--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/nova/patches/12-cve-2017-7214.patch Thu Mar 23 16:36:09 2017 +0000
@@ -0,0 +1,39 @@
+Upstream patch to address CVE-2017-7214. We assume 'circural' below
+is a typo for 'circular' but we took the comment verbatim from
+upstream. This patch is modified slightly to work with OpenStack Kilo
+which is EOL'd upstream.
+
+From 305cdb38db47258909ef83d5918c7c85ef9d7a5b Mon Sep 17 00:00:00 2001
+From: Balazs Gibizer <[email protected]>
+Date: Fri, 17 Mar 2017 11:24:49 +0100
+Subject: [PATCH] do not include context to exception notification
+
+The wrap_exception decorator optionally emited a notification.
+Based on the code comments the original intention was not to include the
+context to that notification due to security reasons. However the
+implementation did included the context to the payload of the legacy
+notification.
+
+Recently we saw circural reference errors during the payload serialization
+of this notification. Based on the logs the only complex data structure
+that could cause circural reference is the context. So this patch
+removes the context from the legacy exception notification.
+
+The versioned exception notification is not affected as it does not
+contain the args of the decorated function.
+
+Closes-Bug: #1673375
+
+--- nova-2015.1.2/nova/exception.py.orig 2017-03-23 16:30:19.897009405 +0000
++++ nova-2015.1.2/nova/exception.py 2017-03-23 16:33:57.530985808 +0000
+@@ -75,6 +75,10 @@ def wrap_exception(notifier=None, get_no
+ payload = dict(exception=e)
+ call_dict = safe_utils.getcallargs(f, context,
+ *args, **kw)
++ # NOTE(gibi) remove context as well as it contains
++ # sensitive information and it can also contain
++ # circular references
++ call_dict.pop('context', None)
+ cleansed = _cleanse_dict(call_dict)
+ payload.update({'args': cleansed})
+
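Review bot: in the embedded nova/exception.py hunk, `call_dict.pop('context', None)` removes the context only when it sits in call_dict under the literal key 'context'. If safe_utils.getcallargs keys the dictionary by the decorated function's own parameter names, a wrapped function that names that parameter differently would still have the context object passed to _cleanse_dict and placed in payload['args']. Consider also dropping any entry whose value is the `context` object itself, and adding a regression test that asserts the emitted payload's 'args' carries no context. Separately, the header says the patch was "modified slightly" for Kilo without saying what differs from upstream commit 305cdb38db47258909ef83d5918c7c85ef9d7a5b; a one-line description of that change would make the backport easier to audit.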