Merge lp:~niedbalski/python-keystoneclient/kilo-fix-lp-1368545 into lp:~ubuntu-server-dev/python-keystoneclient/kilo

Proposed by Jorge Niedbalski
Status: Merged
Merged at revision: 100
Proposed branch: lp:~niedbalski/python-keystoneclient/kilo-fix-lp-1368545
Merge into: lp:~ubuntu-server-dev/python-keystoneclient/kilo
Diff against target: 145 lines (+123/-0)
4 files modified
debian/changelog (+17/-0)
debian/patches/CVE-2015-1852.patch (+79/-0)
debian/patches/fix-1368545.patch (+25/-0)
debian/patches/series (+2/-0)
To merge this branch: bzr merge lp:~niedbalski/python-keystoneclient/kilo-fix-lp-1368545
Reviewer Review Type Date Requested Status
Corey Bryant Approve
Review via email: mp+267361@code.launchpad.net

Description of the change

Fixes LP: #1368545

104. By Jorge Niedbalski

Typo on description

Revision history for this message
Corey Bryant (corey.bryant) :
review: Approve

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2015-03-05 14:03:29 +0000
3+++ debian/changelog 2015-08-07 15:08:21 +0000
4@@ -1,3 +1,20 @@
5+python-keystoneclient (1:1.2.0-0ubuntu1.2) vivid; urgency=medium
6+
7+ * debian/patches/fix-1368545.patch: Changing the value type of
8+ http_connect_timeout to IntOpt. (LP: #1368545)
9+
10+ -- Jorge Niedbalski <jorge.niedbalski@canonical.com> Fri, 07 Aug 2015 11:53:37 -0300
11+
12+python-keystoneclient (1:1.2.0-0ubuntu1.1) vivid-security; urgency=medium
13+
14+ * SECURITY UPDATE: incorrect cert verification with ssl_insecure option
15+ - debian/patches/CVE-2015-1852.patch: properly parse option in
16+ keystoneclient/middleware/s3_token.py, added test to
17+ keystoneclient/tests/unit/test_s3_token_middleware.py.
18+ - CVE-2015-1852
19+
20+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 16 Jul 2015 14:44:43 -0400
21+
22 python-keystoneclient (1:1.2.0-0ubuntu1) vivid; urgency=medium
23
24 * New upstream release.
25
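Review bot: the new 1:1.2.0-0ubuntu1.2 entry cites only the Launchpad bug; for an SRU it helps to also name the upstream change the patch was taken from (the patch's own Origin line points at https://review.openstack.org/#/c/126543), so the SRU reviewer can see this is a cherry-pick rather than a distro-local change. Also confirm that the 1:1.2.0-0ubuntu1.1 vivid-security entry is copied verbatim from the published security upload, since the target branch did not carry it before this merge and the packaging branch must not diverge from what is in the archive.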
26=== added file 'debian/patches/CVE-2015-1852.patch'
27--- debian/patches/CVE-2015-1852.patch 1970-01-01 00:00:00 +0000
28+++ debian/patches/CVE-2015-1852.patch 2015-08-07 15:08:21 +0000
29@@ -0,0 +1,79 @@
30+From 85eeecbd3d06e98011def3d0d8329646cc175163 Mon Sep 17 00:00:00 2001
31+From: Brant Knudson <bknudson@us.ibm.com>
32+Date: Tue, 7 Apr 2015 19:38:29 +0000
33+Subject: [PATCH] Fix s3_token middleware parsing insecure option
34+
35+The "insecure" option was being treated as a bool when it was
36+actually provided as a string. The fix is to parse the string to
37+a bool.
38+
39+Closes-Bug: 1411063
40+Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3
41+---
42+ keystoneclient/middleware/s3_token.py | 3 ++-
43+ .../tests/unit/test_s3_token_middleware.py | 24 +++++++++++++++++++++-
44+ 2 files changed, 25 insertions(+), 2 deletions(-)
45+
46+Index: python-keystoneclient-1.2.0/keystoneclient/middleware/s3_token.py
47+===================================================================
48+--- python-keystoneclient-1.2.0.orig/keystoneclient/middleware/s3_token.py 2015-07-16 14:44:32.325609427 -0400
49++++ python-keystoneclient-1.2.0/keystoneclient/middleware/s3_token.py 2015-07-16 14:44:32.321609377 -0400
50+@@ -34,6 +34,7 @@
51+ import logging
52+
53+ from oslo_serialization import jsonutils
54++from oslo_utils import strutils
55+ import requests
56+ import six
57+ from six.moves import urllib
58+@@ -116,7 +117,7 @@
59+ self.request_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port)
60+
61+ # SSL
62+- insecure = conf.get('insecure', False)
63++ insecure = strutils.bool_from_string(conf.get('insecure', False))
64+ cert_file = conf.get('certfile')
65+ key_file = conf.get('keyfile')
66+
67+Index: python-keystoneclient-1.2.0/keystoneclient/tests/unit/test_s3_token_middleware.py
68+===================================================================
69+--- python-keystoneclient-1.2.0.orig/keystoneclient/tests/unit/test_s3_token_middleware.py 2015-07-16 14:44:32.325609427 -0400
70++++ python-keystoneclient-1.2.0/keystoneclient/tests/unit/test_s3_token_middleware.py 2015-07-16 14:44:32.325609427 -0400
71+@@ -122,7 +122,7 @@
72+ @mock.patch.object(requests, 'post')
73+ def test_insecure(self, MOCK_REQUEST):
74+ self.middleware = (
75+- s3_token.filter_factory({'insecure': True})(FakeApp()))
76++ s3_token.filter_factory({'insecure': 'True'})(FakeApp()))
77+
78+ text_return_value = jsonutils.dumps(GOOD_RESPONSE)
79+ if six.PY3:
80+@@ -140,6 +140,28 @@
81+ mock_args, mock_kwargs = MOCK_REQUEST.call_args
82+ self.assertIs(mock_kwargs['verify'], False)
83+
84++ def test_insecure_option(self):
85++ # insecure is passed as a string.
86++
87++ # Some non-secure values.
88++ true_values = ['true', 'True', '1', 'yes']
89++ for val in true_values:
90++ config = {'insecure': val, 'certfile': 'false_ind'}
91++ middleware = s3_token.filter_factory(config)(FakeApp())
92++ self.assertIs(False, middleware.verify)
93++
94++ # Some "secure" values, including unexpected value.
95++ false_values = ['false', 'False', '0', 'no', 'someweirdvalue']
96++ for val in false_values:
97++ config = {'insecure': val, 'certfile': 'false_ind'}
98++ middleware = s3_token.filter_factory(config)(FakeApp())
99++ self.assertEqual('false_ind', middleware.verify)
100++
101++ # Default is secure.
102++ config = {'certfile': 'false_ind'}
103++ middleware = s3_token.filter_factory(config)(FakeApp())
104++ self.assertIs('false_ind', middleware.verify)
105++
106+
107+ class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
108+ def setUp(self):
109
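Review bot: the default-case check at the end of test_insecure_option uses `self.assertIs('false_ind', middleware.verify)` while the loop above uses `self.assertEqual('false_ind', middleware.verify)`; identity on a str literal only passes because of CPython string interning, so assertEqual is the right assertion there. Because this file reproduces the CVE-2015-1852 patch already published in 1:1.2.0-0ubuntu1.1, it should stay byte-identical to that upload rather than be edited in this branch, and the nit belongs upstream. For the record, strutils.bool_from_string maps unrecognised strings such as 'someweirdvalue' to False, so an unparsable insecure setting falls back to certificate verification (the secure default), which the added test covers.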
110=== added file 'debian/patches/fix-1368545.patch'
111--- debian/patches/fix-1368545.patch 1970-01-01 00:00:00 +0000
112+++ debian/patches/fix-1368545.patch 2015-08-07 15:08:21 +0000
113@@ -0,0 +1,25 @@
114+Description: Changing the value type of http_connect_timeout
115+
116+The value type of http_connect_timeout definition
117+is changed from Bool to Int value. Python treats
118+a value more than 1 as True but oslo config defines
119+Boolean values as 'true, '1', 'yes' and 'on'.
120+So http_connect_timeout is only configured 1 or None.
121+
122+Change-Id: I53075cc04d0ccea543f8e657279534208ed03058
123+Closes-bug: #1368545.
124+
125+Origin: upstream, https://review.openstack.org/#/c/126543
126+Bug-Ubuntu: https://bugs.launchpad.net/keystonemiddleware/+bug/1368545
127+
128+--- python-keystoneclient-0.7.1.orig/keystoneclient/middleware/auth_token.py
129++++ python-keystoneclient-0.7.1/keystoneclient/middleware/auth_token.py
130+@@ -212,7 +212,7 @@ opts = [
131+ help='Do not handle authorization requests within the'
132+ ' middleware, but delegate the authorization decision to'
133+ ' downstream WSGI components'),
134+- cfg.BoolOpt('http_connect_timeout',
135++ cfg.IntOpt('http_connect_timeout',
136+ default=None,
137+ help='Request timeout value for communicating with Identity'
138+ ' API server.'),
139
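Review bot: the embedded diff header names python-keystoneclient-0.7.1 while this package is 1.2.0, so the hunk at `@@ -212,7 +212,7 @@ opts = [` may only apply with an offset on the 1.2.0 tree; verify that `quilt push -a` is clean and, if the patch had to be re-based, DEP-3 asks for `Origin: backport, <url>` rather than `upstream`. Two smaller points: the free-form description and the Change-Id/Closes-bug lines are separated from `Description:` by blank lines and are not indented, so they are not DEP-3 continuation lines (indent them with a single space so that Origin and Bug-Ubuntu are still parsed as header fields), and the Bug-Ubuntu URL is on the keystonemiddleware project while the file changed is keystoneclient/middleware/auth_token.py, so confirm the bug also has a python-keystoneclient task for vivid.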
140=== added file 'debian/patches/series'
141--- debian/patches/series 1970-01-01 00:00:00 +0000
142+++ debian/patches/series 2015-08-07 15:08:21 +0000
143@@ -0,0 +1,2 @@
144+CVE-2015-1852.patch
145+fix-1368545.patch