[Pkg-ganeti-devel] [ganeti] 01/05: Redact the DRBD secret in instance queries (CVE-2015-7945)
Apollon Oikonomopoulos
apoikos at moszumanska.debian.org
Sat Jan 2 13:13:11 UTC 2016
This is an automated email from the git hooks/post-receive script.
apoikos pushed a commit to branch debian/stable/jessie
in repository ganeti.
commit 71b3fa8aef37dd455393eadf29369d3f36fbb517
Author: Apollon Oikonomopoulos <apoikos at debian.org>
Date: Tue Dec 22 23:08:36 2015 +0200
Redact the DRBD secret in instance queries (CVE-2015-7945)
---
debian/patches/CVE-2015-7945 | 44 ++++++++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 45 insertions(+)
diff --git a/debian/patches/CVE-2015-7945 b/debian/patches/CVE-2015-7945
new file mode 100644
index 0000000..b807a3e
--- /dev/null
+++ b/debian/patches/CVE-2015-7945
@@ -0,0 +1,44 @@
+commit 535c49a2e28ef129da8bd76b2b79e7c89c04a18c
+Author: Hrvoje Ribicic <riba at google.com>
+Date: Tue Dec 22 18:01:29 2015 +0000
+
+ Redact the DRBD secret in instance queries
+
+ This patch is a modified version of 6e94ad764469.
+
+ As the DRBD secret should be used only by Ganeti internals, replacing
+ the actual secret with None does not hamper Ganeti's work, while
+ preventing the secret from being leaked.
+
+ Signed-off-by: Hrvoje Ribicic <riba at google.com>
+ Reviewed-by: Klaus Aehlig <aehlig at google.com>
+
+--- a/lib/cmdlib/instance_query.py
++++ b/lib/cmdlib/instance_query.py
+@@ -164,6 +164,7 @@
+
+ """
+ drbd_info = None
++ output_logical_id = dev.logical_id
+ if dev.dev_type in constants.DTS_DRBD:
+ # we change the snode then (otherwise we use the one passed in)
+ if dev.logical_id[0] == instance.primary_node:
+@@ -180,8 +181,8 @@
+ "secondary_node": node_uuid2name_fn(snode_uuid),
+ "secondary_minor": snode_minor,
+ "port": dev.logical_id[2],
+- "secret": dev.logical_id[5],
+ }
++ output_logical_id = dev.logical_id[:-1] + (None,)
+
+ dev_pstatus = self._ComputeBlockdevStatus(instance.primary_node,
+ instance, dev)
+@@ -198,7 +199,7 @@
+ return {
+ "iv_name": dev.iv_name,
+ "dev_type": dev.dev_type,
+- "logical_id": dev.logical_id,
++ "logical_id": output_logical_id,
+ "drbd_info": drbd_info,
+ "pstatus": dev_pstatus,
+ "sstatus": dev_sstatus,
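Review bot: In the second instance_query.py hunk, `output_logical_id = dev.logical_id[:-1] + (None,)` redacts by position from the end, while the line it replaces read the secret from `dev.logical_id[5]`. The two agree only if logical_id is a tuple of exactly six elements: a longer id would leave the secret at index 5 in the returned value, and a list would raise TypeError on the concatenation. Consider building the redacted value from the same index the old code used, for example `dev.logical_id[:5] + (None,) + dev.logical_id[6:]`, or add a comment stating the six-element layout the slice relies on. The commit message speaks of replacing the secret with None, but the "secret" key is removed from drbd_info altogether, so it would help to say so in the description for clients that read that key.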
diff --git a/debian/patches/series b/debian/patches/series
index 71e520b..65bfa69 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ fix-startup-with-old-config.patch
cfgupgrade12-remove-old-ssconf.patch
0003-Disable-local-checks-during-build.patch
do-not-backup-export-dir.patch
+CVE-2015-7945
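Review bot: The new series entry `CVE-2015-7945` has no `.patch` suffix, unlike the other entries visible in this hunk (for example `do-not-backup-export-dir.patch`). Consider naming the file `CVE-2015-7945.patch` and listing it under that name, so the series stays consistent and the file is recognisable as a patch by tools and editors that key on the extension.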
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ganeti/ganeti.git