diff --git a/debian/changelog b/debian/changelog
index 2c74e8b00..52b6b550f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,13 @@
-heat (1:7.0.0-2) UNRELEASED; urgency=medium
+heat (1:7.0.0-2) unstable; urgency=medium
 
+ [ Ondřej Nový ]
 * Bumped debhelper compat version to 10
 
- -- Ondřej Nový Wed, 23 Nov 2016 23:58:51 +0100
+ [ Thomas Goirand ]
+ * CVE-2016-9185: template source URL allows network port scan: applied
+ upstream patch (Closes: #843232).
+
+ -- Thomas Goirand Mon, 26 Dec 2016 17:36:59 +0100
 
 heat (1:7.0.0-1) unstable; urgency=medium
 
diff --git a/debian/patches/CVE-2016-9185_Prevent_template_validate_from_scanning_ports.patch b/debian/patches/CVE-2016-9185_Prevent_template_validate_from_scanning_ports.patch
new file mode 100644
index 000000000..201031a6f
--- /dev/null
+++ b/debian/patches/CVE-2016-9185_Prevent_template_validate_from_scanning_ports.patch
@@ -0,0 +1,48 @@
+Author: Daniel Gonzalez
+Date: Mon, 17 Oct 2016 08:22:42 +0000 (+0200)
+Description: CVE-2016-9185: Prevent template validate from scanning ports
+ Prevent template validate from scanning ports
+ .
+ The template validation method in the heat API allows to specify the
+ template to validate using a URL with the 'template_url,' parameter.
+ .
+ By entering invalid http URLs, like 'http://localhost:22' it is
+ possible to scan ports by evaluating the error message of the request.
+ .
+ For example, the request
+ .
+ curl -H "Content-Type: application/json" -H "X-Auth-Token: " \
+ -X POST -d '{"template_url": "http://localhost:22"}' \
+ http://127.0.0.1:8004/v1//validate
+ .
+ causes the following error message to be returned to the user:
+ .
+ "Could not retrieve template: Failed to retrieve template:
+ ('Connection aborted.',
+ BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
+ .
+ This could be misused by tenants to gain knowledge about the internal
+ network the heat API runs in.
+ .
+ To prevent this information leak, this patch alters the error message
+ to not include such details when the url scheme is not 'file'.
+ .
+ SecurityImpact
+ .
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fheat.git;a=commitdiff_plain;h=02dfb1a64f8a545a6dfed15245ac54c8ea835b81
+Bug-Ubuntu: https://bugs.launchpad.net/ossa/+bug/1606500
+Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
+Origin: uptream, https://review.openstack.org/393147
+Last-Update: 2016-10-06
+
+diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
+index 7efd968..8a7deae 100644
+--- a/heat/common/urlfetch.py
++++ b/heat/common/urlfetch.py
+@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')):
+ return result
+
+ except exceptions.RequestException as ex:
+- raise URLFetchError(_('Failed to retrieve template: %s') % ex)
++ LOG.info(_LI('Failed to retrieve template: %s') % ex)
++ raise URLFetchError(_('Failed to retrieve template from %s') % url)
diff --git a/debian/patches/series b/debian/patches/series
index 2986d079e..c2909fb64 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 only-run-tests-in-heat.tests.patch
 fix-requirements.txt.patch
+CVE-2016-9185_Prevent_template_validate_from_scanning_ports.patch
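Review bot: The rewritten `except exceptions.RequestException` branch in heat/common/urlfetch.py only removes the exception text from the reply; the request to the caller-supplied host and port is still made, so whether a fetch fails at all, and possibly how quickly, may still tell a tenant something about internal services. Treat this as closing the error-message leak only: restricting which destinations get() will contact (its body starts outside this hunk, so any existing checks are not visible here) or filtering egress from the API host would cover the rest. The new log call formats eagerly and records text supplied by the remote end; `LOG.info(_LI('Failed to retrieve template: %s'), ex)` defers formatting to the logger, and whoever consumes that log should treat the field as untrusted. The added lines also assume `LOG` and `_LI` are already in scope in this file, which should be confirmed against the 7.0.0 sources the patch is applied to, since a missing name would only surface on this error path.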