Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Dear release team, CVE-2019-9735 was discovered against Neutron. I've applied the upstream patch and rebuilt the package. The debdiff is attached; it also includes a quick fix for compatibility with SQLAlchemy 1.3.1, which Piotr would like to upload and see migrate to Buster. Please unblock neutron/13.0.2-13 ASAP to fix this CVE bug. Cheers, Thomas Goirand (zigo)
diff -Nru neutron-13.0.2/debian/changelog neutron-13.0.2/debian/changelog
--- neutron-13.0.2/debian/changelog 2019-02-01 09:35:46.000000000 +0100
+++ neutron-13.0.2/debian/changelog 2019-03-14 00:13:45.000000000 +0100
@@ -1,3 +1,19 @@
+neutron (2:13.0.2-13) unstable; urgency=high
+
+ * CVE-2019-9735: it's possible to add a security group rule for VRRP with a
+ dport. Apply upstream patch: When converting sg rules to iptables, do not
+ emit dport if not supported. (Closes: #924508).
+
+ -- Thomas Goirand <z...@debian.org> Thu, 14 Mar 2019 00:13:45 +0100
+
+neutron (2:13.0.2-12) unstable; urgency=medium
+
+ * Fix rootwrap patch to work against Python 3.7.
+ * Add Join_on_explcit_relationship_paths.patch, which adds compatibility
+ with SQLAlchemy >= 1.3.x (previously, adding a floating IP would fail).
+
+ -- Thomas Goirand <z...@debian.org> Wed, 13 Mar 2019 13:49:34 +0100
+
 neutron (2:13.0.2-10) unstable; urgency=medium

 * Fix reading [nova]/auth_url in config script.
diff -Nru neutron-13.0.2/debian/patches/CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch neutron-13.0.2/debian/patches/CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch
--- neutron-13.0.2/debian/patches/CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch 1970-01-01 01:00:00.000000000 +0100
+++ neutron-13.0.2/debian/patches/CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch 2019-03-14 00:13:45.000000000 +0100
@@ -0,0 +1,81 @@
+Description: CVE-2019-9735: When converting sg rules to iptables, do not emit dport if not supported
+ Since iptables-restore doesn't support --dport with protocol vrrp,
+ it errors out setting the security groups on the hypervisor.
+ .
+ Marking this a partial fix, since we need a change to prevent
+ adding those incompatible rules in the first place, but this
+ patch will stop the bleeding.
+From: Doug Wiegley <dwieg...@salesforce.com>
+Date: Sat, 2 Mar 2019 22:35:52 -0700
+Change-Id: If5e557a8e61c3aa364ba1e2c60be4cbe74c1ec8f
+Bug-Debian: https://bugs.debian.org/924508
+Bug-Ubuntu: https://bugs.launchpad.net/neutron/+bug/1818385
+Origin: upstream, https://review.openstack.org/#/c/640685/
+Last-Update: 2019-03-15
+
+diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
+index 496376d..5fb9740 100644
+--- a/neutron/agent/linux/iptables_firewall.py
++++ b/neutron/agent/linux/iptables_firewall.py
+@@ -46,6 +46,15 @@ IPSET_DIRECTION = {constants.INGRESS_DIRECTION: 'src',
+ comment_rule = iptables_manager.comment_rule
+ libc = ctypes.CDLL(util.find_library('libc.so.6'))
+
++# iptables protocols that support --dport and --sport
++IPTABLES_PORT_PROTOCOLS = [
++ constants.PROTO_NAME_DCCP,
++ constants.PROTO_NAME_SCTP,
++ constants.PROTO_NAME_TCP,
++ constants.PROTO_NAME_UDP,
++ constants.PROTO_NAME_UDPLITE
++]
++
+
+ def get_hybrid_port_name(port_name):
+ return (constants.TAP_DEVICE_PREFIX + port_name)[:n_const.LINUX_DEV_LEN]
+@@ -731,11 +740,12 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
+ # icmp code can be 0 so we cannot use "if port_range_max" here
+ if port_range_max is not None:
+ args[-1] += '/%s' % port_range_max
+- elif port_range_min == port_range_max:
+- args += ['--%s' % direction, '%s' % (port_range_min,)]
+- else:
+- args += ['-m', 'multiport', '--%ss' % direction,
+- '%s:%s' % (port_range_min, port_range_max)]
++ elif protocol in IPTABLES_PORT_PROTOCOLS:
++ if port_range_min == port_range_max:
++ args += ['--%s' % direction, '%s' % (port_range_min,)]
++ else:
++ args += ['-m', 'multiport', '--%ss' % direction,
++ '%s:%s' % (port_range_min, port_range_max)]
+ return args
+
+ def _ip_prefix_arg(self, direction, ip_prefix):
+diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+index d7268bc..7ab8a0a 100644
+--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
++++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+@@ -276,6 +276,20 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
+ egress = None
+ self._test_prepare_port_filter(rule, ingress, egress)
+
++ def test_filter_bad_vrrp_with_dport(self):
++ rule = {'ethertype': 'IPv4',
++ 'direction': 'ingress',
++ 'protocol': 'vrrp',
++ 'port_range_min': 10,
++ 'port_range_max': 10}
++ # Dest port isn't support with VRRP, so don't send it
++ # down to iptables.
++ ingress = mock.call.add_rule('ifake_dev',
++ '-p vrrp -j RETURN',
++ top=False, comment=None)
++ egress = None
++ self._test_prepare_port_filter(rule, ingress, egress)
++
+ def test_filter_ipv4_ingress_tcp_port_by_num(self):
+ rule = {'ethertype': 'IPv4',
+ 'direction': 'ingress',
+--
+cgit v1.1
+
diff -Nru neutron-13.0.2/debian/patches/Join_on_explcit_relationship_paths.patch neutron-13.0.2/debian/patches/Join_on_explcit_relationship_paths.patch
--- neutron-13.0.2/debian/patches/Join_on_explcit_relationship_paths.patch 1970-01-01 01:00:00.000000000 +0100
+++ neutron-13.0.2/debian/patches/Join_on_explcit_relationship_paths.patch 2019-03-14 00:13:45.000000000 +0100
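Review bot: The new `elif protocol in IPTABLES_PORT_PROTOCOLS:` branch silently discards the port range for every protocol outside that list rather than rejecting the rule, so a security group rule stored with a port for vrrp is installed as plain `-p vrrp -j RETURN` and nothing records that the port constraint was dropped. The patch header itself calls this a partial fix: the change that stops such rules being created at the API is not in this debdiff, so the unblock should be understood as only stopping the iptables-restore failure that left the hypervisor's security groups unapplied. Because membership is tested by protocol name, if `protocol` can reach this method as a numeric string (for example `'6'` for tcp) instead of `constants.PROTO_NAME_TCP`, the port arguments would be dropped for tcp/udp rules too — worth confirming against the caller, which is outside the hunk. A comment on the new branch such as `# Protocols without iptables port support: the stored port range is ignored here; the API is expected to reject such rules` would make the silent drop explicit to the next reader. The enclosing method starts and ends outside the hunk.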
@@ -0,0 +1,25 @@
+From: Mike Bayer <mike...@zzzcomputing.com>
+Subject: Join on explcit relationship paths
+ The join() in get_router_for_floatingip() is joining from entity
+ to entity without an explicit ON clause which creates an ambiguous
+ situation. SQLAlchemy 1.3 guards against this now, so use the
+ real relationship-bound path so that the ORM does not need to guess.
+Date: Fri, 8 Mar 2019 14:09:14 -0500
+Closes-bug: #1819260
+Change-Id: Ia377a9d1a32a78abdaee74c79e395acd77e486ef
+Origin: upstream, https://review.openstack.org/#/c/642117/
+Last-Update: 2019-03-13
+
+Index: neutron/neutron/db/l3_db.py
+===================================================================
+--- neutron.orig/neutron/db/l3_db.py
++++ neutron/neutron/db/l3_db.py
+@@ -1137,7 +1137,7 @@ class L3_NAT_dbonly_mixin(l3.RouterPlugi
+ # TODO(lujinluo): Need IPAllocation and Port object
+ routerport_qry = context.session.query(
+ RouterPort.router_id, models_v2.IPAllocation.ip_address).join(
+- models_v2.Port, models_v2.IPAllocation).filter(
++ RouterPort.port, models_v2.Port.fixed_ips).filter(
+ models_v2.Port.network_id == internal_port['network_id'],
+ RouterPort.port_type.in_(constants.ROUTER_INTERFACE_OWNERS),
+ models_v2.IPAllocation.subnet_id == internal_subnet['id']
diff -Nru neutron-13.0.2/debian/patches/rootwrap-fix-for-neutron-fwaas.patch neutron-13.0.2/debian/patches/rootwrap-fix-for-neutron-fwaas.patch
--- neutron-13.0.2/debian/patches/rootwrap-fix-for-neutron-fwaas.patch 2019-02-01 09:35:46.000000000 +0100
+++ neutron-13.0.2/debian/patches/rootwrap-fix-for-neutron-fwaas.patch 2019-03-14 00:13:45.000000000 +0100
@@ -11,4 +11,4 @@
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
+
+# Added by Debian package maintainer, needed for neutron-fwaas
-+kill_keepalived_state_change: KillFilter, root, python3.6, -15, -9, -HUP
++kill_keepalived_state_change: KillFilter, root, python3.7, -15, -9, -HUP
diff -Nru neutron-13.0.2/debian/patches/series neutron-13.0.2/debian/patches/series
--- neutron-13.0.2/debian/patches/series 2019-02-01 09:35:46.000000000 +0100
+++ neutron-13.0.2/debian/patches/series 2019-03-14 00:13:45.000000000 +0100
@@ -1,3 +1,5 @@
flake8-legacy.patch
#remove-test_start_random_port_with_ipv6.patch
rootwrap-fix-for-neutron-fwaas.patch
+Join_on_explcit_relationship_paths.patch
+CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch
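Review bot: The replacement line `kill_keepalived_state_change: KillFilter, root, python3.7, -15, -9, -HUP` is broader than its name suggests: as far as I recall, a rootwrap KillFilter matches on the signalled process's executable, so this lets the agent send SIGTERM, SIGKILL and SIGHUP as root to any process running under the python3.7 interpreter, not only neutron-keepalived-state-change. Pinning the interpreter name also means the filter silently stops matching at the next Python transition, which is exactly the 3.6 → 3.7 breakage this hunk repairs. A comment above the line, e.g. `# KillFilter matches the target's executable; the state-change helper runs under the python3 interpreter, so this must track the default python3 version`, would tell the next maintainer why the interpreter rather than the script is named. Whether a narrower match is possible depends on how the helper is launched, which the hunk does not show.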