[Pkg-ganeti-devel] [ganeti] 01/05: Redact the DRBD secret in instance queries (CVE-2015-7945)

Apollon Oikonomopoulos apoikos at moszumanska.debian.org
Sat Jan 2 13:13:11 UTC 2016 

This is an automated email from the git hooks/post-receive script.

apoikos pushed a commit to branch debian/stable/jessie
in repository ganeti.

commit 71b3fa8aef37dd455393eadf29369d3f36fbb517
Author: Apollon Oikonomopoulos <apoikos at debian.org>
Date:   Tue Dec 22 23:08:36 2015 +0200

    Redact the DRBD secret in instance queries (CVE-2015-7945)
---
 debian/patches/CVE-2015-7945 | 44 ++++++++++++++++++++++++++++++++++++++++++++
 debian/patches/series        |  1 +
 2 files changed, 45 insertions(+)

diff --git a/debian/patches/CVE-2015-7945 b/debian/patches/CVE-2015-7945
new file mode 100644
index 0000000..b807a3e
--- /dev/null
+++ b/debian/patches/CVE-2015-7945
@@ -0,0 +1,44 @@
+commit 535c49a2e28ef129da8bd76b2b79e7c89c04a18c
+Author: Hrvoje Ribicic <riba at google.com>
+Date:   Tue Dec 22 18:01:29 2015 +0000
+
+    Redact the DRBD secret in instance queries
+    
+    This patch is a modified version of 6e94ad764469.
+    
+    As the DRBD secret should be used only by Ganeti internals, replacing
+    the actual secret with None does not hamper Ganeti's work, while
+    preventing the secret from being leaked.
+    
+    Signed-off-by: Hrvoje Ribicic <riba at google.com>
+    Reviewed-by: Klaus Aehlig <aehlig at google.com>
+
+--- a/lib/cmdlib/instance_query.py
++++ b/lib/cmdlib/instance_query.py
+@@ -164,6 +164,7 @@
+ 
+     """
+     drbd_info = None
++    output_logical_id = dev.logical_id
+     if dev.dev_type in constants.DTS_DRBD:
+       # we change the snode then (otherwise we use the one passed in)
+       if dev.logical_id[0] == instance.primary_node:
+@@ -180,8 +181,8 @@
+         "secondary_node": node_uuid2name_fn(snode_uuid),
+         "secondary_minor": snode_minor,
+         "port": dev.logical_id[2],
+-        "secret": dev.logical_id[5],
+       }
++      output_logical_id = dev.logical_id[:-1] + (None,)
+ 
+     dev_pstatus = self._ComputeBlockdevStatus(instance.primary_node,
+                                               instance, dev)
+@@ -198,7 +199,7 @@
+     return {
+       "iv_name": dev.iv_name,
+       "dev_type": dev.dev_type,
+-      "logical_id": dev.logical_id,
++      "logical_id": output_logical_id,
+       "drbd_info": drbd_info,
+       "pstatus": dev_pstatus,
+       "sstatus": dev_sstatus,
diff --git a/debian/patches/series b/debian/patches/series
index 71e520b..65bfa69 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ fix-startup-with-old-config.patch
 cfgupgrade12-remove-old-ssconf.patch
 0003-Disable-local-checks-during-build.patch
 do-not-backup-export-dir.patch
+CVE-2015-7945

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ganeti/ganeti.git

More information about the Pkg-ganeti-devel mailing list