PSARC/2014/207 OpenStack Glance Update to Havana
PSARC/2014/208 OpenStack Cinder Update to Havana
PSARC/2014/209 OpenStack Keystone Update to Havana
PSARC/2014/210 OpenStack Nova Update to Havana
18416146 Neutron agents (L3 and DHCP) should cleanup resources when they are disabled
18562372 Failed to create a new project under Horizon
18645763 ZFSSA Cinder Driver support
18686327 evs agent silently ignores user-specified pool allocation ranges
18702697 fibre channel volumes should be supported in the cinder volume driver
18734289 nova won't terminate failed kz deployments
18738371 cinder-volume:setup should account for commented-out zfs_volume_base
18738374 cinder-volume:setup should check for existence of configuration file
18826190 nova-compute fails due to nova.utils.to_bytes
18855698 Update OpenStack to Havana 2013.2.3
18855710 Update python-cinderclient to 1.0.9
18855743 Update python-keystoneclient to 0.8.0
18855754 Update python-neutronclient to 2.3.4
18855764 Update python-novaclient to 2.17.0
18855793 Update python-swiftclient to 2.1.0
18856992 External networks can be deleted even when floating IP addresses are in use
18857784 bake in some more openstack configuration
18884923 Incorrect locale facets in python modules for openstack
18913890 the error in _get_view_and_lun may cause the failure of deleting volumes
18943044 Disable 'Security Groups' tab in Horizon dashboard
This proposed upstream patch addresses CVE-2014-0006, a timing attack against
tempURL signature checking, and is tracked under Launchpad bug 1265665.
Although the issue has been addressed in 1.12.0, the fix has not yet been
released for the 1.10.0 (Havana) line, which is why the patch below is applied
here.
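To make concrete what the patch below changes, here is a stand-alone added example of tempURL-style signature validation written for this page; it is not Swift's tempurl middleware or any of its code. The function names, the sample keys and the sample path are constructed assumptions; the signing string format ("<method>\n<expires>\n<path>" under HMAC-SHA1) is the one Swift documents for tempURL.

```python
"""tempURL-style signature validation, timing-unsafe and constant-time.

Added example for this page; it is not Swift's tempurl middleware.  The
function names, the sample keys and the sample path are constructed for
illustration.
"""
import hmac
from hashlib import sha1

# Constructed sample data: two account keys (Swift allows Temp-URL-Key and
# Temp-URL-Key-2) and an object path.
SAMPLE_KEYS = ['constructed-key-one', 'constructed-key-two']
SAMPLE_PATH = '/v1/AUTH_test/container/object'


def sign_temp_url(key, method, expires, path):
    """HMAC-SHA1 over "<method>\\n<expires>\\n<path>", hex-encoded (40 chars).

    This is the tempURL signing string as documented by Swift.
    """
    msg = '%s\n%s\n%s' % (method, expires, path)
    return hmac.new(key.encode(), msg.encode(), sha1).hexdigest()


def const_time_eq(a, b):
    """Compare two strings in time independent of where they first differ.

    The length check returns early, but that leaks only the length, which for
    a hex SHA-1 digest is a public constant.  Every remaining byte is always
    examined; hmac.compare_digest gives the same result.
    """
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a.encode(), b.encode()):
        acc |= x ^ y
    return acc == 0


def candidate_hmacs(method, expires, path, keys):
    """All signatures that would authorise this request.

    A HEAD is allowed with either a GET or a PUT signature, so both lists are
    concatenated, for every configured key, before any comparison is made.
    """
    methods = ('GET', 'PUT') if method == 'HEAD' else (method,)
    return [sign_temp_url(k, m, expires, path) for k in keys for m in methods]


def validate_vulnerable(method, path, expires, sig, keys, now):
    """Pre-patch shape of the check.

    `sig in hmac_vals` compares with ==, which stops at the first differing
    byte, so the response time grows with the length of the correct prefix
    the attacker has guessed so far.
    """
    if not keys or expires < now:
        return False
    return sig in candidate_hmacs(method, expires, path, keys)


def validate_temp_url(method, path, expires, sig, keys, now):
    """Patched shape of the check.

    any() short-circuits only when a candidate matches, i.e. on success, so
    nothing about a wrong guess is revealed by how early it returns.
    """
    if not keys or expires < now:
        return False
    return any(const_time_eq(sig, h)
               for h in candidate_hmacs(method, expires, path, keys))


if __name__ == '__main__':
    expires = 1400000000
    sig = sign_temp_url(SAMPLE_KEYS[1], 'PUT', expires, SAMPLE_PATH)
    for m in ('PUT', 'HEAD', 'GET'):
        ok = validate_temp_url(m, SAMPLE_PATH, expires, sig, SAMPLE_KEYS,
                               expires - 1)
        print('%-4s with a PUT signature: %s'
              % (m, 'accepted' if ok else 'rejected'))
```

The two validators return the same booleans for every input; the difference is only in how long a rejection takes, which is the whole point of the fix. Note that the number of candidates compared depends on the configured keys and the request method, not on the submitted signature, so the attacker cannot influence it.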
commit b2c61375b3255486adb2900922a894dc7dad3c6d
Author: Samuel Merritt <[email protected]>
Date: Thu Jan 16 13:44:23 2014 +0100
Use constant time comparison in tempURL
Use constant time comparison when evaluating tempURL to avoid timing
attacks (CVE-2014-0006). This is the havana backport of the master
patch.
Fixes bug 1265665
Change-Id: I11e4ad83cc4077e52adf54a0bd0f9749294b2a48
diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py
index ffc1431..ae2f4a1 100644
--- a/swift/common/middleware/tempurl.py
+++ b/swift/common/middleware/tempurl.py
@@ -98,7 +98,7 @@ from urlparse import parse_qs
from swift.proxy.controllers.base import get_account_info
from swift.common.swob import HeaderKeyDict
-from swift.common.utils import split_path
+from swift.common.utils import split_path, streq_const_time
#: Default headers to remove from incoming requests. Simply a whitespace
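Review bot: the new import assumes `streq_const_time` already exists in `swift/common/utils.py` on the 1.10.0 tree this is applied to; the patch adds no definition of it, so on a tree that lacks the helper the proxy will fail at import time when it loads the tempurl middleware. Confirm the helper is present on the target branch before applying, or carry its definition in this patch as well.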
@@ -267,17 +267,20 @@ class TempURL(object):
if not keys:
return self._invalid(env, start_response)
if env['REQUEST_METHOD'] == 'HEAD':
- hmac_vals = self._get_hmacs(env, temp_url_expires, keys,
- request_method='GET')
- if temp_url_sig not in hmac_vals:
- hmac_vals = self._get_hmacs(env, temp_url_expires, keys,
- request_method='PUT')
- if temp_url_sig not in hmac_vals:
- return self._invalid(env, start_response)
+ hmac_vals = (self._get_hmacs(env, temp_url_expires, keys,
+ request_method='GET') +
+ self._get_hmacs(env, temp_url_expires, keys,
+ request_method='PUT'))
else:
hmac_vals = self._get_hmacs(env, temp_url_expires, keys)
- if temp_url_sig not in hmac_vals:
- return self._invalid(env, start_response)
+
+ # While it's true that any() will short-circuit, this doesn't affect
+ # the timing-attack resistance since the only way this will
+ # short-circuit is when a valid signature is passed in.
+ is_valid_hmac = any(streq_const_time(temp_url_sig, h)
+ for h in hmac_vals)
+ if not is_valid_hmac:
+ return self._invalid(env, start_response)
self._clean_incoming_headers(env)
env['swift.authorize'] = lambda req: None
env['swift.authorize_override'] = True
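Review bot: the HEAD branch collapses the old two-step fallback (try the GET hmacs, then retry with `request_method='PUT'`) into a single concatenated list, so a HEAD authorised by a PUT signature now depends entirely on that `+` between the two `_get_hmacs` calls being kept; please add a test for HEAD-with-PUT-signature next to the timing fix so a later rebase cannot silently drop it. The comment above `any()` is right that short-circuiting only happens on a match, but the constant-time property still rests on `streq_const_time` itself; a rejection now costs one full comparison per entry in `hmac_vals`, which is acceptable because that count is fixed by the configured keys and the request method rather than by anything the client submits.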