# HG changeset patch
# User Drew Fisher
# Date 1490286969 0
# Node ID aa4e61b4b594b4c673a82d68e2e343d9b0586661
# Parent 144cb9bf676b19dcccebe305351c227035595036
25772305 problem in SERVICE/NOVA
diff -r 144cb9bf676b -r aa4e61b4b594 components/openstack/nova/patches/12-cve-2017-7214.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/nova/patches/12-cve-2017-7214.patch Thu Mar 23 16:36:09 2017 +0000
@@ -0,0 +1,39 @@
+Upstream patch to address CVE-2017-7214. We assume 'circural' below
+is a typo for 'circular' but we took the comment verbatim from
+upstream. This patch is modified slightly to work with OpenStack Kilo
+which is EOL'd upstream.
+
+From 305cdb38db47258909ef83d5918c7c85ef9d7a5b Mon Sep 17 00:00:00 2001
+From: Balazs Gibizer
+Date: Fri, 17 Mar 2017 11:24:49 +0100
+Subject: [PATCH] do not include context to exception notification
+
+The wrap_exception decorator optionally emited a notification.
+Based on the code comments the original intention was not to include the
+context to that notification due to security reasons. However the
+implementation did included the context to the payload of the legacy
+notification.
+
+Recently we saw circural reference errors during the payload serialization
+of this notification. Based on the logs the only complex data structure
+that could cause circural reference is the context. So this patch
+removes the context from the legacy exception notification.
+
+The versioned exception notification is not affected as it does not
+contain the args of the decorated function.
+
+Closes-Bug: #1673375
+
+--- nova-2015.1.2/nova/exception.py.orig 2017-03-23 16:30:19.897009405 +0000
++++ nova-2015.1.2/nova/exception.py 2017-03-23 16:33:57.530985808 +0000
+@@ -75,6 +75,10 @@ def wrap_exception(notifier=None, get_no
+ payload = dict(exception=e)
+ call_dict = safe_utils.getcallargs(f, context,
+ *args, **kw)
++ # NOTE(gibi) remove context as well as it contains
++ # sensitive information and it can also contain
++ # circular references
++ call_dict.pop('context', None)
+ cleansed = _cleanse_dict(call_dict)
+ payload.update({'args': cleansed})
+
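Review bot: The added `call_dict.pop('context', None)` in the embedded `nova/exception.py` hunk removes the request context only when the decorated function's parameter is literally named `context`. `safe_utils.getcallargs(f, context, *args, **kw)` presumably keys values by the callee's own argument names, so a wrapped method that names the parameter differently (for example `ctxt`) would still send the context object into the legacy notification payload. Dropping it by identity closes that gap, e.g. `call_dict = dict((k, v) for k, v in call_dict.items() if v is not context)`. A unit test could assert that the emitted payload's `args` never contains the context object. `wrap_exception` starts and ends outside the hunk and `_cleanse_dict` is not visible here, so confirm whether it would already mask any remaining credentials before relying on the name-based pop alone.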