From: "Matt Thode" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Matt Thode" Message-ID: <1478270884.3930fb660c9d11c546f1959d4a2bdf66dd8f67e2.prometheanfire@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: sys-cluster/heat/files/, sys-cluster/heat/ X-VCS-Repository: repo/gentoo X-VCS-Files: sys-cluster/heat/files/CVE-2016-9185.patch sys-cluster/heat/heat-7.0.0-r1.ebuild sys-cluster/heat/heat-7.0.0.ebuild X-VCS-Directories: sys-cluster/heat/ sys-cluster/heat/files/ X-VCS-Committer: prometheanfire X-VCS-Committer-Name: Matt Thode X-VCS-Revision: 3930fb660c9d11c546f1959d4a2bdf66dd8f67e2 X-VCS-Branch: master Date: Fri, 4 Nov 2016 14:48:31 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 922947a0-9e7b-4267-8942-d825ae4727ef X-Archives-Hash: 9334d4695cc893d951bcb9a97bd137e2 commit: 3930fb660c9d11c546f1959d4a2bdf66dd8f67e2 Author: Matthew Thode gentoo org> AuthorDate: Fri Nov 4 14:48:04 2016 +0000 Commit: Matt Thode gentoo org> CommitDate: Fri Nov 4 14:48:04 2016 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3930fb66 sys-cluster/heat: fix CVE-2016-9185 bug 598940 Package-Manager: portage-2.3.0 sys-cluster/heat/files/CVE-2016-9185.patch | 53 ++++++++++++++++++++++ .../{heat-7.0.0.ebuild => heat-7.0.0-r1.ebuild} | 5 +- 2 files changed, 56 insertions(+), 2 deletions(-) diff --git a/sys-cluster/heat/files/CVE-2016-9185.patch b/sys-cluster/heat/files/CVE-2016-9185.patch new file mode 100644 index 00000000..7b6bd86 --- /dev/null +++ b/sys-cluster/heat/files/CVE-2016-9185.patch 
@@ -0,0 +1,53 @@ +From 02dfb1a64f8a545a6dfed15245ac54c8ea835b81 Mon Sep 17 00:00:00 2001 +From: Daniel Gonzalez +Date: Mon, 17 Oct 2016 10:22:42 +0200 +Subject: Prevent template validate from scanning ports + +The template validation method in the heat API allows to specify the +template to validate using a URL with the 'template_url' parameter. + +By entering invalid http URLs, like 'http://localhost:22' it is +possible to scan ports by evaluating the error message of the request. + +For example, the request + +curl -H "Content-Type: application/json" -H "X-Auth-Token: " \ +-X POST -d '{"template_url": "http://localhost:22"}' \ +http://127.0.0.1:8004/v1//validate + +causes the following error message to be returned to the user: + +"Could not retrieve template: Failed to retrieve template: +('Connection aborted.', +BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))" + +This could be misused by tenants to gain knowledge about the internal +network the heat API runs in. + +To prevent this information leak, this patch alters the error message +to not include such details when the url scheme is not 'file'. + +SecurityImpact + +Closes-Bug: #1606500 + +Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950 +(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98) +--- + heat/common/urlfetch.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py +index 7efd968..8a7deae 100644 +--- a/heat/common/urlfetch.py ++++ b/heat/common/urlfetch.py +@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')): + return result + + except exceptions.RequestException as ex: +- raise URLFetchError(_('Failed to retrieve template: %s') % ex) ++ LOG.info(_LI('Failed to retrieve template: %s') % ex) ++ raise URLFetchError(_('Failed to retrieve template from %s') % url) +-- +cgit v0.12 + 
diff --git a/sys-cluster/heat/heat-7.0.0.ebuild b/sys-cluster/heat/heat-7.0.0-r1.ebuild similarity index 99% rename from sys-cluster/heat/heat-7.0.0.ebuild rename to sys-cluster/heat/heat-7.0.0-r1.ebuild index 9477a14..37461d9 100644 --- a/sys-cluster/heat/heat-7.0.0.ebuild +++ b/sys-cluster/heat/heat-7.0.0-r1.ebuild @@ -113,8 +113,9 @@ RDEPEND=" >=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}] >=dev-python/yaql-1.1.0[${PYTHON_USEDEP}]" -#PATCHES=( -#) +PATCHES=( + "${FILESDIR}/CVE-2016-9185.patch" +) pkg_setup() { enewgroup heat
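Review bot: In the `except exceptions.RequestException as ex:` branch of `heat/common/urlfetch.py`, the replacement is unconditional in the visible lines, while the commit message says the detail is withheld "when the url scheme is not 'file'"; either the message or the code should be adjusted so the two agree. The new `LOG.info(_LI('Failed to retrieve template: %s') % ex)` interpolates with `%` before the call; passing `ex` as a logger argument defers formatting to the logging layer. The hunk adds no import lines, so confirm that `LOG` and `_LI` are already defined in this module for 7.0.0, otherwise the handler raises NameError instead of URLFetchError. The change only alters the text returned to the caller; the fetch of the tenant-supplied URL that precedes this handler is untouched.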
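Review bot: The new `PATCHES` entry in `heat-7.0.0-r1.ebuild` points at `${FILESDIR}/CVE-2016-9185.patch`, a name with no package or version prefix, so nothing ties the file to the 7.0.0 sources once other versions share `files/`; a name such as `heat-7.0.0-CVE-2016-9185.patch` would make that explicit. The hunk shows neither the EAPI nor a `src_prepare`, so confirm the array is actually applied during prepare. The added patch file also carries the `cgit v0.12` trailer from the web download; it is harmless to `patch`, but worth knowing the file is a gitweb export rather than `git format-patch` output.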