--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/nova/patches/06-CVE-2013-6419.patch	Mon Mar 31 16:44:02 2014 -0700
@@ -0,0 +1,133 @@
+Upstream patch fixed in Grizzly 2013.1.5, Havana 2013.2.1, Icehouse
+
+commit 07006be9165d1008ca0382b6f0ad25b13a676a55
+Author: Aaron Rosen <[email protected]>
+Date:   Mon Oct 7 13:33:31 2013 -0700
+
+    Prevent spoofing instance_id from neutron to nova
+    
+    Previously, one could update a port's device_id in neutron to be
+    that of another tenant's instance_id and then be able to retrieve
+    that instance's metadata. This patch prevents this from occurring by
+    checking that X-Tenant-ID received from the metadata request matches
+    the tenant_id in the nova database.
+    
+    DocImpact - This patch is dependent on another patch in neutron
+                which adds X-Tenant-ID to the request. Therefore to
+                minimize downtime one should upgrade Neutron first (then
+                restart neutron-metadata-agent) and lastly update nova.
+    
+    Change-Id: I93bf662797c3986324ca2099b403833c2e990fb4
+    Closes-Bug: #1235450
+
+diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
+index bbaeba5..2b7f659 100644
+--- a/nova/api/metadata/handler.py
++++ b/nova/api/metadata/handler.py
+@@ -144,6 +144,7 @@ class MetadataRequestHandler(wsgi.Application):
+ 
+     def _handle_instance_id_request(self, req):
+         instance_id = req.headers.get('X-Instance-ID')
++        tenant_id = req.headers.get('X-Tenant-ID')
+         signature = req.headers.get('X-Instance-ID-Signature')
+         remote_address = req.headers.get('X-Forwarded-For')
+ 
+@@ -151,8 +152,12 @@ class MetadataRequestHandler(wsgi.Application):
+ 
+         if instance_id is None:
+             msg = _('X-Instance-ID header is missing from request.')
++        elif tenant_id is None:
++            msg = _('X-Tenant-ID header is missing from request.')
+         elif not isinstance(instance_id, basestring):
+             msg = _('Multiple X-Instance-ID headers found within request.')
++        elif not isinstance(tenant_id, basestring):
++            msg = _('Multiple X-Tenant-ID headers found within request.')
+         else:
+             msg = None
+ 
+@@ -188,4 +193,12 @@ class MetadataRequestHandler(wsgi.Application):
+             LOG.error(_('Failed to get metadata for instance id: %s'),
+                       instance_id)
+ 
++        if meta_data.instance['project_id'] != tenant_id:
++            LOG.warning(_("Tenant_id %(tenant_id)s does not match tenant_id "
++                          "of instance %(instance_id)s."),
++                        {'tenant_id': tenant_id,
++                         'instance_id': instance_id})
++            # causes a 404 to be raised
++            meta_data = None
++
+         return meta_data
+diff --git a/nova/tests/test_metadata.py b/nova/tests/test_metadata.py
+index 01f274f..51b6f72 100644
+--- a/nova/tests/test_metadata.py
++++ b/nova/tests/test_metadata.py
+@@ -510,6 +510,7 @@ class MetadataHandlerTestCase(test.TestCase):
+             relpath="/2009-04-04/user-data",
+             address="192.192.192.2",
+             headers={'X-Instance-ID': 'a-b-c-d',
++                     'X-Tenant-ID': 'test',
+                      'X-Instance-ID-Signature': signed})
+         self.assertEqual(response.status_int, 200)
+ 
+@@ -522,6 +523,7 @@ class MetadataHandlerTestCase(test.TestCase):
+             fake_get_metadata_by_instance_id=fake_get_metadata,
+             headers={'X-Forwarded-For': '192.192.192.2',
+                      'X-Instance-ID': 'a-b-c-d',
++                     'X-Tenant-ID': 'test',
+                      'X-Instance-ID-Signature': signed})
+ 
+         self.assertEqual(response.status_int, 200)
+@@ -536,10 +538,36 @@ class MetadataHandlerTestCase(test.TestCase):
+             fake_get_metadata_by_instance_id=fake_get_metadata,
+             headers={'X-Forwarded-For': '192.192.192.2',
+                      'X-Instance-ID': 'a-b-c-d',
++                     'X-Tenant-ID': 'test',
+                      'X-Instance-ID-Signature': ''})
+ 
+         self.assertEqual(response.status_int, 403)
+ 
++        # missing X-Tenant-ID from request
++        response = fake_request(
++            self.stubs, self.mdinst,
++            relpath="/2009-04-04/user-data",
++            address="192.192.192.2",
++            fake_get_metadata_by_instance_id=fake_get_metadata,
++            headers={'X-Forwarded-For': '192.192.192.2',
++                     'X-Instance-ID': 'a-b-c-d',
++                     'X-Instance-ID-Signature': signed})
++
++        self.assertEqual(response.status_int, 400)
++
++        # mismatched X-Tenant-ID
++        response = fake_request(
++            self.stubs, self.mdinst,
++            relpath="/2009-04-04/user-data",
++            address="192.192.192.2",
++            fake_get_metadata_by_instance_id=fake_get_metadata,
++            headers={'X-Forwarded-For': '192.192.192.2',
++                     'X-Instance-ID': 'a-b-c-d',
++                     'X-Tenant-ID': 'FAKE',
++                     'X-Instance-ID-Signature': signed})
++
++        self.assertEqual(response.status_int, 404)
++
+         # without X-Forwarded-For
+         response = fake_request(
+             self.stubs, self.mdinst,
+@@ -547,6 +575,7 @@ class MetadataHandlerTestCase(test.TestCase):
+             address="192.192.192.2",
+             fake_get_metadata_by_instance_id=fake_get_metadata,
+             headers={'X-Instance-ID': 'a-b-c-d',
++                     'X-Tenant-ID': 'test',
+                      'X-Instance-ID-Signature': signed})
+ 
+         self.assertEqual(response.status_int, 500)
+@@ -564,6 +593,7 @@ class MetadataHandlerTestCase(test.TestCase):
+             fake_get_metadata_by_instance_id=fake_get_metadata,
+             headers={'X-Forwarded-For': '192.192.192.2',
+                      'X-Instance-ID': 'z-z-z-z',
++                     'X-Tenant-ID': 'test',
+                      'X-Instance-ID-Signature': signed})
+         self.assertEqual(response.status_int, 500)
+