diff -Nru neutron-2013.2.3/debian/changelog neutron-2013.2.3/debian/changelog --- neutron-2013.2.3/debian/changelog 2014-05-06 08:20:13.000000000 +0000 +++ neutron-2013.2.3/debian/changelog 2014-06-26 08:03:52.000000000 +0000 @@ -1,8 +1,24 @@ -neutron (1:2013.2.3-0ubuntu1.1~cloud0) precise-havana; urgency=medium +neutron (1:2013.2.3-0ubuntu1.5~cloud0) precise-havana; urgency=medium * New update for the Ubuntu Cloud Archive. - -- Openstack Ubuntu Testing Bot Tue, 06 May 2014 04:20:13 -0400 + -- Openstack Ubuntu Testing Bot Thu, 26 Jun 2014 04:03:52 -0400 + +neutron (1:2013.2.3-0ubuntu1.5) saucy-security; urgency=medium + + * SECURITY UPDATE: specify /etc/neutron/rootwrap.conf for use with + neutron-rootwrap + - CVE-2013-6433 (LP: #1185019) + * SECURITY UPDATE: Validate CIDR given as ip-prefix in + security-group-rule-create + - CVE-2014-0187 + - LP: #1300785 + * debian/patches/CVE-2014-0187b.patch: update for python-netaddr <= 0.7.10 + * SECURITY UPDATE: Install SNAT rules for ipv4 only + - CVE-2014-4167 + - LP: #1309195 + + -- Jamie Strandboge Wed, 18 Jun 2014 16:15:47 -0500 neutron (1:2013.2.3-0ubuntu1.1) saucy-security; urgency=medium diff -Nru neutron-2013.2.3/debian/neutron_sudoers neutron-2013.2.3/debian/neutron_sudoers --- neutron-2013.2.3/debian/neutron_sudoers 2014-04-10 18:05:12.000000000 +0000 +++ neutron-2013.2.3/debian/neutron_sudoers 2014-06-09 14:40:05.000000000 +0000 @@ -1,3 +1,3 @@ Defaults:neutron !requiretty -neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap +neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf * diff -Nru neutron-2013.2.3/debian/patches/CVE-2014-0187b.patch neutron-2013.2.3/debian/patches/CVE-2014-0187b.patch --- neutron-2013.2.3/debian/patches/CVE-2014-0187b.patch 1970-01-01 00:00:00.000000000 +0000 +++ neutron-2013.2.3/debian/patches/CVE-2014-0187b.patch 2014-06-18 19:44:58.000000000 +0000 @@ -0,0 +1,32 @@ +From 509d37c84f397a97ca8896309f916c47afe873e6 Mon Sep 17 00:00:00 2001 +From: Aaron Rosen +Date: Wed, 16 Apr 2014 11:31:25 -0700 +Subject: [PATCH] netaddr<=0.7.10 raises ValueError instead of AddrFormatError + +This patch ensures that ValueError is also caught in addition to +AddrFormatError as in netaddr>=0.7.11 AddrFormatError is raised and +in netaddr<=0.7.10 ValueError is raised. + +Change-Id: I595c90e42129a2d365f3860e3042e826bd031365 +Closes-bug: #1308675 +(cherry picked from commit dd2ccd12adfb6c7d4aa500ba4120f767beeed35c) +--- + neutron/extensions/securitygroup.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/neutron/extensions/securitygroup.py b/neutron/extensions/securitygroup.py +index 3d10b5a..027504f 100644 +--- a/neutron/extensions/securitygroup.py ++++ b/neutron/extensions/securitygroup.py +@@ -163,7 +163,7 @@ def convert_ip_prefix_to_cidr(ip_prefix): + try: + cidr = netaddr.IPNetwork(ip_prefix) + return str(cidr) +- except (TypeError, netaddr.AddrFormatError): ++ except (ValueError, TypeError, netaddr.AddrFormatError): + raise qexception.InvalidCIDR(input=ip_prefix) + + +-- +1.7.9.5 + diff -Nru neutron-2013.2.3/debian/patches/CVE-2014-0187.patch neutron-2013.2.3/debian/patches/CVE-2014-0187.patch --- neutron-2013.2.3/debian/patches/CVE-2014-0187.patch 1970-01-01 00:00:00.000000000 +0000 +++ neutron-2013.2.3/debian/patches/CVE-2014-0187.patch 2014-06-09 15:48:18.000000000 +0000 @@ -0,0 +1,258 @@ +From 03eed8cd34cd4fb043c11fc99f6bb0b4fbd5728d Mon Sep 17 00:00:00 2001 +From: marios +Date: Fri, 29 Nov 2013 18:23:54 +0200 +Subject: [PATCH] Validate CIDR given as ip-prefix in + security-group-rule-create + +There was no validation for the provided ip prefix. This just adds +a simple parse using netaddr and explodes with appropriate message. +Also makes sure ip prefix _is_ cidr (192.168.1.1-->192.168.1.1/32). + +Validation occurs at the attribute level (API model) as well as at +the db level, where the ethertype is validated against the ip_prefix +address type. + +Unit test cases added - bad prefix, unmasked prefix and incorrect +ethertype. Also adds attribute test cases for the added +convert_ip_prefix_to_cidr method + +Closes-Bug: 1255338 + +Conflicts: + neutron/tests/unit/test_security_groups_rpc.py + neutron/tests/unit/test_extension_security_group.py + +Change-Id: I71fb8c887963a122a5bd8cfdda800026c1cd3954 +(cherry picked from commit 65aa92b0348b7ab8413f359b00825610cdf66607) +--- + neutron/common/exceptions.py | 4 + + neutron/db/securitygroups_db.py | 20 +++++ + neutron/extensions/securitygroup.py | 18 +++- + .../tests/unit/test_extension_security_group.py | 86 ++++++++++++++++++++ + 4 files changed, 127 insertions(+), 1 deletion(-) + +diff --git a/neutron/common/exceptions.py b/neutron/common/exceptions.py +index 88fa6e4..80a75d1 100644 +--- a/neutron/common/exceptions.py ++++ b/neutron/common/exceptions.py +@@ -306,3 +306,7 @@ class NetworkVxlanPortRangeError(object): + class DeviceIDNotOwnedByTenant(Conflict): + message = _("The following device_id %(device_id)s is not owned by your " + "tenant or matches another tenants router.") ++ ++ ++class InvalidCIDR(BadRequest): ++ message = _("Invalid CIDR %(input)s given as IP prefix") +diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py +index 2a7d2ef..8868546 100644 +--- a/neutron/db/securitygroups_db.py ++++ b/neutron/db/securitygroups_db.py +@@ -16,6 +16,7 @@ + # + # @author: Aaron Rosen, Nicira, Inc + ++import netaddr + import sqlalchemy as sa + from sqlalchemy import orm + from sqlalchemy.orm import exc +@@ -331,6 +332,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase): + new_rules.add(rule['security_group_id']) + + self._validate_port_range(rule) ++ self._validate_ip_prefix(rule) + + if rule['remote_ip_prefix'] and rule['remote_group_id']: + raise ext_sg.SecurityGroupRemoteGroupAndRemoteIpPrefix() +@@ -411,6 +413,24 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase): + if (i['security_group_rule'] == db_rule): + raise ext_sg.SecurityGroupRuleExists(id=id) + ++ def _validate_ip_prefix(self, rule): ++ """Check that a valid cidr was specified as remote_ip_prefix ++ ++ No need to check that it is in fact an IP address as this is already ++ validated by attribute validators. ++ Check that rule ethertype is consistent with remote_ip_prefix ip type. ++ Add mask to ip_prefix if absent (192.168.1.10 -> 192.168.1.10/32). ++ """ ++ input_prefix = rule['remote_ip_prefix'] ++ if input_prefix: ++ addr = netaddr.IPNetwork(input_prefix) ++ # set input_prefix to always include the netmask: ++ rule['remote_ip_prefix'] = str(addr) ++ # check consistency of ethertype with addr version ++ if rule['ethertype'] != "IPv%d" % (addr.version): ++ raise ext_sg.SecurityGroupRuleParameterConflict( ++ ethertype=rule['ethertype'], cidr=input_prefix) ++ + def get_security_group_rules(self, context, filters=None, fields=None, + sorts=None, limit=None, marker=None, + page_reverse=False): +diff --git a/neutron/extensions/securitygroup.py b/neutron/extensions/securitygroup.py +index 85d499a..3d10b5a 100644 +--- a/neutron/extensions/securitygroup.py ++++ b/neutron/extensions/securitygroup.py +@@ -17,6 +17,7 @@ + + from abc import ABCMeta + from abc import abstractmethod ++import netaddr + + from oslo.config import cfg + +@@ -102,6 +103,10 @@ class SecurityGroupRuleExists(qexception.InUse): + message = _("Security group rule already exists. Group id is %(id)s.") + + ++class SecurityGroupRuleParameterConflict(qexception.InvalidInput): ++ message = _("Conflicting value ethertype %(ethertype)s for CIDR %(cidr)s") ++ ++ + def convert_protocol(value): + if value is None: + return +@@ -152,6 +157,16 @@ def convert_to_uuid_list_or_none(value_list): + return value_list + + ++def convert_ip_prefix_to_cidr(ip_prefix): ++ if not ip_prefix: ++ return ++ try: ++ cidr = netaddr.IPNetwork(ip_prefix) ++ return str(cidr) ++ except (TypeError, netaddr.AddrFormatError): ++ raise qexception.InvalidCIDR(input=ip_prefix) ++ ++ + def _validate_name_not_default(data, valid_values=None): + if data == "default": + raise SecurityGroupDefaultAlreadyExists() +@@ -207,7 +222,8 @@ RESOURCE_ATTRIBUTE_MAP = { + 'convert_to': convert_ethertype_to_case_insensitive, + 'validate': {'type:values': sg_supported_ethertypes}}, + 'remote_ip_prefix': {'allow_post': True, 'allow_put': False, +- 'default': None, 'is_visible': True}, ++ 'default': None, 'is_visible': True, ++ 'convert_to': convert_ip_prefix_to_cidr}, + 'tenant_id': {'allow_post': True, 'allow_put': False, + 'required_by_policy': True, + 'is_visible': True}, +diff --git a/neutron/tests/unit/test_extension_security_group.py b/neutron/tests/unit/test_extension_security_group.py +index d53e140..f0b1636 100644 +--- a/neutron/tests/unit/test_extension_security_group.py ++++ b/neutron/tests/unit/test_extension_security_group.py +@@ -21,11 +21,13 @@ import webob.exc + + from neutron.api.v2 import attributes as attr + from neutron.common import constants as const ++from neutron.common import exceptions as n_exc + from neutron.common.test_lib import test_config + from neutron import context + from neutron.db import db_base_plugin_v2 + from neutron.db import securitygroups_db + from neutron.extensions import securitygroup as ext_sg ++from neutron.tests import base + from neutron.tests.unit import test_db_plugin + + DB_PLUGIN_KLASS = ('neutron.tests.unit.test_extension_security_group.' +@@ -413,6 +415,70 @@ class TestSecurityGroups(SecurityGroupDBTestCase): + self.deserialize(self.fmt, res) + self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code) + ++ def test_create_security_group_rule_invalid_ip_prefix(self): ++ name = 'webservers' ++ description = 'my webservers' ++ for bad_prefix in ['bad_ip', 256, "2001:db8:a::123/129", '172.30./24']: ++ with self.security_group(name, description) as sg: ++ sg_id = sg['security_group']['id'] ++ remote_ip_prefix = bad_prefix ++ rule = self._build_security_group_rule( ++ sg_id, ++ 'ingress', ++ const.PROTO_NAME_TCP, ++ '22', '22', ++ remote_ip_prefix) ++ res = self._create_security_group_rule(self.fmt, rule) ++ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code) ++ ++ def test_create_security_group_rule_invalid_ethertype_for_prefix(self): ++ name = 'webservers' ++ description = 'my webservers' ++ test_addr = {'192.168.1.1/24': 'ipv4', '192.168.1.1/24': 'IPv6', ++ '2001:db8:1234::/48': 'ipv6', ++ '2001:db8:1234::/48': 'IPv4'} ++ for prefix, ether in test_addr.iteritems(): ++ with self.security_group(name, description) as sg: ++ sg_id = sg['security_group']['id'] ++ ethertype = ether ++ remote_ip_prefix = prefix ++ rule = self._build_security_group_rule( ++ sg_id, ++ 'ingress', ++ const.PROTO_NAME_TCP, ++ '22', '22', ++ remote_ip_prefix, ++ None, ++ None, ++ ethertype) ++ res = self._create_security_group_rule(self.fmt, rule) ++ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code) ++ ++ def test_create_security_group_rule_with_unmasked_prefix(self): ++ name = 'webservers' ++ description = 'my webservers' ++ addr = {'10.1.2.3': {'mask': '32', 'ethertype': 'IPv4'}, ++ 'fe80::2677:3ff:fe7d:4c': {'mask': '128', 'ethertype': 'IPv6'}} ++ for ip in addr: ++ with self.security_group(name, description) as sg: ++ sg_id = sg['security_group']['id'] ++ ethertype = addr[ip]['ethertype'] ++ remote_ip_prefix = ip ++ rule = self._build_security_group_rule( ++ sg_id, ++ 'ingress', ++ const.PROTO_NAME_TCP, ++ '22', '22', ++ remote_ip_prefix, ++ None, ++ None, ++ ethertype) ++ res = self._create_security_group_rule(self.fmt, rule) ++ self.assertEqual(res.status_int, 201) ++ res_sg = self.deserialize(self.fmt, res) ++ prefix = res_sg['security_group_rule']['remote_ip_prefix'] ++ self.assertEqual(prefix, '%s/%s' % (ip, addr[ip]['mask'])) ++ + def test_create_security_group_rule_tcp_protocol_as_number(self): + name = 'webservers' + description = 'my webservers' +@@ -1348,5 +1414,25 @@ class TestSecurityGroups(SecurityGroupDBTestCase): + self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code) + + ++class TestConvertIPPrefixToCIDR(base.BaseTestCase): ++ ++ def test_convert_bad_ip_prefix_to_cidr(self): ++ for val in ['bad_ip', 256, "2001:db8:a::123/129"]: ++ self.assertRaises(n_exc.InvalidCIDR, ++ ext_sg.convert_ip_prefix_to_cidr, val) ++ self.assertIsNone(ext_sg.convert_ip_prefix_to_cidr(None)) ++ ++ def test_convert_ip_prefix_no_netmask_to_cidr(self): ++ addr = {'10.1.2.3': '32', 'fe80::2677:3ff:fe7d:4c': '128'} ++ for k, v in addr.iteritems(): ++ self.assertEqual(ext_sg.convert_ip_prefix_to_cidr(k), ++ '%s/%s' % (k, v)) ++ ++ def test_convert_ip_prefix_with_netmask_to_cidr(self): ++ addresses = ['10.1.0.0/16', '10.1.2.3/32', '2001:db8:1234::/48'] ++ for addr in addresses: ++ self.assertEqual(ext_sg.convert_ip_prefix_to_cidr(addr), addr) ++ ++ + class TestSecurityGroupsXML(TestSecurityGroups): + fmt = 'xml' +-- +1.7.9.5 + diff -Nru neutron-2013.2.3/debian/patches/CVE-2014-4167.patch neutron-2013.2.3/debian/patches/CVE-2014-4167.patch --- neutron-2013.2.3/debian/patches/CVE-2014-4167.patch 1970-01-01 00:00:00.000000000 +0000 +++ neutron-2013.2.3/debian/patches/CVE-2014-4167.patch 2014-06-18 21:15:31.000000000 +0000 @@ -0,0 +1,208 @@ +From e5fed4812633b0e7cbcb4107b6dc04710e007edf Mon Sep 17 00:00:00 2001 +From: Baodong Li +Date: Thu, 24 Apr 2014 01:47:13 +0000 +Subject: [PATCH] Install SNAT rules for ipv4 only + +Change-Id: I37bd770aa0d54a985ac2bec708c571785084e0ec +Closes-Bug: #1309195 +(cherry picked from commit d23bc8fa6e2d8a735a2aa75224b1bc96a3b992f5) +--- + neutron/agent/l3_agent.py | 19 ++++-- + neutron/tests/unit/test_l3_agent.py | 123 ++++++++++++++++++++++++++++++++--- + 2 files changed, 128 insertions(+), 14 deletions(-) + +Index: neutron-2013.2.3/neutron/agent/l3_agent.py +=================================================================== +--- neutron-2013.2.3.orig/neutron/agent/l3_agent.py 2014-06-18 16:15:27.731638980 -0500 ++++ neutron-2013.2.3/neutron/agent/l3_agent.py 2014-06-18 16:15:27.723638868 -0500 +@@ -387,7 +387,9 @@ + ri.internal_ports.remove(p) + self.internal_network_removed(ri, p['id'], p['ip_cidr']) + +- internal_cidrs = [p['ip_cidr'] for p in ri.internal_ports] ++ # Get IPv4 only internal CIDRs ++ internal_cidrs = [p['ip_cidr'] for p in ri.internal_ports ++ if netaddr.IPNetwork(p['ip_cidr']).version == 4] + # TODO(salv-orlando): RouterInfo would be a better place for + # this logic too + ex_gw_port_id = (ex_gw_port and ex_gw_port['id'] or +@@ -432,11 +434,16 @@ + # And add them back if the action if add_rules + if action == 'add_rules' and ex_gw_port: + # ex_gw_port should not be None in this case +- ex_gw_ip = ex_gw_port['fixed_ips'][0]['ip_address'] +- for rule in self.external_gateway_nat_rules(ex_gw_ip, +- internal_cidrs, +- interface_name): +- ri.iptables_manager.ipv4['nat'].add_rule(*rule) ++ # NAT rules are added only if ex_gw_port has an IPv4 address ++ for ip_addr in ex_gw_port['fixed_ips']: ++ ex_gw_ip = ip_addr['ip_address'] ++ if netaddr.IPAddress(ex_gw_ip).version == 4: ++ rules = self.external_gateway_nat_rules(ex_gw_ip, ++ internal_cidrs, ++ interface_name) ++ for rule in rules: ++ ri.iptables_manager.ipv4['nat'].add_rule(*rule) ++ break + ri.iptables_manager.apply() + + def process_router_floating_ips(self, ri, ex_gw_port): +Index: neutron-2013.2.3/neutron/tests/unit/test_l3_agent.py +=================================================================== +--- neutron-2013.2.3.orig/neutron/tests/unit/test_l3_agent.py 2014-06-18 16:15:27.731638980 -0500 ++++ neutron-2013.2.3/neutron/tests/unit/test_l3_agent.py 2014-06-18 16:15:27.723638868 -0500 +@@ -18,6 +18,7 @@ + import copy + + import mock ++import netaddr + from oslo.config import cfg + + from neutron.agent.common import config as agent_config +@@ -303,24 +304,37 @@ + '! -i %s ! -o %s -m conntrack ! --ctstate DNAT -j ACCEPT' % + (interface_name, interface_name)] + for source_cidr in source_cidrs: +- value_dict = {'source_cidr': source_cidr, +- 'source_nat_ip': source_nat_ip} +- expected_rules.append('-s %(source_cidr)s -j SNAT --to-source ' +- '%(source_nat_ip)s' % value_dict) ++ # Create SNAT rules for IPv4 only ++ if (netaddr.IPNetwork(source_cidr).version == 4 and ++ netaddr.IPNetwork(source_nat_ip).version == 4): ++ value_dict = {'source_cidr': source_cidr, ++ 'source_nat_ip': source_nat_ip} ++ expected_rules.append('-s %(source_cidr)s -j SNAT --to-source ' ++ '%(source_nat_ip)s' % value_dict) + for r in rules: + if negate: + self.assertNotIn(r.rule, expected_rules) + else: + self.assertIn(r.rule, expected_rules) + +- def _prepare_router_data(self, enable_snat=None, num_internal_ports=1): ++ def _prepare_router_data(self, ip_version=4, ++ enable_snat=None, num_internal_ports=1): ++ if ip_version == 4: ++ ip_addr = '19.4.4.4' ++ cidr = '19.4.4.0/24' ++ gateway_ip = '19.4.4.1' ++ elif ip_version == 6: ++ ip_addr = 'fd00::4' ++ cidr = 'fd00::/64' ++ gateway_ip = 'fd00::1' ++ + router_id = _uuid() + ex_gw_port = {'id': _uuid(), + 'network_id': _uuid(), +- 'fixed_ips': [{'ip_address': '19.4.4.4', ++ 'fixed_ips': [{'ip_address': ip_addr, + 'subnet_id': _uuid()}], +- 'subnet': {'cidr': '19.4.4.0/24', +- 'gateway_ip': '19.4.4.1'}} ++ 'subnet': {'cidr': cidr, ++ 'gateway_ip': gateway_ip}} + int_ports = [] + for i in range(0, num_internal_ports): + int_ports.append({'id': _uuid(), +@@ -525,6 +539,99 @@ + self.assertEqual(len(nat_rules_delta), 1) + self._verify_snat_rules(nat_rules_delta, router) + ++ def test_process_ipv6_only_gw(self): ++ agent = l3_agent.L3NATAgent(HOSTNAME, self.conf) ++ router = self._prepare_router_data(ip_version=6) ++ # Get NAT rules without the gw_port ++ gw_port = router['gw_port'] ++ router['gw_port'] = None ++ ri = l3_agent.RouterInfo(router['id'], self.conf.root_helper, ++ self.conf.use_namespaces, router=router) ++ agent.external_gateway_added = mock.Mock() ++ agent.process_router(ri) ++ orig_nat_rules = ri.iptables_manager.ipv4['nat'].rules[:] ++ ++ # Get NAT rules with the gw_port ++ router['gw_port'] = gw_port ++ ri = l3_agent.RouterInfo(router['id'], self.conf.root_helper, ++ self.conf.use_namespaces, router=router) ++ with mock.patch.object( ++ agent, ++ 'external_gateway_nat_rules') as external_gateway_nat_rules: ++ agent.process_router(ri) ++ new_nat_rules = ri.iptables_manager.ipv4['nat'].rules[:] ++ ++ # There should be no change with the NAT rules ++ self.assertFalse(external_gateway_nat_rules.called) ++ self.assertEqual(orig_nat_rules, new_nat_rules) ++ ++ def test_process_router_ipv6_interface_added(self): ++ agent = l3_agent.L3NATAgent(HOSTNAME, self.conf) ++ router = self._prepare_router_data() ++ ri = l3_agent.RouterInfo(router['id'], self.conf.root_helper, ++ self.conf.use_namespaces, router=router) ++ agent.external_gateway_added = mock.Mock() ++ # Process with NAT ++ agent.process_router(ri) ++ orig_nat_rules = ri.iptables_manager.ipv4['nat'].rules[:] ++ # Add an IPv6 interface and reprocess ++ router[l3_constants.INTERFACE_KEY].append( ++ {'id': _uuid(), ++ 'network_id': _uuid(), ++ 'admin_state_up': True, ++ 'fixed_ips': [{'ip_address': 'fd00::2', ++ 'subnet_id': _uuid()}], ++ 'mac_address': 'ca:fe:de:ad:be:ef', ++ 'subnet': {'cidr': 'fd00::/64', ++ 'gateway_ip': 'fd00::1'}}) ++ # Reassign the router object to RouterInfo ++ ri.router = router ++ agent.process_router(ri) ++ # For some reason set logic does not work well with ++ # IpTablesRule instances ++ nat_rules_delta = [r for r in ri.iptables_manager.ipv4['nat'].rules ++ if r not in orig_nat_rules] ++ self.assertFalse(nat_rules_delta) ++ ++ def test_process_router_ipv6v4_interface_added(self): ++ agent = l3_agent.L3NATAgent(HOSTNAME, self.conf) ++ router = self._prepare_router_data() ++ ri = l3_agent.RouterInfo(router['id'], self.conf.root_helper, ++ self.conf.use_namespaces, router=router) ++ agent.external_gateway_added = mock.Mock() ++ # Process with NAT ++ agent.process_router(ri) ++ orig_nat_rules = ri.iptables_manager.ipv4['nat'].rules[:] ++ # Add an IPv4 and IPv6 interface and reprocess ++ router[l3_constants.INTERFACE_KEY].append( ++ {'id': _uuid(), ++ 'network_id': _uuid(), ++ 'admin_state_up': True, ++ 'fixed_ips': [{'ip_address': '35.4.1.4', ++ 'subnet_id': _uuid()}], ++ 'mac_address': 'ca:fe:de:ad:be:ef', ++ 'subnet': {'cidr': '35.4.1.0/24', ++ 'gateway_ip': '35.4.1.1'}}) ++ ++ router[l3_constants.INTERFACE_KEY].append( ++ {'id': _uuid(), ++ 'network_id': _uuid(), ++ 'admin_state_up': True, ++ 'fixed_ips': [{'ip_address': 'fd00::2', ++ 'subnet_id': _uuid()}], ++ 'mac_address': 'ca:fe:de:ad:be:ef', ++ 'subnet': {'cidr': 'fd00::/64', ++ 'gateway_ip': 'fd00::1'}}) ++ # Reassign the router object to RouterInfo ++ ri.router = router ++ agent.process_router(ri) ++ # For some reason set logic does not work well with ++ # IpTablesRule instances ++ nat_rules_delta = [r for r in ri.iptables_manager.ipv4['nat'].rules ++ if r not in orig_nat_rules] ++ self.assertEqual(1, len(nat_rules_delta)) ++ self._verify_snat_rules(nat_rules_delta, router) ++ + def test_process_router_interface_removed(self): + agent = l3_agent.L3NATAgent(HOSTNAME, self.conf) + router = self._prepare_router_data(num_internal_ports=2) diff -Nru neutron-2013.2.3/debian/patches/series neutron-2013.2.3/debian/patches/series --- neutron-2013.2.3/debian/patches/series 2014-04-10 18:05:12.000000000 +0000 +++ neutron-2013.2.3/debian/patches/series 2014-06-18 21:15:18.000000000 +0000 @@ -4,3 +4,6 @@ disable-ml2-notification-tests.patch remove-jsonrpclib.patch revert-stable-havana-requirements.patch +CVE-2014-0187.patch +CVE-2014-0187b.patch +CVE-2014-4167.patch