This patch addresses CVE-2014-7821 and is tracked under Launchpad bug
1378450. It is addressed in the stable/Juno and stable/Icehouse. There
is no patch for Havana since it is EOL'ed by upstream. Therefore, this
patch is derived from the patch for stable/Icehouse
commit ab7ea069de5cecf1c26af50996a26e1a7f86def4
Author: John Perkins <email address hidden>
Date: Mon Oct 6 16:24:57 2014 -0500
Fix hostname regex pattern
Current hostname_pattern regex complexity grows exponentially
when given a string of just digits, which can be exploited to
cause neutron-server to freeze.
Change-Id: I886c6d883a9cb0acd9908495eec50bf0411d8ba8
Closes-bug: #1378450
*** neutron-2013.2.3/neutron/api/v2/attributes.py 2014-04-03 11:49:01.000000000 -0700
--- NEW/neutron/api/v2/attributes.py 2014-11-19 22:04:06.880132434 -0800
***************
*** 494,501 ****
return [data]
! HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]"
! "{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)")
HEX_ELEM = '[0-9A-Fa-f]'
UUID_PATTERN = '-'.join([HEX_ELEM + '{8}', HEX_ELEM + '{4}',
--- 494,501 ----
return [data]
! HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+.|-)[a-zA-Z0-9_\-]{1,62}"
! "[a-zA-Z0-9]\.?)+(?:[a-zA-Z]{2,})$)")
HEX_ELEM = '[0-9A-Fa-f]'
UUID_PATTERN = '-'.join([HEX_ELEM + '{8}', HEX_ELEM + '{4}',
*** neutron-2013.2.3/neutron/tests/unit/test_attributes.py 2014-04-03 11:49:01.000000000 -0700
--- NEW/neutron/tests/unit/test_attributes.py 2014-11-19 22:15:26.539566055 -0800
***************
*** 246,251 ****
--- 246,252 ----
['www.hostname.com', 'www.hostname.com'],
['77.hostname.com'],
['1000.0.0.1'],
+ ['111111111111111111111111111111111111111111111111111111111111'], # noqa
None]
for ns in ns_pools: