[pkg-eucalyptus-commits] r278 - in eucalyptus/trunk/debian: . patches
Brian Thomason
iamfuzz-guest at alioth.debian.org
Fri Oct 5 17:34:38 UTC 2012
Author: iamfuzz-guest
Date: 2012-10-05 17:34:38 +0000 (Fri, 05 Oct 2012)
New Revision: 278
Added:
eucalyptus/trunk/debian/patches/EUCA-1521
eucalyptus/trunk/debian/patches/EUCA-2019
Modified:
eucalyptus/trunk/debian/changelog
eucalyptus/trunk/debian/patches/series
Log:
Added patches to fix CVE-2012-4063, CVE-2012-4064, and CVE-2012-4065
Modified: eucalyptus/trunk/debian/changelog
===================================================================
--- eucalyptus/trunk/debian/changelog 2012-10-05 17:25:37 UTC (rev 277)
+++ eucalyptus/trunk/debian/changelog 2012-10-05 17:34:38 UTC (rev 278)
@@ -1,3 +1,12 @@
+eucalyptus (3.1.0-9) unstable; urgency=low
+
+ * Added following patches (Closes: #689599):
+ - d/patches/EUCA-1521
+ - d/patches/EUCA-2019
+ * Loosened some Conflicts/Breaks that were too tight
+
+ -- Brian Thomason <brian.thomason at eucalyptus.com> Fri, 05 Oct 2012 13:31:56 -0400
+
eucalyptus (3.1.0-8) unstable; urgency=low
* Really fixed lintian error this time
Added: eucalyptus/trunk/debian/patches/EUCA-1521
===================================================================
--- eucalyptus/trunk/debian/patches/EUCA-1521 (rev 0)
+++ eucalyptus/trunk/debian/patches/EUCA-1521 2012-10-05 17:34:38 UTC (rev 278)
@@ -0,0 +1,508 @@
+Description: Fixes CVE-2012-4063
+Author: Steve Jones <steve.jones at eucalyptus.com>
+
+fda3e1d69b2a36197f8cff88ee542da72bdea104
+diff --git a/clc/modules/msgs/src/main/java/com/eucalyptus/crypto/util/WSSecurity.java b/clc/modules/msgs/src/main/java/com/eucalyptus/crypto/util/WSSecurity.java
+index 7aa6e9f..f4a914f 100644
+--- a/clc/modules/msgs/src/main/java/com/eucalyptus/crypto/util/WSSecurity.java
++++ b/clc/modules/msgs/src/main/java/com/eucalyptus/crypto/util/WSSecurity.java
+@@ -88,6 +88,8 @@ import org.apache.ws.security.message.token.Timestamp;
+ import org.apache.ws.security.message.token.X509Security;
+ import org.apache.ws.security.processor.TimestampProcessor;
+ import org.apache.ws.security.util.WSSecurityUtil;
++import org.apache.xml.security.c14n.Canonicalizer;
++import org.apache.xml.security.c14n.InvalidCanonicalizerException;
+ import org.apache.xml.security.exceptions.XMLSecurityException;
+ import org.apache.xml.security.keys.KeyInfo;
+ import org.apache.xml.security.signature.SignedInfo;
+@@ -110,14 +112,24 @@ import com.eucalyptus.ws.WebServicesException;
+ public class WSSecurity {
+ private static Logger LOG = Logger.getLogger( WSSecurity.class );
+ private static CertificateFactory factory;
+-
++ private static final String SYSTEM_PROPERTY_SKIP_SECURITY_CHECK = "com.eucalyptus.crypto.util.skipWsSecurityConfigurationChecks";
++
+ static {
++ System.setProperty( "org.apache.xml.security.resource.config", "/xml-security-config.xml" );
+ org.apache.xml.security.Init.init( );
++ if ( !acceptXmlSecurityConfiguration() ) {
++ LOG.fatal("XML Security configuration not applied, set system property "+SYSTEM_PROPERTY_SKIP_SECURITY_CHECK+"=true to skip check");
++ throw new RuntimeException("XML Security Configuration not applied");
++ }
+ WSSConfig.getDefaultWSConfig( ).addJceProvider( "BC", BouncyCastleProvider.class.getCanonicalName( ) );
+ WSSConfig.getDefaultWSConfig( ).setTimeStampStrict( true );
+ WSSConfig.getDefaultWSConfig( ).setEnableSignatureConfirmation( true );
+ }
+-
++
++ public static void init() {
++ // currently the static initializer does the work
++ }
++
+ public static CertificateFactory getCertificateFactory( ) {
+ if ( factory == null ) {
+ try {
+@@ -389,5 +401,19 @@ public class WSSecurity {
+ if ( sig.getKeyInfo( ) == null ) throw new WSSecurityException( WSSecurityException.SECURITY_TOKEN_UNAVAILABLE );
+ return sig;
+ }
+-
++
++ private static boolean acceptXmlSecurityConfiguration() {
++ return
++ Boolean.parseBoolean(System.getProperty(SYSTEM_PROPERTY_SKIP_SECURITY_CHECK)) ||
++ isValidXmlSecurityConfiguration();
++ }
++
++ private static boolean isValidXmlSecurityConfiguration() {
++ try {
++ Canonicalizer.getInstance( "http://www.w3.org/2006/12/xml-c14n11" );
++ return false;
++ } catch (InvalidCanonicalizerException e) {
++ return true;
++ }
++ }
+ }
+diff --git a/clc/modules/msgs/src/main/java/com/eucalyptus/ws/handlers/WsSecHandler.java b/clc/modules/msgs/src/main/java/com/eucalyptus/ws/handlers/WsSecHandler.java
+index c406f7f..42b4fa9 100644
+--- a/clc/modules/msgs/src/main/java/com/eucalyptus/ws/handlers/WsSecHandler.java
++++ b/clc/modules/msgs/src/main/java/com/eucalyptus/ws/handlers/WsSecHandler.java
+@@ -84,6 +84,7 @@ import org.jboss.netty.channel.MessageEvent;
+ import org.w3c.dom.Document;
+ import org.w3c.dom.Element;
+ import com.eucalyptus.binding.HoldMe;
++import com.eucalyptus.crypto.util.WSSecurity;
+ import com.eucalyptus.http.MappingHttpMessage;
+ import com.eucalyptus.ws.util.CredentialProxy;
+
+@@ -92,6 +93,10 @@ public abstract class WsSecHandler extends MessageStackHandler {
+ private static Logger LOG = Logger.getLogger( WsSecHandler.class );
+ private final CredentialProxy credentials;
+
++ static {
++ WSSecurity.init();
++ }
++
+ public WsSecHandler( final CredentialProxy credentials ) {
+ this.credentials = credentials;
+ }
+diff --git a/clc/modules/msgs/src/main/resources/xml-security-config.xml b/clc/modules/msgs/src/main/resources/xml-security-config.xml
+new file mode 100644
+index 0000000..10cf86e
+--- /dev/null
++++ b/clc/modules/msgs/src/main/resources/xml-security-config.xml
+@@ -0,0 +1,414 @@
++<?xml version="1.0"?>
++<!--
++<!DOCTYPE Configuration SYSTEM "config.dtd">
++-->
++<!-- This configuration file is used for configuration of the org.apache.xml.security package -->
++<Configuration target="org.apache.xml.security" xmlns="http://www.xmlsecurity.org/NS/#configuration">
++ <CanonicalizationMethods>
++ <CanonicalizationMethod URI="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
++ JAVACLASS="org.apache.xml.security.c14n.implementations.Canonicalizer20010315OmitComments" />
++ <CanonicalizationMethod URI="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
++ JAVACLASS="org.apache.xml.security.c14n.implementations.Canonicalizer20010315WithComments" />
++
++ <CanonicalizationMethod URI="http://www.w3.org/2001/10/xml-exc-c14n#"
++ JAVACLASS="org.apache.xml.security.c14n.implementations.Canonicalizer20010315ExclOmitComments"/>
++ <CanonicalizationMethod URI="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
++ JAVACLASS="org.apache.xml.security.c14n.implementations.Canonicalizer20010315ExclWithComments"/>
++ <!-- Disabled as the JDK "config.xml" disables this
++ <CanonicalizationMethod URI="http://www.w3.org/2006/12/xml-c14n11"
++ JAVACLASS="org.apache.xml.security.c14n.implementations.Canonicalizer11_OmitComments"/> -->
++ <!-- Disabled as the JDK "config.xml" disables this
++ <CanonicalizationMethod URI="http://www.w3.org/2006/12/xml-c14n11#WithComments"
++ JAVACLASS="org.apache.xml.security.c14n.implementations.Canonicalizer11_WithComments"/> -->
++ </CanonicalizationMethods>
++ <TransformAlgorithms>
++ <!-- Base64 -->
++ <!-- Disabled as it facilitates DOS attacks
++ <TransformAlgorithm URI="http://www.w3.org/2000/09/xmldsig#base64"
++ JAVACLASS="org.apache.xml.security.transforms.implementations.TransformBase64Decode" /> -->
++ <!-- c14n omitting comments -->
++ <TransformAlgorithm URI="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
++ JAVACLASS="org.apache.xml.security.transforms.implementations.TransformC14N" />
++ <!-- c14n with comments -->
++ <TransformAlgorithm URI="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
++ JAVACLASS="org.apache.xml.security.transforms.implementations.TransformC14NWithComments" />
++ <!-- c14n 1.1 omitting comments -->
++ <!-- Disabled as the JDK "config.xml" disables this
++ <TransformAlgorithm URI="http://www.w3.org/2006/12/xml-c14n11"
++ JAVACLASS="org.apache.xml.security.transforms.implementations.TransformC14N11" /> -->
++ <!-- c14n 1.1 with comments -->
++ <!-- Disabled as the JDK "config.xml" disables this
++ <TransformAlgorithm URI="http://www.w3.org/2006/12/xml-c14n11#WithComments"
++ JAVACLASS="org.apache.xml.security.transforms.implementations.TransformC14N11_WithComments" /> -->
++ <!-- exclusive c14n omitting comments -->
++ <TransformAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"
++ JAVACLASS="org.apache.xml.security.transforms.implementations.TransformC14NExclusive" />
++ <!-- exclusive c14n with comments -->
++ <TransformAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
++ JAVACLASS="org.apache.xml.security.transforms.implementations.TransformC14NExclusiveWithComments" />
++ <!-- XPath transform -->
++ <!-- Disabled as it facilitates DOS attacks and obscures the signed content
++ <TransformAlgorithm URI="http://www.w3.org/TR/1999/REC-xpath-19991116"
++ JAVACLASS="org.apache.xml.security.transforms.implementations.TransformXPath" /> -->
++ <!-- enveloped signature -->
++ <TransformAlgorithm URI="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
++ JAVACLASS="org.apache.xml.security.transforms.implementations.TransformEnvelopedSignature" />
++ <!-- XSLT -->
++ <!-- Disabled as it facilitates DOS attacks and obscures the signed content
++ <TransformAlgorithm URI="http://www.w3.org/TR/1999/REC-xslt-19991116"
++ JAVACLASS="org.apache.xml.security.transforms.implementations.TransformXSLT" /> -->
++ <!-- XPath version 2 -->
++ <!-- Disabled as it facilitates DOS attacks and obscures the signed content
++ <TransformAlgorithm URI="http://www.w3.org/2002/04/xmldsig-filter2"
++ JAVACLASS="org.apache.xml.security.transforms.implementations.TransformXPath2Filter" /> -->
++ <!-- XPath version 2b -->
++ <!-- Disabled as it facilitates DOS attacks and obscures the signed content
++ <TransformAlgorithm URI="http://www.w3.org/2002/06/xmldsig-filter2"
++ JAVACLASS="org.apache.xml.security.transforms.implementations.TransformXPath2Filter" /> -->
++ </TransformAlgorithms>
++ <SignatureAlgorithms>
++ <SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#dsa-sha1"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureDSA" />
++ <SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1" />
++ <SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#hmac-sha1"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA1" />
++
++ <!-- Disabled as MD5 should no longer be considered secure
++ <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSAMD5" /> -->
++ <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSARIPEMD160" />
++ <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256" />
++ <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA384" />
++ <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA512" />
++ <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.SignatureECDSA$SignatureECDSASHA1" />
++
++ <!-- Disabled as MD5 should no longer be considered secure
++ <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-md5"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacMD5" /> -->
++ <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacRIPEMD160" />
++ <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA256" />
++ <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA384" />
++ <SignatureAlgorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"
++ JAVACLASS="org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA512" />
++ </SignatureAlgorithms>
++ <JCEAlgorithmMappings>
++ <Algorithms>
++ <!-- MessageDigest Algorithms -->
++ <!-- Disabled as MD5 should no longer be considered secure
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#md5"
++ Description="MD5 message digest from RFC 1321"
++ AlgorithmClass="MessageDigest"
++ RequirementLevel="NOT RECOMMENDED"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="MD5"/> -->
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#ripemd160"
++ Description="RIPEMD-160 message digest"
++ AlgorithmClass="MessageDigest"
++ RequirementLevel="OPTIONAL"
++ JCEName="RIPEMD160"/>
++
++ <Algorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"
++ Description="SHA-1 message digest"
++ AlgorithmClass="MessageDigest"
++ RequirementLevel="REQUIRED"
++ JCEName="SHA-1"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#sha256"
++ Description="SHA-1 message digest with 256 bit"
++ AlgorithmClass="MessageDigest"
++ RequirementLevel="RECOMMENDED"
++ JCEName="SHA-256"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#sha384"
++ Description="SHA message digest with 384 bit"
++ AlgorithmClass="MessageDigest"
++ RequirementLevel="OPTIONAL"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="SHA-384"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#sha512"
++ Description="SHA-1 message digest with 512 bit"
++ AlgorithmClass="MessageDigest"
++ RequirementLevel="OPTIONAL"
++ JCEName="SHA-512"/>
++
++ <!-- Signature Algorithms -->
++ <Algorithm URI="http://www.w3.org/2000/09/xmldsig#dsa-sha1"
++ Description="Digital Signature Algorithm with SHA-1 message digest"
++ AlgorithmClass="Signature"
++ RequirementLevel="REQUIRED"
++ JCEName="SHA1withDSA"/>
++
++ <!-- Disabled as MD5 should no longer be considered secure
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"
++ Description="RSA Signature with MD5 message digest"
++ AlgorithmClass="Signature"
++ RequirementLevel="NOT RECOMMENDED"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="MD5withRSA"/> -->
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"
++ Description="RSA Signature with RIPEMD-160 message digest"
++ AlgorithmClass="Signature"
++ RequirementLevel="OPTIONAL"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="RIPEMD160withRSA"/>
++
++ <Algorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
++ Description="RSA Signature with SHA-1 message digest"
++ AlgorithmClass="Signature"
++ RequirementLevel="RECOMMENDED"
++ JCEName="SHA1withRSA"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
++ Description="RSA Signature with SHA-256 message digest"
++ AlgorithmClass="Signature"
++ RequirementLevel="OPTIONAL"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="SHA256withRSA"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
++ Description="RSA Signature with SHA-384 message digest"
++ AlgorithmClass="Signature"
++ RequirementLevel="OPTIONAL"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="SHA384withRSA"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
++ Description="RSA Signature with SHA-512 message digest"
++ AlgorithmClass="Signature"
++ RequirementLevel="OPTIONAL"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="SHA512withRSA"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"
++ Description="ECDSA Signature with SHA-1 message digest"
++ AlgorithmClass="Signature"
++ RequirementLevel="OPTIONAL"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="ECDSAwithSHA1"/>
++
++ <!-- MAC Algorithms -->
++ <!-- Disabled as MD5 should no longer be considered secure
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-md5"
++ Description="Message Authentication code using MD5"
++ AlgorithmClass="Mac"
++ RequirementLevel="NOT RECOMMENDED"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="HmacMD5"/> -->
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160"
++ Description="Message Authentication code using RIPEMD-160"
++ AlgorithmClass="Mac"
++ RequirementLevel="OPTIONAL"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="HMACRIPEMD160"/>
++
++ <Algorithm URI="http://www.w3.org/2000/09/xmldsig#hmac-sha1"
++ Description="Message Authentication code using SHA1"
++ AlgorithmClass="Mac"
++ RequirementLevel="REQUIRED"
++ JCEName="HmacSHA1"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
++ Description="Message Authentication code using SHA-256"
++ AlgorithmClass="Mac"
++ RequirementLevel="OPTIONAL"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="HmacSHA256"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"
++ Description="Message Authentication code using SHA-384"
++ AlgorithmClass="Mac"
++ RequirementLevel="OPTIONAL"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="HmacSHA384"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"
++ Description="Message Authentication code using SHA-512"
++ AlgorithmClass="Mac"
++ RequirementLevel="OPTIONAL"
++ SpecificationURL="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt"
++ JCEName="HmacSHA512"/>
++
++ <!-- Block encryption Algorithms -->
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
++ Description="Block encryption using Triple-DES"
++ AlgorithmClass="BlockEncryption"
++ RequirementLevel="REQUIRED"
++ KeyLength="192"
++ RequiredKey="DESede"
++ JCEName="DESede/CBC/ISO10126Padding"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
++ Description="Block encryption using AES with a key length of 128 bit"
++ AlgorithmClass="BlockEncryption"
++ RequirementLevel="REQUIRED"
++ KeyLength="128"
++ RequiredKey="AES"
++ JCEName="AES/CBC/ISO10126Padding"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#aes192-cbc"
++ Description="Block encryption using AES with a key length of 192 bit"
++ AlgorithmClass="BlockEncryption"
++ RequirementLevel="OPTIONAL"
++ KeyLength="192"
++ RequiredKey="AES"
++ JCEName="AES/CBC/ISO10126Padding"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
++ Description="Block encryption using AES with a key length of 256 bit"
++ AlgorithmClass="BlockEncryption"
++ RequirementLevel="REQUIRED"
++ KeyLength="256"
++ RequiredKey="AES"
++ JCEName="AES/CBC/ISO10126Padding"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
++ Description="Key Transport RSA-v1.5"
++ AlgorithmClass="KeyTransport"
++ RequirementLevel="REQUIRED"
++ RequiredKey="RSA"
++ JCEName="RSA/ECB/PKCS1Padding"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
++ Description="Key Transport RSA-OAEP"
++ AlgorithmClass="KeyTransport"
++ RequirementLevel="REQUIRED"
++ RequiredKey="RSA"
++ JCEName="RSA/ECB/OAEPWithSHA1AndMGF1Padding"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#dh"
++ Description="Key Agreement Diffie-Hellman"
++ AlgorithmClass="KeyAgreement"
++ RequirementLevel="OPTIONAL"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#kw-tripledes"
++ Description="Symmetric Key Wrap using Triple DES"
++ AlgorithmClass="SymmetricKeyWrap"
++ RequirementLevel="REQUIRED"
++ KeyLength="192"
++ RequiredKey="DESede"
++ JCEName="DESedeWrap"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#kw-aes128"
++ Description="Symmetric Key Wrap using AES with a key length of 128 bit"
++ AlgorithmClass="SymmetricKeyWrap"
++ RequirementLevel="REQUIRED"
++ KeyLength="128"
++ RequiredKey="AES"
++ JCEName="AESWrap"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#kw-aes192"
++ Description="Symmetric Key Wrap using AES with a key length of 192 bit"
++ AlgorithmClass="SymmetricKeyWrap"
++ RequirementLevel="OPTIONAL"
++ KeyLength="192"
++ RequiredKey="AES"
++ JCEName="AESWrap"/>
++
++ <Algorithm URI="http://www.w3.org/2001/04/xmlenc#kw-aes256"
++ Description="Symmetric Key Wrap using AES with a key length of 256 bit"
++ AlgorithmClass="SymmetricKeyWrap"
++ RequirementLevel="REQUIRED"
++ KeyLength="256"
++ RequiredKey="AES"
++ JCEName="AESWrap"/>
++
++ </Algorithms>
++ </JCEAlgorithmMappings>
++ <ResourceBundles defaultLanguageCode="en" defaultCountryCode="US">
++ <ResourceBundle LanguageCode="en"
++ CountryCode="US"
++ LOCATION="org.apache.xml.security/resource/xmlsecurity_en.properties" />
++ <ResourceBundle LanguageCode="de"
++ CountryCode="DE"
++ LOCATION="org.apache.xml.security/resource/xmlsecurity_de.properties" />
++ </ResourceBundles>
++ <ResourceResolvers>
++ <!-- Disabled to prevent HTTP references
++ <Resolver JAVACLASS="org.apache.xml.security.utils.resolver.implementations.ResolverDirectHTTP"
++ DESCRIPTION="A simple resolver for requests to HTTP space" /> -->
++ <!-- Disabled to prevent filesystem references
++ <Resolver JAVACLASS="org.apache.xml.security.utils.resolver.implementations.ResolverLocalFilesystem"
++ DESCRIPTION="A simple resolver for requests to the local file system" /> -->
++ <Resolver JAVACLASS="org.apache.xml.security.utils.resolver.implementations.ResolverFragment"
++ DESCRIPTION="A simple resolver for requests of same-document URIs" />
++ <Resolver JAVACLASS="org.apache.xml.security.utils.resolver.implementations.ResolverXPointer"
++ DESCRIPTION="A simple resolver for requests of XPointer fragents" />
++</ResourceResolvers>
++<!-- <defaultLocale languageCode="en" countryCode="US" /> -->
++ <KeyInfo>
++ <ContentHandler LOCALNAME="KeyName"
++ NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
++ JAVACLASS="org.apache.xml.security.keys.content.KeyName" />
++ <ContentHandler LOCALNAME="KeyValue"
++ NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
++ JAVACLASS="org.apache.xml.security.keys.content.KeyValue" />
++ <ContentHandler LOCALNAME="RetrievalMethod"
++ NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
++ JAVACLASS="org.apache.xml.security.keys.content.RetrievalMethod" />
++ <ContentHandler LOCALNAME="X509Data"
++ NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
++ JAVACLASS="org.apache.xml.security.keys.content.X509Data" />
++ <ContentHandler LOCALNAME="PGPData"
++ NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
++ JAVACLASS="org.apache.xml.security.keys.content.PGPData" />
++ <ContentHandler LOCALNAME="SPKIData"
++ NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
++ JAVACLASS="org.apache.xml.security.keys.content.SPKIData" />
++ <ContentHandler LOCALNAME="MgmtData"
++ NAMESPACE="http://www.w3.org/2000/09/xmldsig#"
++ JAVACLASS="org.apache.xml.security.keys.content.MgmtData" />
++ </KeyInfo>
++ <KeyResolver>
++ <!-- This section contains a list of KeyResolvers that are available in
++ every KeyInfo object -->
++ <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver"
++ DESCRIPTION="Can extract RSA public keys" />
++ <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.DSAKeyValueResolver"
++ DESCRIPTION="Can extract DSA public keys" />
++ <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver"
++ DESCRIPTION="Can extract public keys from X509 certificates" />
++ <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.X509SKIResolver"
++ DESCRIPTION="Uses an X509v3 SubjectKeyIdentifier extension to retrieve a certificate from the storages" />
++ <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.RetrievalMethodResolver"
++ DESCRIPTION="Resolves keys and certificates using ResourceResolvers" />
++ <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.X509SubjectNameResolver"
++ DESCRIPTION="Uses an X509 SubjectName to retrieve a certificate from the storages" />
++ <Resolver JAVACLASS="org.apache.xml.security.keys.keyresolver.implementations.X509IssuerSerialResolver"
++ DESCRIPTION="Uses an X509 IssuerName and IssuerSerial to retrieve a certificate from the storages" />
++ </KeyResolver>
++
++ <PrefixMappings>
++ <!-- Many classes create Elements which are in a specific namespace;
++ here, the prefixes for these namespaces are defined. But this
++ can also be overwritten using the ElementProxy#setDefaultPrefix()
++ method. You can even set all prefixes to "" so that the corresponding
++ elements are created using the default namespace -->
++ <PrefixMapping namespace="http://www.w3.org/2000/09/xmldsig#"
++ prefix="ds" />
++ <PrefixMapping namespace="http://www.w3.org/2001/04/xmlenc#"
++ prefix="xenc" />
++ <PrefixMapping namespace="http://www.xmlsecurity.org/experimental#"
++ prefix="experimental" />
++ <PrefixMapping namespace="http://www.w3.org/2002/04/xmldsig-filter2"
++ prefix="dsig-xpath-old" />
++ <PrefixMapping namespace="http://www.w3.org/2002/06/xmldsig-filter2"
++ prefix="dsig-xpath" />
++ <PrefixMapping namespace="http://www.w3.org/2001/10/xml-exc-c14n#"
++ prefix="ec" />
++ <PrefixMapping namespace="http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/#xpathFilter"
++ prefix="xx" />
++ </PrefixMappings>
++</Configuration>
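Review bot: In WSSecurity.java's new `acceptXmlSecurityConfiguration()`, setting `com.eucalyptus.crypto.util.skipWsSecurityConfigurationChecks=true` short-circuits the check with no log output at all, so an operator has no record that the hardened XML Security configuration may not be in effect; log the bypass explicitly, e.g. `if ( Boolean.parseBoolean( System.getProperty( SYSTEM_PROPERTY_SKIP_SECURITY_CHECK ) ) ) { LOG.warn( "XML Security configuration check skipped via " + SYSTEM_PROPERTY_SKIP_SECURITY_CHECK ); return true; }` ahead of the `isValidXmlSecurityConfiguration()` call. The probe in `isValidXmlSecurityConfiguration()` only confirms that the c14n 1.1 canonicalizer is unregistered, an entry the config comments disable for JDK compatibility rather than for security, so it says nothing about whether the XPath/XSLT transforms and the HTTP/filesystem resolvers (the entries tied to DoS and external references) are actually absent; if the library exposes a comparable lookup for transforms, a second probe against one of those URIs would tie the check to the hardening that matters. Note also that the `RuntimeException` thrown from the static block surfaces to callers as an `ExceptionInInitializerError` and then `NoClassDefFoundError` on later use, so the `LOG.fatal` line is the only readable diagnostic an operator will see.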
Added: eucalyptus/trunk/debian/patches/EUCA-2019
===================================================================
--- eucalyptus/trunk/debian/patches/EUCA-2019 (rev 0)
+++ eucalyptus/trunk/debian/patches/EUCA-2019 2012-10-05 17:34:38 UTC (rev 278)
@@ -0,0 +1,280 @@
+Description: Fixes CVE-2012-4064,CVE-2012-4065
+Author: Steve Jones <steve.jones at eucalyptus.com>
+
+diff --git a/clc/modules/msgs/src/main/java/com/eucalyptus/context/Context.java b/clc/modules/msgs/src/main/java/com/eucalyptus/context/Context.java
+index d0e4e9a..06d3dd0 100644
+--- a/clc/modules/msgs/src/main/java/com/eucalyptus/context/Context.java
++++ b/clc/modules/msgs/src/main/java/com/eucalyptus/context/Context.java
+@@ -115,31 +115,8 @@ public class Context {
+ return UserFullName.getInstance( this.getUser( ) );
+ }
+
+- public OwnerFullName getEffectiveUserFullName( ) {
+- String effectiveUserId = this.getRequest( ).getEffectiveUserId( );
+- if ( this.getRequest( ) != null && Principals.systemFullName( ).getUserName( ).equals( effectiveUserId ) ) {
+- return Principals.systemFullName( );
+- /** system **/
+- } else if ( this.getRequest( ) == null || effectiveUserId == null ) {
+- return Principals.nobodyFullName( );
+- /** unset **/
+- } else if ( !effectiveUserId.equals( this.getUserFullName( ).getUserName( ) ) ) {
+- try {
+- return UserFullName.getInstance( Accounts.lookupUserByName( effectiveUserId ) );
+- } catch ( RuntimeException ex ) {
+- LOG.error( ex );
+- return UserFullName.getInstance( this.getUser( ) );
+- } catch ( AuthException ex ) {
+- LOG.error( ex, ex );
+- return UserFullName.getInstance( this.getUser( ) );
+- }
+- } else {
+- return UserFullName.getInstance( this.getUser( ) );
+- }
+- }
+-
+ public boolean hasAdministrativePrivileges( ) {
+- return Principals.systemFullName().equals( this.getEffectiveUserFullName( ) ) || this.getUser( ).isSystemAdmin( );
++ return this.getUser( ).isSystemAdmin( );
+ }
+
+ public User getUser( ) {
+diff --git a/clc/modules/msgs/src/main/java/com/eucalyptus/ws/Handlers.java b/clc/modules/msgs/src/main/java/com/eucalyptus/ws/Handlers.java
+index 2fbe7ad..d2a9f91 100644
+--- a/clc/modules/msgs/src/main/java/com/eucalyptus/ws/Handlers.java
++++ b/clc/modules/msgs/src/main/java/com/eucalyptus/ws/Handlers.java
+@@ -63,6 +63,8 @@
+
+ package com.eucalyptus.ws;
+
++import static com.eucalyptus.component.ComponentId.ComponentMessage;
++import static com.eucalyptus.component.ComponentId.ComponentPart;
+ import java.net.URI;
+ import java.util.HashMap;
+ import java.util.List;
+@@ -71,6 +73,7 @@ import java.util.NoSuchElementException;
+ import java.util.concurrent.ConcurrentMap;
+ import java.util.concurrent.TimeUnit;
+ import java.util.concurrent.atomic.AtomicBoolean;
++import javax.annotation.Nullable;
+ import org.apache.log4j.Logger;
+ import org.jboss.netty.buffer.ChannelBuffer;
+ import org.jboss.netty.buffer.ChannelBuffers;
+@@ -123,6 +126,7 @@ import com.eucalyptus.http.MappingHttpMessage;
+ import com.eucalyptus.http.MappingHttpRequest;
+ import com.eucalyptus.http.MappingHttpResponse;
+ import com.eucalyptus.records.Logs;
++import com.eucalyptus.system.Ats;
+ import com.eucalyptus.util.Exceptions;
+ import com.eucalyptus.ws.handlers.BindingHandler;
+ import com.eucalyptus.ws.handlers.InternalWsSecHandler;
+@@ -416,7 +420,43 @@ public class Handlers {
+ };
+
+ }
+-
++
++ @ChannelPipelineCoverage( "one" )
++ private static final class ComponentMessageCheckHandler implements ChannelUpstreamHandler {
++ @Nullable
++ private final Class<? extends ComponentId> componentIdClass;
++
++ private ComponentMessageCheckHandler( final Class<? extends ComponentId> componentIdClass ) {
++ this.componentIdClass = componentIdClass;
++ }
++
++ @Override
++ public void handleUpstream( final ChannelHandlerContext channelHandlerContext,
++ final ChannelEvent channelEvent ) throws Exception {
++ if ( channelEvent instanceof MessageEvent && componentIdClass != null ) {
++ final BaseMessage message = BaseMessage.extractMessage( channelEvent );
++ final ComponentMessage componentMessage = message==null ? null :
++ Ats.inClassHierarchy( message ).get( ComponentMessage.class );
++ if ( message != null && (componentMessage == null || !componentIdClass.equals( componentMessage.value() ) ) ) {
++ LOG.warn( String.format("Message %s does not match pipeline component %s",
++ message.getClass(),
++ componentIdClass.getSimpleName() ) );
++
++ final MappingHttpMessage mappingHttpMessage = MappingHttpMessage.extractMessage( channelEvent );
++ final BaseMessage baseMessage = BaseMessage.extractMessage( channelEvent );
++ if ( baseMessage != null ) {
++ Contexts.clear( Contexts.lookup( baseMessage.getCorrelationId()) );
++ }
++ channelHandlerContext.getChannel( ).write( new MappingHttpResponse(
++ mappingHttpMessage==null ? HttpVersion.HTTP_1_1 : mappingHttpMessage.getProtocolVersion( ),
++ HttpResponseStatus.BAD_REQUEST ) );
++ return;
++ }
++ }
++ channelHandlerContext.sendUpstream( channelEvent );
++ }
++ }
++
+ static void sendRedirect( final ChannelHandlerContext ctx, final ChannelEvent e, final Class<? extends ComponentId> compClass, final MappingHttpRequest request ) {
+ e.getFuture( ).cancel( );
+ String redirectUri = null;
+@@ -478,7 +518,12 @@ public class Handlers {
+ }
+
+ }
+-
++
++ public static void addComponentHandlers( final Class<? extends ComponentId> componentIdClass,
++ final ChannelPipeline pipeline ) {
++ pipeline.addLast( "msg-component-check", new ComponentMessageCheckHandler( componentIdClass ) );
++ }
++
+ public static void addSystemHandlers( final ChannelPipeline pipeline ) {
+ pipeline.addLast( "service-state-check", internalServiceStateHandler( ) );
+ pipeline.addLast( "service-specific-mangling", ServiceHackeryHandler.INSTANCE );
+diff --git a/clc/modules/msgs/src/main/java/com/eucalyptus/ws/handlers/BindingHandler.java b/clc/modules/msgs/src/main/java/com/eucalyptus/ws/handlers/BindingHandler.java
+index 40e70f7..2e9abc6 100644
+--- a/clc/modules/msgs/src/main/java/com/eucalyptus/ws/handlers/BindingHandler.java
++++ b/clc/modules/msgs/src/main/java/com/eucalyptus/ws/handlers/BindingHandler.java
+@@ -63,6 +63,7 @@
+ */
+ package com.eucalyptus.ws.handlers;
+
++import java.util.regex.Pattern;
+ import org.apache.axiom.om.OMElement;
+ import org.apache.axiom.om.OMNamespace;
+ import org.apache.log4j.Logger;
+@@ -89,19 +90,27 @@ public class BindingHandler extends MessageStackHandler {
+ private Binding binding;
+ private String namespace;
+ private final Binding defaultBinding;
++ private final Pattern namespacePattern;
+
+ public BindingHandler( ) {
+ super( );
+ this.defaultBinding = null;
+- this.namespace = null;
++ this.namespacePattern = null;
+ }
+
+ public BindingHandler( final Binding binding ) {
+ this.binding = binding;
+ this.defaultBinding = binding;
+- this.namespace = null;
++ this.namespacePattern = null;
+ }
+-
++
++ public BindingHandler( final Binding binding,
++ final Pattern namespacePattern ) {
++ this.binding = binding;
++ this.defaultBinding = binding;
++ this.namespacePattern = namespacePattern;
++ }
++
+ @Override
+ public void incomingMessage( final MessageEvent event ) throws Exception {
+ if ( event.getMessage( ) instanceof MappingHttpMessage ) {
+@@ -113,6 +122,9 @@ public class BindingHandler extends MessageStackHandler {
+ OMElement elem = httpMessage.getOmMessage( );
+ OMNamespace omNs = elem.getNamespace( );
+ namespace = omNs.getNamespaceURI( );
++ if ( namespacePattern != null && !namespacePattern.matcher( namespace ).matches() ) {
++ throw new WebServicesException( "Invalid request" );
++ }
+ this.binding = BindingManager.getBinding( BindingManager.sanitizeNamespace( namespace ) );
+ msgType = this.binding.getElementClass( httpMessage.getOmMessage( ).getLocalName( ) );
+ } catch ( BindingException ex ) {
+diff --git a/clc/modules/msgs/src/main/java/com/eucalyptus/ws/server/NioServerHandler.java b/clc/modules/msgs/src/main/java/com/eucalyptus/ws/server/NioServerHandler.java
+index 68cd786..bb6c422 100644
+--- a/clc/modules/msgs/src/main/java/com/eucalyptus/ws/server/NioServerHandler.java
++++ b/clc/modules/msgs/src/main/java/com/eucalyptus/ws/server/NioServerHandler.java
+@@ -63,6 +63,7 @@
+ */
+ package com.eucalyptus.ws.server;
+
++import static com.eucalyptus.component.ComponentId.ComponentPart;
+ import java.util.concurrent.Callable;
+ import java.util.concurrent.atomic.AtomicReference;
+ import javax.security.auth.login.LoginException;
+@@ -93,9 +94,9 @@ import com.eucalyptus.context.Contexts;
+ import com.eucalyptus.http.MappingHttpMessage;
+ import com.eucalyptus.http.MappingHttpRequest;
+ import com.eucalyptus.records.Logs;
++import com.eucalyptus.system.Ats;
+ import com.eucalyptus.util.Exceptions;
+ import com.eucalyptus.ws.Handlers;
+-import com.eucalyptus.ws.StackConfiguration;
+ import com.eucalyptus.ws.WebServicesException;
+
+ @ChannelPipelineCoverage( "one" )
+@@ -146,9 +147,13 @@ public class NioServerHandler extends SimpleChannelUpstreamHandler {//TODO:GRZE:
+ if ( Logs.isExtrrreeeme( ) && request instanceof MappingHttpMessage ) {
+ Logs.extreme( ).trace( ( ( MappingHttpMessage ) request ).logMessage( ) );
+ }
+- FilteredPipeline filteredPipeline = Pipelines.find( request );
++ final FilteredPipeline filteredPipeline = Pipelines.find( request );
+ if ( this.pipeline.compareAndSet( null, filteredPipeline ) ) {
+ this.pipeline.get( ).unroll( ctx.getPipeline( ) );
++ final Ats ats = Ats.inClassHierarchy( filteredPipeline );
++ Handlers.addComponentHandlers(
++ ats.has(ComponentPart.class) ? ats.get(ComponentPart.class).value() : null,
++ ctx.getPipeline() );
+ Handlers.addSystemHandlers( ctx.getPipeline( ) );
+ }
+ } catch ( DuplicatePipelineException e1 ) {
+diff --git a/clc/modules/wsstack/src/main/java/com/eucalyptus/ws/server/EucalyptusSoapPipeline.java b/clc/modules/wsstack/src/main/java/com/eucalyptus/ws/server/EucalyptusSoapPipeline.java
+index c3dd2e4..bb23612 100644
+--- a/clc/modules/wsstack/src/main/java/com/eucalyptus/ws/server/EucalyptusSoapPipeline.java
++++ b/clc/modules/wsstack/src/main/java/com/eucalyptus/ws/server/EucalyptusSoapPipeline.java
+@@ -63,6 +63,7 @@
+ */
+ package com.eucalyptus.ws.server;
+
++import java.util.regex.Pattern;
+ import org.jboss.netty.channel.ChannelPipeline;
+ import org.jboss.netty.handler.codec.http.HttpRequest;
+ import com.eucalyptus.binding.BindingManager;
+@@ -90,7 +91,11 @@ public class EucalyptusSoapPipeline extends FilteredPipeline {
+ @Override
+ public ChannelPipeline addHandlers( ChannelPipeline pipeline ) {
+ auth.unrollStage( pipeline );
+- pipeline.addLast( "binding", new BindingHandler( BindingManager.getBinding( DEFAULT_EC2_SOAP_NAMESPACE ) ) );
++ pipeline.addLast( "binding",
++ new BindingHandler(
++ BindingManager.getBinding( DEFAULT_EC2_SOAP_NAMESPACE ),
++ Pattern.compile( "http://ec2.amazonaws.com/doc/\\d\\d\\d\\d-\\d\\d-\\d\\d/" ) )
++ );
+ return pipeline;
+ }
+ }
+diff --git a/clc/modules/wsstack/src/main/java/com/eucalyptus/ws/server/WalrusSoapPipeline.java b/clc/modules/wsstack/src/main/java/com/eucalyptus/ws/server/WalrusSoapPipeline.java
+index b5efee4..4495594 100644
+--- a/clc/modules/wsstack/src/main/java/com/eucalyptus/ws/server/WalrusSoapPipeline.java
++++ b/clc/modules/wsstack/src/main/java/com/eucalyptus/ws/server/WalrusSoapPipeline.java
+@@ -64,8 +64,10 @@
+
+ package com.eucalyptus.ws.server;
+
++import java.util.regex.Pattern;
+ import org.jboss.netty.channel.ChannelPipeline;
+ import org.jboss.netty.handler.codec.http.HttpRequest;
++import com.eucalyptus.binding.BindingManager;
+ import com.eucalyptus.component.ComponentId.ComponentPart;
+ import com.eucalyptus.component.id.Walrus;
+ import com.eucalyptus.ws.handlers.BindingHandler;
+@@ -74,6 +76,8 @@ import com.eucalyptus.ws.stages.WalrusSoapUserAuthenticationStage;
+
+ @ComponentPart( Walrus.class )
+ public class WalrusSoapPipeline extends FilteredPipeline {
++ private static final String DEFAULT_S3_SOAP_NAMESPACE = "http://s3.amazonaws.com/doc/2006-03-01/"; //TODO: @Configurable
++
+ private final UnrollableStage auth = new WalrusSoapUserAuthenticationStage( );
+
+ @Override
+@@ -89,7 +93,10 @@ public class WalrusSoapPipeline extends FilteredPipeline {
+ @Override
+ public ChannelPipeline addHandlers( ChannelPipeline pipeline ) {
+ auth.unrollStage( pipeline );
+- pipeline.addLast( "binding", new BindingHandler( ) );
++ pipeline.addLast( "binding",
++ new BindingHandler(
++ BindingManager.getBinding(DEFAULT_S3_SOAP_NAMESPACE),
++ Pattern.compile("http://s3.amazonaws.com/doc/\\d\\d\\d\\d-\\d\\d-\\d\\d/") ) );
+ return pipeline;
+ }
+
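Review bot: The namespace allow-list regex introduced in EucalyptusSoapPipeline.addHandlers, `Pattern.compile( "http://ec2.amazonaws.com/doc/\\d\\d\\d\\d-\\d\\d-\\d\\d/" )`, and the matching S3 pattern in WalrusSoapPipeline.addHandlers leave the dots in the host name unescaped, so the anchored `matcher( namespace ).matches()` check in BindingHandler accepts any single character in those positions; since the check exists precisely to reject unexpected namespaces, the literal parts should be escaped, e.g. `Pattern.compile( "http://ec2\\.amazonaws\\.com/doc/\\d{4}-\\d{2}-\\d{2}/" )` and the same form for the s3 host. Both patterns are also compiled inside addHandlers, which NioServerHandler appears to run once per accepted channel, so each belongs in a `private static final Pattern` declared next to the existing DEFAULT_*_SOAP_NAMESPACE constant, with addHandlers referencing that field. In ComponentMessageCheckHandler.handleUpstream, `BaseMessage.extractMessage( channelEvent )` is invoked a second time into `baseMessage` even though `message` already holds what appears to be the same value and is known non-null inside that branch, so the second call and its null check can be dropped in favour of `Contexts.clear( Contexts.lookup( message.getCorrelationId( ) ) );`.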
Modified: eucalyptus/trunk/debian/patches/series
===================================================================
--- eucalyptus/trunk/debian/patches/series 2012-10-05 17:25:37 UTC (rev 277)
+++ eucalyptus/trunk/debian/patches/series 2012-10-05 17:34:38 UTC (rev 278)
@@ -8,3 +8,5 @@
build-against-new-guava.patch
fix-postgres-hibernate-issue.patch
modify-clc-build-file.patch
+EUCA-1521
+EUCA-2019