diff -Nru glance-2012.2.1/AUTHORS glance-2012.2.3/AUTHORS --- glance-2012.2.1/AUTHORS 2012-12-03 22:28:21.000000000 +0000 +++ glance-2012.2.3/AUTHORS 2013-01-29 16:12:59.000000000 +0000 @@ -19,6 +19,7 @@ Clark Boylan Cory Wright Dan Prince +David Ripton Dean Troyer Derek Higgins Donal Lafferty diff -Nru glance-2012.2.1/ChangeLog glance-2012.2.3/ChangeLog --- glance-2012.2.1/ChangeLog 2012-12-03 22:28:21.000000000 +0000 +++ glance-2012.2.3/ChangeLog 2013-01-29 16:12:59.000000000 +0000 
@@ -1,3 +1,149 @@ +commit a5b0f4eb81a1f5d8e89713ff7b3ccc6155762628 +Merge: 0e4e7a7 96a470b +Author: Jenkins +Date: Tue Jan 29 15:57:58 2013 +0000 + + Merge "Remove Swift location/password from messages." into stable/folsom + +commit 0e4e7a7312cf9b49f4e8e200341e65e2394990ac +Merge: fd04efb 4c96080 +Author: Jenkins +Date: Fri Jan 25 17:55:20 2013 +0000 + + Merge "Change useexisting to extend_existing to fix deprecation warnings." into stable/folsom + +commit 4c96080375553f5ffaaaa4b1470160464bcfb910 +Author: David Ripton +Date: Mon Oct 8 15:24:45 2012 -0400 + + Change useexisting to extend_existing to fix deprecation warnings. + + This squelches a deprecation warning during installation. + + We're already using extend_existing in other places, so I don't + think this causes any new version compatibility issues. + + Fixes bug 925609. (Already marked fixed, but this hits more cases.) + + Includes some merges with a whitespace-cleanup fix. + + Change-Id: Ia166e9184ed3e13753c5669a1006a3711738319a + + .../migrate_repo/versions/003_add_disk_format.py | 2 +- + .../migrate_repo/versions/005_size_big_integer.py | 2 +- + .../migrate_repo/versions/006_key_to_name.py | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +commit 96a470be64adcef97f235ca96ed3c59ed954a4c1 +Author: Dan Prince +Date: Sat Jan 12 15:38:09 2013 -0500 + + Remove Swift location/password from messages. + + Updates several exceptions and log messages in the Swift backend + so that they don't include Swift location URI's which may contain + passwords when used in Swift single tenant mode. + + Fixes LP Bug #1098962 (for Folsom). 
+ + Change-Id: Ia97a95ce6ed5d98a76515eea8817e309bcf0889a + + glance/store/swift.py | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +commit fd04efb679a4521a2105ecb6645e40a60dfa3aeb +Merge: 3c56950 bca6e26 +Author: Jenkins +Date: Wed Jan 16 17:41:03 2013 +0000 + + Merge "wsgi.Middleware forward-compatibility with webob 1.2b1 or later" into stable/folsom + +commit 3c569509c999d377ca3ff470d03e0b294850508c +Merge: 514b4b4 5e5e722 +Author: Jenkins +Date: Thu Jan 10 01:12:44 2013 +0000 + + Merge "Verify size in addition to checksum of uploaded image" into stable/folsom + +commit 514b4b49fdba873518f8736b280d6691f34d3426 +Author: Eoghan Glynn +Date: Thu Jan 3 14:11:45 2013 +0000 + + Log error on failure to load paste deploy app. + + Fixes bug 1091294 + + Avoids possible silent failure of service launch when say a + dependency such as keystone is missing (but required by the + configured paste_deploy flavor). + + Change-Id: I9a63d24bcf0a93277829d24073268210d2c063d3 + + glance/common/config.py | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +commit 5e5e722d353e0670d2aa06cbac8e138617c10806 +Author: Eoghan Glynn +Date: Thu Dec 20 15:33:56 2012 +0000 + + Verify size in addition to checksum of uploaded image + + Fixes bug 1092584 + + Previously only the supplied checksum was verified against the actual + checksum calculated by the backend store, with the image being killed + on mismatch. + + Now we also similarly verify the supplied image size, if provided. 
+ + Change-Id: I87fa3ff77715111f1095f3ebe64cd699776ec27e + + glance/api/v1/images.py | 28 ++++++++++++++++------------ + glance/tests/functional/v1/test_api.py | 19 +++++++++++++++++++ + glance/tests/unit/v1/test_api.py | 24 +++++++++++++++++++++--- + 3 files changed, 56 insertions(+), 15 deletions(-) + +commit 35260a7f0b9336d65aac9ffb0aa4b099a35a54aa +Author: Mark McLoughlin +Date: Thu Nov 29 21:28:17 2012 +0000 + + Bump next version to 2012.2.3 + + 2012.2.2 has been released without Glance, so prepare for 2012.2.3. + + Change-Id: I3a6221b579f612418ffce5fd9ba89720699f2e06 + + glance/version.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit bca6e2661f44b4d27cba7431903ee1ce67205372 +Author: Sascha Peilicke +Date: Mon Dec 10 19:20:26 2012 +0100 + + wsgi.Middleware forward-compatibility with webob 1.2b1 or later + + Response.request is None by default + (http://docs.webob.org/en/latest/news.html#b1), but is used in the + CacheFilter WSGI middleware. + + Backport of https://review.openstack.org/#/c/17794/ + + Change-Id: I28f5ca92fe517f4f56af934799db32650e079ba7 + + glance/common/wsgi.py | 1 + + 1 file changed, 1 insertion(+) + +commit 199783cec5d42203740c8fe2272b7037315ce941 +Author: Mark McLoughlin +Date: Thu Nov 29 21:28:17 2012 +0000 + + Bump next version to 2012.2.2 + + Change-Id: I3375a323b0c9fb3f9b6350b9a6163a08beb0f083 + + glance/version.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + commit a4062940b804f524ada38df3c62c14b9c98f82bc Merge: 91aaa48 49408e9 Author: Jenkins @@ -1546,7 +1692,7 @@ Change-Id: I6dc2afa735fb2f82df71d58b10c1e1530fce2f89 - .../sqlalchemy/migrate_repo/versions/014_add_image_tags_table.py | 5 +++++ + .../versions/014_add_image_tags_table.py | 5 +++++ 1 file changed, 5 insertions(+) commit 80c099e0b41b3f2f9684b06f1f4eee8e2776969e 
@@ -4347,48 +4493,48 @@ Change-Id: Ia1a7b5062e7f882971f2061274f6a4a44cfc8ced - glance/api/middleware/cache.py | 2 +- - glance/api/middleware/cache_manage.py | 3 +-- - glance/api/middleware/context.py | 3 ++- - glance/api/middleware/version_negotiation.py | 3 +-- - glance/api/policy.py | 2 +- - glance/api/v1/controller.py | 3 +-- - glance/api/v1/images.py | 2 +- - glance/api/v1/members.py | 3 +-- - glance/api/v2/images.py | 2 +- - glance/common/auth.py | 2 +- - glance/common/client.py | 2 +- - glance/common/utils.py | 2 +- - glance/common/wsgi.py | 3 ++- - glance/db/simple/api.py | 2 +- - glance/db/sqlalchemy/api.py | 3 ++- - glance/db/sqlalchemy/migrate_repo/schema.py | 4 ++-- - .../migrate_repo/versions/015_quote_swift_credentials.py | 2 +- - glance/db/sqlalchemy/migration.py | 2 +- - glance/image_cache/__init__.py | 3 +-- - glance/image_cache/drivers/base.py | 2 +- - glance/image_cache/drivers/sqlite.py | 2 +- - glance/image_cache/drivers/xattr.py | 2 +- - glance/image_cache/prefetcher.py | 3 +-- - glance/notifier/__init__.py | 2 +- - glance/notifier/notify_kombu.py | 2 +- - glance/notifier/notify_log.py | 4 +--- - glance/notifier/notify_qpid.py | 2 +- - glance/registry/__init__.py | 2 +- - glance/registry/api/v1/images.py | 3 +-- - glance/registry/api/v1/members.py | 3 +-- - glance/store/__init__.py | 2 +- - glance/store/base.py | 3 +-- - glance/store/filesystem.py | 2 +- - glance/store/http.py | 2 +- - glance/store/location.py | 2 +- - glance/store/rbd.py | 2 +- - glance/store/s3.py | 2 +- - glance/store/scrubber.py | 2 +- - glance/store/swift.py | 2 +- - glance/tests/unit/test_notifier.py | 3 +-- - glance/tests/unit/utils.py | 3 +-- - tools/migrate_image_owners.py | 2 +- + glance/api/middleware/cache.py | 2 +- + glance/api/middleware/cache_manage.py | 3 +-- + glance/api/middleware/context.py | 3 ++- + glance/api/middleware/version_negotiation.py | 3 +-- + glance/api/policy.py | 2 +- + glance/api/v1/controller.py | 3 +-- + glance/api/v1/images.py | 2 +- + 
glance/api/v1/members.py | 3 +-- + glance/api/v2/images.py | 2 +- + glance/common/auth.py | 2 +- + glance/common/client.py | 2 +- + glance/common/utils.py | 2 +- + glance/common/wsgi.py | 3 ++- + glance/db/simple/api.py | 2 +- + glance/db/sqlalchemy/api.py | 3 ++- + glance/db/sqlalchemy/migrate_repo/schema.py | 4 ++-- + .../versions/015_quote_swift_credentials.py | 2 +- + glance/db/sqlalchemy/migration.py | 2 +- + glance/image_cache/__init__.py | 3 +-- + glance/image_cache/drivers/base.py | 2 +- + glance/image_cache/drivers/sqlite.py | 2 +- + glance/image_cache/drivers/xattr.py | 2 +- + glance/image_cache/prefetcher.py | 3 +-- + glance/notifier/__init__.py | 2 +- + glance/notifier/notify_kombu.py | 2 +- + glance/notifier/notify_log.py | 4 +--- + glance/notifier/notify_qpid.py | 2 +- + glance/registry/__init__.py | 2 +- + glance/registry/api/v1/images.py | 3 +-- + glance/registry/api/v1/members.py | 3 +-- + glance/store/__init__.py | 2 +- + glance/store/base.py | 3 +-- + glance/store/filesystem.py | 2 +- + glance/store/http.py | 2 +- + glance/store/location.py | 2 +- + glance/store/rbd.py | 2 +- + glance/store/s3.py | 2 +- + glance/store/scrubber.py | 2 +- + glance/store/swift.py | 2 +- + glance/tests/unit/test_notifier.py | 3 +-- + glance/tests/unit/utils.py | 3 +-- + tools/migrate_image_owners.py | 2 +- 42 files changed, 46 insertions(+), 56 deletions(-) commit 69d3cd58b755ac6c50b1aef31131819c911e41f6 
@@ -5615,13 +5761,13 @@ Change-Id: I10c677cfd5186edce3ca96495eafc732168cac86 - glance/db/sqlalchemy/migrate_repo/versions/003_add_disk_format.py | 1 - - glance/db/sqlalchemy/migrate_repo/versions/004_add_checksum.py | 1 - - glance/db/sqlalchemy/migrate_repo/versions/006_key_to_name.py | 1 - - glance/db/sqlalchemy/migrate_repo/versions/007_add_owner.py | 1 - - .../migrate_repo/versions/008_add_image_members_table.py | 4 ++-- - .../sqlalchemy/migrate_repo/versions/009_add_mindisk_and_minram.py | 1 - - glance/db/sqlalchemy/migrate_repo/versions/012_id_to_uuid.py | 1 - + .../migrate_repo/versions/003_add_disk_format.py | 1 - + .../migrate_repo/versions/004_add_checksum.py | 1 - + .../migrate_repo/versions/006_key_to_name.py | 1 - + .../migrate_repo/versions/007_add_owner.py | 1 - + .../versions/008_add_image_members_table.py | 4 ++-- + .../versions/009_add_mindisk_and_minram.py | 1 - + .../migrate_repo/versions/012_id_to_uuid.py | 1 - 7 files changed, 2 insertions(+), 8 deletions(-) commit 9c8c630d53877c5a9b0dda856b207468fdb4062c @@ -5745,13 +5891,13 @@ Change-Id: I3c4d98c81dee6676916c60e71a749037ae1edc81 - glance/common/exception.py | 2 +- - .../versions/015_quote_swift_credentials.py | 15 +++++++++++---- - glance/store/filesystem.py | 5 +++-- - glance/store/http.py | 9 +++++++-- - glance/store/rbd.py | 5 +++-- - glance/store/s3.py | 13 ++++++++----- - glance/store/swift.py | 14 +++++++++----- + glance/common/exception.py | 2 +- + .../versions/015_quote_swift_credentials.py | 15 +++++++++++---- + glance/store/filesystem.py | 5 +++-- + glance/store/http.py | 9 +++++++-- + glance/store/rbd.py | 5 +++-- + glance/store/s3.py | 13 ++++++++----- + glance/store/swift.py | 14 +++++++++----- 7 files changed, 42 insertions(+), 21 deletions(-) commit b3b4d64ae23fd3a662e6ebc98642c42fe6631cad 
@@ -5775,13 +5921,13 @@ Change-Id: I68c6f1735e5001641994ed4f84ad879397ba8713 - glance/tests/functional/store_utils.py | 3 ++- - glance/tests/functional/test_bin_glance.py | 10 +++++++--- - glance/tests/functional/v1/test_cache_middleware.py | 4 +++- - glance/tests/functional/v1/test_copy_to_file.py | 4 +++- - glance/tests/functional/v1/test_s3.py | 4 +++- - glance/tests/functional/v1/test_swift.py | 4 +++- - glance/tests/utils.py | 5 +++-- + glance/tests/functional/store_utils.py | 3 ++- + glance/tests/functional/test_bin_glance.py | 10 +++++++--- + .../tests/functional/v1/test_cache_middleware.py | 4 +++- + glance/tests/functional/v1/test_copy_to_file.py | 4 +++- + glance/tests/functional/v1/test_s3.py | 4 +++- + glance/tests/functional/v1/test_swift.py | 4 +++- + glance/tests/utils.py | 5 +++-- 7 files changed, 24 insertions(+), 10 deletions(-) commit c44e16a538113293c7e73eea22c2ebc0f84c365f @@ -8501,9 +8647,9 @@ Change-Id: Ie4f4c13846de727647abe168aeb193a93f03e0bf - glance/tests/functional/test_bin_glance.py | 1 + - glance/tests/functional/v1/test_bin_glance_cache_manage.py | 1 + - glance/tests/functional/v1/test_misc.py | 10 ++++++++++ + glance/tests/functional/test_bin_glance.py | 1 + + .../functional/v1/test_bin_glance_cache_manage.py | 1 + + glance/tests/functional/v1/test_misc.py | 10 ++++++++++ 3 files changed, 12 insertions(+) commit ca84ec7d5550c0978ac80fad7972e77c1c971107 
@@ -8835,21 +8981,21 @@ Change-Id: I9d602ed429caff8ffb00e40f623c473c5425e1cc - glance/tests/functional/test_logging.py | 2 -- - glance/tests/functional/test_respawn.py | 2 +- - glance/tests/functional/test_scrubber.py | 3 --- - glance/tests/functional/v1/test_bin_glance_cache_manage.py | 4 ---- - glance/tests/functional/v1/test_cache_middleware.py | 1 - - glance/tests/functional/v1/test_s3.py | 5 +---- - glance/tests/functional/v1/test_ssl.py | 6 +----- - glance/tests/functional/v1/test_swift.py | 1 - - glance/tests/stubs.py | 2 -- - glance/tests/unit/test_clients.py | 8 -------- - glance/tests/unit/test_context.py | 2 -- - glance/tests/unit/test_db.py | 1 - - glance/tests/unit/test_filesystem_store.py | 3 --- - glance/tests/unit/test_image_cache.py | 1 - - glance/tests/unit/test_s3_store.py | 5 +---- + glance/tests/functional/test_logging.py | 2 -- + glance/tests/functional/test_respawn.py | 2 +- + glance/tests/functional/test_scrubber.py | 3 --- + .../functional/v1/test_bin_glance_cache_manage.py | 4 ---- + .../tests/functional/v1/test_cache_middleware.py | 1 - + glance/tests/functional/v1/test_s3.py | 5 +---- + glance/tests/functional/v1/test_ssl.py | 6 +----- + glance/tests/functional/v1/test_swift.py | 1 - + glance/tests/stubs.py | 2 -- + glance/tests/unit/test_clients.py | 8 -------- + glance/tests/unit/test_context.py | 2 -- + glance/tests/unit/test_db.py | 1 - + glance/tests/unit/test_filesystem_store.py | 3 --- + glance/tests/unit/test_image_cache.py | 1 - + glance/tests/unit/test_s3_store.py | 5 +---- 15 files changed, 4 insertions(+), 42 deletions(-) commit 35ed3105552cf6c182c76b6f13f719bfe7eb596b @@ -8980,8 +9126,8 @@ Change-Id: Iab80a65464a591b732ecce4c00d04df50624e912 - Authors | 1 + - glance/registry/db/migrate_repo/versions/006_key_to_name.py | 2 +- + Authors | 1 + + .../db/migrate_repo/versions/006_key_to_name.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) commit 257be28b8c77bd1fa3e402d2bd2f5ee67ac4e60e 
@@ -10575,12 +10721,12 @@ Change-Id: I5ad5042dbc9785829694553f2657df3eb6e3ef20 Signed-off-by: Chuck Short - glance/registry/db/migrate_repo/versions/001_add_images_table.py | 2 +- - .../db/migrate_repo/versions/002_add_image_properties_table.py | 2 +- - glance/registry/db/migrate_repo/versions/004_add_checksum.py | 2 +- - glance/registry/db/migrate_repo/versions/007_add_owner.py | 2 +- - .../registry/db/migrate_repo/versions/008_add_image_members_table.py | 2 +- - .../registry/db/migrate_repo/versions/009_add_mindisk_and_minram.py | 2 +- + .../migrate_repo/versions/001_add_images_table.py | 2 +- + .../versions/002_add_image_properties_table.py | 2 +- + .../db/migrate_repo/versions/004_add_checksum.py | 2 +- + .../db/migrate_repo/versions/007_add_owner.py | 2 +- + .../versions/008_add_image_members_table.py | 2 +- + .../versions/009_add_mindisk_and_minram.py | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) commit 3b229c394521e5b1b81e4629c6ff9c09e3b866c9 @@ -11264,8 +11410,8 @@ Change-Id: Ic248fdfe3933437928f0b393d8cde993b96bf2cb - .mailmap | 1 + - glance/registry/db/migrate_repo/versions/003_add_disk_format.py | 2 +- + .mailmap | 1 + + .../migrate_repo/versions/003_add_disk_format.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) commit 59ca8b0b44bbb2276d7e5903bfe9d14a6a26d901 @@ -11625,7 +11771,7 @@ Change-Id: Iab1c3e7a52d739a445cf52eb9a67f61a69075026 - glance/registry/db/migrate_repo/versions/012_id_to_uuid.py | 8 ++------ + .../db/migrate_repo/versions/012_id_to_uuid.py | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) commit 300d4031a94b85539a30bde726131231008c80a6 @@ -14013,7 +14159,7 @@ Change-Id: I66307cb355120b992913c8a1d8d5855b30f70504 - glance/registry/db/migrate_repo/versions/012_id_to_uuid.py | 4 ++-- + .../db/migrate_repo/versions/012_id_to_uuid.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 94dcf3acd0b3ef7adcb61b90bf4bdcc733cf61ac 
@@ -21376,8 +21522,8 @@ Add migration scripts for revising the datatype of the 'size' column in the images table. - glance/registry/db/migrate_repo/versions/006_mysql_downgrade.sql | 2 ++ - glance/registry/db/migrate_repo/versions/006_mysql_upgrade.sql | 2 ++ + .../migrate_repo/versions/006_mysql_downgrade.sql | 2 ++ + .../db/migrate_repo/versions/006_mysql_upgrade.sql | 2 ++ 2 files changed, 4 insertions(+) commit 84051230f523294a1ea57bcdb3560bcdb4fda84e @@ -23356,8 +23502,8 @@ Creating indexes - .../db/migrate_repo/versions/001_add_images_table.py | 9 +++++---- - .../versions/002_add_image_properties_table.py | 14 +++++++++----- + .../migrate_repo/versions/001_add_images_table.py | 9 +++++---- + .../versions/002_add_image_properties_table.py | 14 +++++++++----- 2 files changed, 14 insertions(+), 9 deletions(-) commit d060da4993312aa803371464d876a63ded7afba3 @@ -23387,8 +23533,8 @@ Small cleanups - .../db/migrate_repo/versions/001_add_images_table.py | 12 +++--------- - .../versions/002_add_image_properties_table.py | 12 +++--------- + .../migrate_repo/versions/001_add_images_table.py | 12 +++--------- + .../versions/002_add_image_properties_table.py | 12 +++--------- 2 files changed, 6 insertions(+), 18 deletions(-) commit a436b433ca746864aed9fdec8bbe345c3bf147a7 
@@ -23493,9 +23639,9 @@ Better logging - glance/registry/db/migrate_repo/schema.py | 19 +++++++++++++++++++ - .../migrate_repo/versions/001_add_images_table.py | 12 ++++++------ - .../versions/002_add_image_properties_table.py | 13 ++++++------- + glance/registry/db/migrate_repo/schema.py | 19 +++++++++++++++++++ + .../migrate_repo/versions/001_add_images_table.py | 12 ++++++------ + .../versions/002_add_image_properties_table.py | 13 ++++++------- 3 files changed, 31 insertions(+), 13 deletions(-) commit d923a0417537552f672fd5b38b63f40c695f5cd5 diff -Nru glance-2012.2.1/PKG-INFO glance-2012.2.3/PKG-INFO --- glance-2012.2.1/PKG-INFO 2012-12-03 22:28:21.000000000 +0000 +++ glance-2012.2.3/PKG-INFO 2013-01-29 16:13:00.000000000 +0000 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: glance -Version: 2012.2.1 +Version: 2012.2.3 Summary: The Glance project provides services for discovering, registering, and retrieving virtual machine images Home-page: http://glance.openstack.org/ Author: OpenStack diff -Nru glance-2012.2.1/debian/changelog glance-2012.2.3/debian/changelog --- glance-2012.2.1/debian/changelog 2013-03-13 20:41:17.000000000 +0000 +++ glance-2012.2.3/debian/changelog 2013-03-22 11:49:31.000000000 +0000 
@@ -1,3 +1,27 @@ +glance (2012.2.3-0ubuntu2) quantal-proposed; urgency=low + + * Resync with latest security update. + * SECURITY UPDATE: fix information disclosure via Glance v1 API + - debian/patches/CVE-2013-1840.patch: adjust api/middleware/cache.py to + not show image_meta['location'] + - CVE-2013-1840 + + -- James Page Fri, 22 Mar 2013 11:48:52 +0000 + +glance (2012.2.3-0ubuntu1) quantal-proposed; urgency=low + + * Dropped patches, applied upstream: + - debian/patches/CVE-2013-0212.patch: [96a470b] + * Resynchronize with stable/folsom (98d9928a) (LP: #1116671): + - [96a470b] glance image-download can display backend Swift password + - [4c96080] install throws errors about SADeprecationWarning LP: 925609 + - [bca6e26] wsgi.Middleware forward-compatibility with webob 1.2b1 or later + - [5e5e722] Supplied image size should be verified against actual size + LP: 1092584 + - [514b4b4] silent failure when loading the paste deploy app LP: 1091294 + + -- Adam Gandelman Tue, 05 Feb 2013 14:02:33 -0400 + glance (2012.2.1-0ubuntu1.2) quantal-security; urgency=low * SECURITY UPDATE: fix information disclosure via Glance v1 API diff -Nru glance-2012.2.1/debian/patches/CVE-2013-0212.patch glance-2012.2.3/debian/patches/CVE-2013-0212.patch --- glance-2012.2.1/debian/patches/CVE-2013-0212.patch 2013-01-29 15:12:40.000000000 +0000 +++ glance-2012.2.3/debian/patches/CVE-2013-0212.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,78 +0,0 @@ -Origin: supplied by upstream via pre-disclosure -Description: information leak via error message when using swift -Bug: https://bugs.launchpad.net/bugs/1098962 - -Index: glance-2012.2/glance/store/swift.py -=================================================================== ---- glance-2012.2.orig/glance/store/swift.py 2013-01-28 13:38:04.000000000 -0600 -+++ glance-2012.2/glance/store/swift.py 2013-01-28 13:46:26.000000000 -0600 -@@ -136,7 +136,7 @@ - "like so: " - "swift+http://user:pass@authurl.com/v1/container/obj" - ) -- LOG.error(_("Invalid store uri %(uri)s: %(reason)s") % locals()) -+ LOG.error(_("Invalid store URI: %(reason)s") % locals()) - raise exception.BadStoreUri(message=reason) - - pieces = urlparse.urlparse(uri) -@@ -162,8 +162,7 @@ - if creds: - cred_parts = creds.split(':') - if len(cred_parts) != 2: -- reason = (_("Badly formed credentials '%(creds)s' in Swift " -- "URI") % locals()) -+ reason = (_("Badly formed credentials in Swift URI.")) - LOG.error(reason) - raise exception.BadStoreUri() - user, key = cred_parts -@@ -181,7 +180,7 @@ - path_parts.insert(0, netloc) - self.auth_or_store_url = '/'.join(path_parts) - except IndexError: -- reason = _("Badly formed Swift URI: %s") % uri -+ reason = _("Badly formed Swift URI.") - LOG.error(reason) - raise exception.BadStoreUri() - -@@ -293,8 +292,8 @@ - except swiftclient.ClientException, e: - if e.http_status == httplib.NOT_FOUND: - uri = location.get_store_uri() -- raise exception.NotFound(_("Swift could not find image at " -- "uri %(uri)s") % locals()) -+ msg = _("Swift could not find image at URI.") -+ raise exception.NotFound(msg) - else: - raise - -@@ -543,7 +542,7 @@ - except swiftclient.ClientException, e: - if e.http_status == httplib.CONFLICT: - raise exception.Duplicate(_("Swift already has an image at " -- "location %s") % location.get_uri()) -+ "this location.")) - msg = (_("Failed to add object to Swift.\n" - "Got error from Swift: %(e)s") % locals()) - LOG.error(msg) 
-@@ -596,8 +595,8 @@ - except swiftclient.ClientException, e: - if e.http_status == httplib.NOT_FOUND: - uri = location.get_store_uri() -- raise exception.NotFound(_("Swift could not find image at " -- "uri %(uri)s") % locals()) -+ msg = _("Swift could not find image at URI.") -+ raise exception.NotFound(msg) - else: - raise - -@@ -637,8 +636,8 @@ - except swiftclient.ClientException, e: - if e.http_status == httplib.NOT_FOUND: - uri = location.get_store_uri() -- raise exception.NotFound(_("Swift could not find image at " -- "uri %(uri)s") % locals()) -+ msg = _("Swift could not find image at URI.") -+ raise exception.NotFound(msg) - else: - raise - diff -Nru glance-2012.2.1/debian/patches/series glance-2012.2.3/debian/patches/series --- glance-2012.2.1/debian/patches/series 2013-03-13 20:38:08.000000000 +0000 +++ glance-2012.2.3/debian/patches/series 2013-03-22 11:48:43.000000000 +0000 @@ -1,5 +1,4 @@ sql_conn.patch disable-swift-tests.patch disable-network-for-docs.patch -CVE-2013-0212.patch CVE-2013-1840.patch diff -Nru glance-2012.2.1/glance/api/v1/images.py glance-2012.2.3/glance/api/v1/images.py --- glance-2012.2.1/glance/api/v1/images.py 2012-11-30 20:19:33.000000000 +0000 +++ glance-2012.2.3/glance/api/v1/images.py 2013-01-29 16:09:35.000000000 +0000 
@@ -436,19 +436,23 @@ utils.CooperativeReader(image_data), image_meta['size']) - # Verify any supplied checksum value matches checksum + def _kill_mismatched(image_meta, attr, actual): + supplied = image_meta.get(attr) + if supplied and supplied != actual: + msg = _("Supplied %(attr)s (%(supplied)s) and " + "%(attr)s generated from uploaded image " + "(%(actual)s) did not match. Setting image " + "status to 'killed'.") % locals() + LOG.error(msg) + self._safe_kill(req, image_id) + raise HTTPBadRequest(explanation=msg, + content_type="text/plain", + request=req) + + # Verify any supplied size/checksum value matches size/checksum # returned from store when adding image - supplied_checksum = image_meta.get('checksum') - if supplied_checksum and supplied_checksum != checksum: - msg = _("Supplied checksum (%(supplied_checksum)s) and " - "checksum generated from uploaded image " - "(%(checksum)s) did not match. Setting image " - "status to 'killed'.") % locals() - LOG.error(msg) - self._safe_kill(req, image_id) - raise HTTPBadRequest(explanation=msg, - content_type="text/plain", - request=req) + _kill_mismatched(image_meta, 'size', size) + _kill_mismatched(image_meta, 'checksum', checksum) # Update the database with the checksum returned # from the backend store diff -Nru glance-2012.2.1/glance/common/config.py glance-2012.2.3/glance/common/config.py --- glance-2012.2.1/glance/common/config.py 2012-11-30 20:19:33.000000000 +0000 +++ glance-2012.2.3/glance/common/config.py 2013-01-29 16:09:35.000000000 +0000 
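Review bot: In `_kill_mismatched`, the guard `if supplied and supplied != actual` skips the comparison for any falsy supplied value, so a client-declared size of `0` is never checked against the stored size. The `!=` is also only meaningful if `image_meta['size']` and the store's `size` have the same type, which this hunk does not show. If zero should be verified, the guard could be `if supplied is not None and supplied != actual:`; otherwise a comment such as `# a missing or zero value means "not supplied"; both sides are ints here` would record the intent. The check also runs after the store add call shown in the context lines, so a mismatched upload has already been written to the backend. Whether `_safe_kill` removes that data is outside the hunk and worth confirming, as the enclosing method starts and ends outside it.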
@@ -192,6 +192,8 @@ return app except (LookupError, ImportError), e: - raise RuntimeError("Unable to load %(app_name)s from " - "configuration file %(conf_file)s." - "\nGot: %(e)r" % locals()) + msg = _("Unable to load %(app_name)s from " + "configuration file %(conf_file)s." + "\nGot: %(e)r") % locals() + logger.error(msg) + raise RuntimeError(msg) diff -Nru glance-2012.2.1/glance/common/wsgi.py glance-2012.2.3/glance/common/wsgi.py --- glance-2012.2.1/glance/common/wsgi.py 2012-11-30 20:19:33.000000000 +0000 +++ glance-2012.2.3/glance/common/wsgi.py 2013-01-29 16:09:35.000000000 +0000 @@ -324,6 +324,7 @@ if response: return response response = req.get_response(self.application) + response.request = req return self.process_response(response) diff -Nru glance-2012.2.1/glance/db/sqlalchemy/migrate_repo/versions/003_add_disk_format.py glance-2012.2.3/glance/db/sqlalchemy/migrate_repo/versions/003_add_disk_format.py --- glance-2012.2.1/glance/db/sqlalchemy/migrate_repo/versions/003_add_disk_format.py 2012-11-30 20:19:33.000000000 +0000 +++ glance-2012.2.3/glance/db/sqlalchemy/migrate_repo/versions/003_add_disk_format.py 2013-01-29 16:09:35.000000000 +0000 @@ -43,7 +43,7 @@ Column('deleted', Boolean(), nullable=False, default=False, index=True), mysql_engine='InnoDB', - useexisting=True) + extend_existing=True) return images diff -Nru glance-2012.2.1/glance/db/sqlalchemy/migrate_repo/versions/005_size_big_integer.py glance-2012.2.3/glance/db/sqlalchemy/migrate_repo/versions/005_size_big_integer.py --- glance-2012.2.1/glance/db/sqlalchemy/migrate_repo/versions/005_size_big_integer.py 2012-11-30 20:19:33.000000000 +0000 +++ glance-2012.2.3/glance/db/sqlalchemy/migrate_repo/versions/005_size_big_integer.py 2013-01-29 16:09:35.000000000 +0000 
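Review bot: `logger.error(msg)` in the `except (LookupError, ImportError), e:` branch records only the repr of the exception, so the log will not show which import or lookup failed inside the paste pipeline. `logger.exception(msg)` would keep the traceback for the operator. The message is also built with `% locals()`, which hands every local in the function to a translatable format string. An explicit mapping, `% {'app_name': app_name, 'conf_file': conf_file, 'e': e}`, fixes the set of values that can reach the log and the RuntimeError text. The enclosing function starts outside the hunk.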
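Review bot: The added `response.request = req` in glance/common/wsgi.py has no comment saying why the request must be attached, and the reason lives only in the commit message (webob 1.2b1 and later leave `Response.request` as None, and the CacheFilter middleware uses it). A comment above the assignment, `# webob >= 1.2b1 no longer sets Response.request; CacheFilter reads it`, would keep a later cleanup from removing the line. The early `return response` just above does not get the attribute; that looks intentional because it bypasses `process_response`, but the method starts outside the hunk.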
@@ -44,7 +44,7 @@ Column('deleted', Boolean(), nullable=False, default=False, index=True), mysql_engine='InnoDB', - useexisting=True) + extend_existing=True) return images diff -Nru glance-2012.2.1/glance/db/sqlalchemy/migrate_repo/versions/006_key_to_name.py glance-2012.2.3/glance/db/sqlalchemy/migrate_repo/versions/006_key_to_name.py --- glance-2012.2.1/glance/db/sqlalchemy/migrate_repo/versions/006_key_to_name.py 2012-11-30 20:19:33.000000000 +0000 +++ glance-2012.2.3/glance/db/sqlalchemy/migrate_repo/versions/006_key_to_name.py 2013-01-29 16:09:35.000000000 +0000 @@ -56,7 +56,7 @@ index=True), UniqueConstraint('image_id', 'name'), mysql_engine='InnoDB', - useexisting=True) + extend_existing=True) return image_properties diff -Nru glance-2012.2.1/glance/store/swift.py glance-2012.2.3/glance/store/swift.py --- glance-2012.2.1/glance/store/swift.py 2012-11-30 20:19:33.000000000 +0000 +++ glance-2012.2.3/glance/store/swift.py 2013-01-29 16:09:35.000000000 +0000 @@ -136,7 +136,7 @@ "like so: " "swift+http://user:pass@authurl.com/v1/container/obj" ) - LOG.error(_("Invalid store uri %(uri)s: %(reason)s") % locals()) + LOG.error(_("Invalid store URI: %(reason)s") % locals()) raise exception.BadStoreUri(message=reason) pieces = urlparse.urlparse(uri) @@ -162,8 +162,7 @@ if creds: cred_parts = creds.split(':') if len(cred_parts) != 2: - reason = (_("Badly formed credentials '%(creds)s' in Swift " - "URI") % locals()) + reason = (_("Badly formed credentials in Swift URI.")) LOG.error(reason) raise exception.BadStoreUri() user, key = cred_parts @@ -181,7 +180,7 @@ path_parts.insert(0, netloc) self.auth_or_store_url = '/'.join(path_parts) except IndexError: - reason = _("Badly formed Swift URI: %s") % uri + reason = _("Badly formed Swift URI.") LOG.error(reason) raise exception.BadStoreUri() 
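Review bot: In the glance/store/swift.py hunk at -136, the new `LOG.error(_("Invalid store URI: %(reason)s") % locals())` still passes `locals()` to a translatable format string while `uri` remains a local in that scope (the removed line interpolated it from the same mapping). A later edit to the message, or a translation catalog entry, that names `%(uri)s` would put the credential-bearing URI back in the log without touching the call site. Passing only what the message needs, `% {'reason': reason}`, makes the redaction structural rather than a property of the current wording. The unchanged `% locals()` in the "Failed to add object to Swift" context line of the -543 hunk has the same shape and logs the exception text `e`; whether that text can include the location is not visible here.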
@@ -293,8 +292,8 @@ except swiftclient.ClientException, e: if e.http_status == httplib.NOT_FOUND: uri = location.get_store_uri() - raise exception.NotFound(_("Swift could not find image at " - "uri %(uri)s") % locals()) + msg = _("Swift could not find image at URI.") + raise exception.NotFound(msg) else: raise @@ -543,7 +542,7 @@ except swiftclient.ClientException, e: if e.http_status == httplib.CONFLICT: raise exception.Duplicate(_("Swift already has an image at " - "location %s") % location.get_uri()) + "this location.")) msg = (_("Failed to add object to Swift.\n" "Got error from Swift: %(e)s") % locals()) LOG.error(msg) @@ -596,8 +595,8 @@ except swiftclient.ClientException, e: if e.http_status == httplib.NOT_FOUND: uri = location.get_store_uri() - raise exception.NotFound(_("Swift could not find image at " - "uri %(uri)s") % locals()) + msg = _("Swift could not find image at URI.") + raise exception.NotFound(msg) else: raise @@ -637,8 +636,8 @@ except swiftclient.ClientException, e: if e.http_status == httplib.NOT_FOUND: uri = location.get_store_uri() - raise exception.NotFound(_("Swift could not find image at " - "uri %(uri)s") % locals()) + msg = _("Swift could not find image at URI.") + raise exception.NotFound(msg) else: raise diff -Nru glance-2012.2.1/glance/tests/functional/v1/test_api.py glance-2012.2.3/glance/tests/functional/v1/test_api.py --- glance-2012.2.1/glance/tests/functional/v1/test_api.py 2012-11-30 20:19:33.000000000 +0000 +++ glance-2012.2.3/glance/tests/functional/v1/test_api.py 2013-01-29 16:09:35.000000000 +0000 
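Review bot: After this change the context line `uri = location.get_store_uri()` in the NOT_FOUND branch is a dead assignment, because the new `msg = _("Swift could not find image at URI.")` no longer reads it. It should be deleted here and in the identical -596 and -637 hunks. The commit description says the store URI may contain a password, so there is no reason to compute it and hold it in a local, where a frame dump or a future `% locals()` message could pick it up again. The enclosing methods start outside the hunks.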
@@ -1451,3 +1451,22 @@ self.assertEqual('tenant2', response['x-image-meta-owner']) self.stop_servers() + + @skip_if_disabled + def test_mismatched_size(self): + """ + Test mismatched size. + """ + self.cleanup() + self.start_servers(**self.__dict__.copy()) + + image_data = "*" * FIVE_KB + headers = minimal_headers('Image1') + headers['x-image-meta-size'] = str(FIVE_KB + 1) + path = "http://%s:%d/v1/images" % ("127.0.0.1", self.api_port) + http = httplib2.Http() + response, content = http.request(path, 'POST', headers=headers, + body=image_data) + self.assertEqual(response.status, 400) + + self.stop_servers() diff -Nru glance-2012.2.1/glance/tests/unit/v1/test_api.py glance-2012.2.3/glance/tests/unit/v1/test_api.py --- glance-2012.2.1/glance/tests/unit/v1/test_api.py 2012-11-30 20:19:33.000000000 +0000 +++ glance-2012.2.3/glance/tests/unit/v1/test_api.py 2013-01-29 16:09:35.000000000 +0000 @@ -2189,12 +2189,11 @@ self.assertEqual(res.status_int, 200) self.assertEqual(len(res.body), 0) - def test_add_image_checksum_mismatch(self): + def _do_test_add_image_attribute_mismatch(self, attributes): fixture_headers = { - 'x-image-meta-checksum': 'asdf', - 'x-image-meta-size': '4', 'x-image-meta-name': 'fake image #3', } + fixture_headers.update(attributes) req = webob.Request.blank("/images") req.method = 'POST' 
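Review bot: `test_mismatched_size` asserts only `response.status == 400`, so it would still pass if the API rejected the request for an unrelated reason or left the image in a usable state. The behaviour under test is that a size mismatch kills the image, so an additional assertion on the returned `content` (the "did not match" text) or a follow-up request showing the image is not listed as active would pin the real outcome. The docstring "Test mismatched size." could say what is mismatched: the `x-image-meta-size` header declares `FIVE_KB + 1` while the body is `FIVE_KB` bytes. `self.stop_servers()` is not reached when the assertion fails, which matches the surrounding test as far as the hunk shows.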
@@ -2206,6 +2205,25 @@ res = req.get_response(self.api) self.assertEquals(res.status_int, 400) + def test_add_image_checksum_mismatch(self): + attributes = { + 'x-image-meta-checksum': 'asdf', + } + self._do_test_add_image_attribute_mismatch(attributes) + + def test_add_image_size_mismatch(self): + attributes = { + 'x-image-meta-size': str(len("XXXX") + 1), + } + self._do_test_add_image_attribute_mismatch(attributes) + + def test_add_image_checksum_and_size_mismatch(self): + attributes = { + 'x-image-meta-checksum': 'asdf', + 'x-image-meta-size': str(len("XXXX") + 1), + } + self._do_test_add_image_attribute_mismatch(attributes) + def test_add_image_bad_store(self): """Tests raises BadRequest for invalid store header""" fixture_headers = {'x-image-meta-store': 'bad', diff -Nru glance-2012.2.1/glance/version.py glance-2012.2.3/glance/version.py --- glance-2012.2.1/glance/version.py 2012-12-03 22:26:30.000000000 +0000 +++ glance-2012.2.3/glance/version.py 2013-01-29 16:09:35.000000000 +0000 @@ -17,6 +17,6 @@ from glance.openstack.common import version as common_version -NEXT_VERSION = '2012.2.1' +NEXT_VERSION = '2012.2.3' version_info = common_version.VersionInfo('glance', pre_version=NEXT_VERSION) diff -Nru glance-2012.2.1/glance/versioninfo glance-2012.2.3/glance/versioninfo --- glance-2012.2.1/glance/versioninfo 2012-12-03 22:28:19.000000000 +0000 +++ glance-2012.2.3/glance/versioninfo 2013-01-29 16:12:58.000000000 +0000 @@ -1 +1 @@ -2012.2.1 +2012.2.3~20130129.11.ga5b0f4e diff -Nru glance-2012.2.1/glance.egg-info/PKG-INFO glance-2012.2.3/glance.egg-info/PKG-INFO --- glance-2012.2.1/glance.egg-info/PKG-INFO 2012-12-03 22:28:21.000000000 +0000 +++ glance-2012.2.3/glance.egg-info/PKG-INFO 2013-01-29 16:12:59.000000000 +0000 
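Review bot: The new size tests hard-code `str(len("XXXX") + 1)`, which only means "one byte more than the upload" if the helper `_do_test_add_image_attribute_mismatch` (introduced in the -2189 hunk) sends exactly `"XXXX"` as the body. The line that sets the request body lies between the two hunks and is not visible, so this coupling is inferred. Defining the body once in the helper and deriving the size header from it would keep the two in step. The helper and the three tests also lack docstrings, unlike the neighbouring `test_add_image_bad_store`; the helper could carry `"""POST an image whose supplied attributes disagree with the upload; expect 400."""`.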
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: glance
-Version: 2012.2.1
+Version: 2012.2.3
 Summary: The Glance project provides services for discovering, registering, and retrieving virtual machine images
 Home-page: http://glance.openstack.org/
 Author: OpenStack