out from the tuple.
    
    Cherry-Pick from:
    https://review.openstack.org/#/c/126144/6
    
    Change-Id: I991e1c68324fe92fac647583f3ec8f6aec637913
    Closes-Bug: #1377447

commit 10a5eecd0973096b57efd31f8b27d7295a44ab89
Author: Andreas Jaeger <aj@suse.de>
Date:   Thu Oct 9 12:22:36 2014 +0200

Updated translations
    
    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_file nova
    
    Change-Id: I64b2b468f7edd44dbb445b5b4e68b65c3fa53d9e

commit 3f9003270efd9ac036f3c229b36baa0bb05203bf
Author: Russell Bryant <rbryant@redhat.com>
Date:   Wed Oct 8 12:14:31 2014 +0000

Fix broken cert revocation
    
    Cert revocation was broken by
    32b0adb591f80ad2c5c19519b4ffc2b55dbea672.  os.chdir() never returns
    anything, so this method would always raise an exception.  The proper
    way to handle an error from os.chdir() is to catch OSError.
    
    There were existing tests for this code, but they conveniently mocked
    os.chdir() to return values that are never actually returned.  The
    tests were fixed to match the real behavior.
    
    Change-Id: I7549bb60a7d43d53d6f81eecea31cbb9720cc8b6
    Closes-bug: #1376368
    (cherry picked from commit c8538208da00c3b0d0646629c9d668aa69944b85)

commit 6ed57972093835f449ad645b3783bbb8b3c4245e
Author: Russell Bryant <rbryant@redhat.com>
Date:   Fri Oct 3 16:41:03 2014 -0400

Update rpc version aliases for juno
    
    Update all of the rpc client API classes to include a version alias
    for the latest version implemented in Juno.  This alias is needed when
    doing rolling upgrades from Juno to Kilo.  With this in place, you can
    ensure all services only send messages that both Juno and Kilo will
    understand.
    
    Closes-bug: #1378786
    Change-Id: Ia81538130bf8530b70b5f55c7a3d565903ff54b4
    (cherry picked from commit f98d725103c53e767a1cddb0b7e2c3822309db17)

commit ee3594072a7ef1c3f5661021fb31118069cbd646
Author: Tristan Cacqueray <tristan.cacqueray@enovance.com>
Date:   Fri Oct 3 19:53:42 2014 +0000

Mask passwords in exceptions and error messages
    
    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a user with read access to
    the log files. It is therefore considered prudent to invoke
    strutils.mask_password() on the command, stdout and stderr in the
    exception. A test case has been added (to oslo-incubator) in order to
    ensure that all three are properly masked.
    
    An earlier commit (853d8f9897f8563851441108a9be26b10908c076) failed
    to address ssh_execute(). This change set addresses ssh_execute.
    
    OSSA is aware of this change request.
    
    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
    Closes-Bug: #1377981

commit f98c28228b6db5b0796e9669b6bd692b82bbfa6d
Author: liyingjun <liyingjun1988@gmail.com>
Date:   Sat Sep 6 18:41:51 2014 +0800

Fix KeyError for euca-describe-images
    
    EC2 describe images crashes on volume backed instance snapshot which has
    several volumes.
    
    Change-Id: Ibe278688b118db01c9c3ae1763954adf19c7ee0d
    Closes-bug: #1370265
    (cherry picked from commit 1dea1cd710d54d4a2a584590e4ccf59dd3a41faa)

commit 0aeffa12a62604ee3238323d969345e41937b642
Author: Vishvananda Ishaya <vishvananda@gmail.com>
Date:   Wed Oct 1 07:43:19 2014 -0700

Fix the os_networks display to show cidr properly
    
    Converting network_get and network_get_all to use objects broke
    the display of the os_networks extension, because IPAddress
    fields in Network objects are dumped as lists by the jsonutils
    extension. We therefore must explicitly convert these object
    field values to string.
    
    The tests are updated to use objects so that we pick up bugs
    like this in the future. Incorrect assertEqual parameter order
    is fixed in the tests too since these are comparing dicts and
    it's not fun debugging a MismatchError when the reference/actual
    values are backwards.
    
    Change-Id: I0f05a9b4d7bbe5fe0a3b110c191455ca7edefcb5
    Closes-Bug: #1376945
    Co-authored-by: Matt Riedemann <mriedem@us.ibm.com>
    (cherry picked from commit da25467aafce9b62dd3fdff9d6cd84121fbee17e)

commit 0251b53966eaa9e724377a300ea247367fd778c7
Author: Matt Riedemann <mriedem@us.ibm.com>
Date:   Sun Oct 5 05:56:35 2014 -0700

Disable libvirt NUMA topology support if libvirt < 1.0.4
    
    If you're not at a new enough version of libvirt, the compute service
    fails on startup because VirtNUMATopologyCellUsage is not fully
    populated.
    
    This add a min version check before trying to get host NUMA topology
    information.
    
    Closes-Bug: #1376307
    
    Change-Id: I00f6325cb554bc5e34d9f0fe651af39630f35b5d
    (cherry picked from commit 8ba0d9188d492028fcf4e65f908aa2d3db571952)

commit 5065aeca1b4acad513c07e3832ec0e12de2e6568
Author: Arnaud Legendre <arnaudleg@gmail.com>
Date:   Wed Oct 1 15:46:22 2014 -0700

Destroy orig VM during resize if triggered by user
    
    Patch I7598afbf0dc3c527471af34224003d28e64daaff introduces a
    Minesweeper failure, due to the fact that it doesn't distinguish
    between destroy operation triggered by the user and by the revert
    resize.
    
    This patch fixes the issue by checking the task state. If the task
    state is revert_resize, the original VM doesn't get deleted.
    
    Closes-Bug: #1376492
    
    Change-Id: Idb9ac6c1ec5dcea52ce8e028f5cce08da1779321
    (cherry picked from commit e464bc518e8590d59c2741948466777982ca3319)

commit 7caf12e258f01bf0811302bbe0d47dd40b56e6f0
Author: Sean Dague <sean@dague.net>
Date:   Thu Sep 25 12:25:26 2014 -0400

move integrated api client to requests library
    
    The integrated api client previously did the HTTPConnection /
    HTTPSConnection url parsing dance. In python 2.x HTTPSConnection
    doesn't care about SSL certs at all. While not actually an issue for
    these tests, it does mean we keep around an example in the code that
    uses HTTPSConnection, which will prevent us from creating a hacking
    rule to keep those out once the other 4 actual security issues with
    HTTPSConnection are removed.
    
    Change-Id: Idd7d5a055600dda663f9c56b39883510f8688b12
    Related-Bug: #1188189
    (cherry picked from commit 777a5870c9f29949e6af704bfa03c2e204065ab1)

commit cc88417637e4967860619e8d7e43f5d28957fcda
Author: Sylvain Bauza <sbauza@redhat.com>
Date:   Mon Sep 29 13:33:50 2014 +0200

Fix unsafe SSL connection on TrustedFilter
    
    TrustedFilter was using httplib which doesn't check for CAs.
    Here the change is using Requests and verifies local CAs by default (or another
    one if provided)
    This effort is related to CVE 2013-2255.
    
    SecurityImpact
    
    Closes-Bug: #1373993
    
    Change-Id: I0b8e6319a4cc39876b1e396ef705f0fc5def1e44
    (cherry picked from commit 30871e8702737edbbfbcbbb5f21858873b37685c)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-11: Fix merged to nova (stable/icehouse)

#9

Reviewed: https://review.openstack.org/127203
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=d7c8e936f373695580721f418e3eea7a31c00ea1
Submitter: Jenkins
Branch: stable/icehouse

commit d7c8e936f373695580721f418e3eea7a31c00ea1
Author: Sylvain Bauza <email address hidden>
Date: Mon Sep 29 13:33:50 2014 +0200

Fix unsafe SSL connection on TrustedFilter

    TrustedFilter was using httplib which doesn't check for CAs.
    Here the change is using Requests and verifies local CAs by default (or another
    one if provided)
    This effort is related to CVE 2013-2255.
    SecurityImpact

    ReleaseNote
    This patch adds an option attestation_insecure_ssl in TrustedFilter which can be
    used to verify CAs. The default value is set to True, disabling SSL certificate
    verification. While this is the insecure option, it was selected for backward
    compatibility reasons.

Closes-Bug: #1373993
(cherry picked from commit 30871e8702737edbbfbcbbb5f21858873b37685c)

Conflicts:
nova/tests/scheduler/test_host_filters.py

Change-Id: I0b8e6319a4cc39876b1e396ef705f0fc5def1e44

tags:

added: in-stable-icehouse

Alan Pevec (apevec) on 2015-03-13

tags:

removed: icehouse-backport-potential in-stable-icehouse

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Critical	Sylvain Bauza	OpenStack Compute (nova) 2014.2 "juno"
	Icehouse	Fix Released	Critical	Yaguang Tang	OpenStack Compute (nova) 2014.1.4

OpenStack Compute (nova)

Trusted Filter uses unsafe SSL connection

Bug Description

Other bug subscribers

Remote bug watches