apevec pushed to python-keystonemiddleware (master). "Update to upstream 1.5.0 (..more)"
Fri Apr 24 18:37:09 UTC 2015
>From ae1a6e84b4c7a7e78154b862b568a9581b033e2a Mon Sep 17 00:00:00 2001
From: Alan Pevec <alan.pevec at redhat.com>
Date: Fri, 24 Apr 2015 20:23:20 +0200
Subject: Update to upstream 1.5.0
Also patch for CVE-2015-1852
diff --git a/.gitignore b/.gitignore
index 5d72e41..87f1a91 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
/keystonemiddleware-1.0.0.tar.gz
/keystonemiddleware-1.1.1.tar.gz
/keystonemiddleware-1.2.0.tar.gz
+/keystonemiddleware-1.5.0.tar.gz
diff --git a/0001-Fix-s3_token-middleware-parsing-insecure-option.patch b/0001-Fix-s3_token-middleware-parsing-insecure-option.patch
new file mode 100644
index 0000000..9d91842
--- /dev/null
+++ b/0001-Fix-s3_token-middleware-parsing-insecure-option.patch
@@ -0,0 +1,79 @@
+From 928df2a5174b511025e30fe4a8b84b8e768c4f77 Mon Sep 17 00:00:00 2001
+From: Brant Knudson <bknudson at us.ibm.com>
+Date: Mon, 23 Mar 2015 18:19:18 -0500
+Subject: [PATCH] Fix s3_token middleware parsing insecure option
+
+The "insecure" option was being treated as a bool when it was
+actually provided as a string. The fix is to parse the string to
+a bool.
+
+Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3
+Closes-Bug: 1411063
+---
+ keystonemiddleware/s3_token.py | 3 ++-
+ .../tests/test_s3_token_middleware.py | 24 +++++++++++++++++++++-
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/keystonemiddleware/s3_token.py b/keystonemiddleware/s3_token.py
+index d56482f..3fe13f9 100644
+--- a/keystonemiddleware/s3_token.py
++++ b/keystonemiddleware/s3_token.py
+@@ -35,6 +35,7 @@ import logging
+ import webob
+
+ from oslo_serialization import jsonutils
++from oslo_utils import strutils
+ import requests
+ import six
+ from six.moves import urllib
+@@ -116,7 +117,7 @@ class S3Token(object):
+ auth_port)
+
+ # SSL
+- insecure = conf.get('insecure', False)
++ insecure = strutils.bool_from_string(conf.get('insecure', False))
+ cert_file = conf.get('certfile')
+ key_file = conf.get('keyfile')
+
+diff --git a/keystonemiddleware/tests/test_s3_token_middleware.py b/keystonemiddleware/tests/test_s3_token_middleware.py
+index fdadb76..4b910a6 100644
+--- a/keystonemiddleware/tests/test_s3_token_middleware.py
++++ b/keystonemiddleware/tests/test_s3_token_middleware.py
+@@ -124,7 +124,7 @@ class S3TokenMiddlewareTestGood(S3TokenMiddlewareTestBase):
+ @mock.patch.object(requests, 'post')
+ def test_insecure(self, MOCK_REQUEST):
+ self.middleware = (
+- s3_token.filter_factory({'insecure': True})(FakeApp()))
++ s3_token.filter_factory({'insecure': 'True'})(FakeApp()))
+
+ text_return_value = jsonutils.dumps(GOOD_RESPONSE)
+ if six.PY3:
+@@ -142,6 +142,28 @@ class S3TokenMiddlewareTestGood(S3TokenMiddlewareTestBase):
+ mock_args, mock_kwargs = MOCK_REQUEST.call_args
+ self.assertIs(mock_kwargs['verify'], False)
+
++ def test_insecure_option(self):
++ # insecure is passed as a string.
++
++ # Some non-secure values.
++ true_values = ['true', 'True', '1', 'yes']
++ for val in true_values:
++ config = {'insecure': val, 'certfile': 'false_ind'}
++ middleware = s3_token.filter_factory(config)(FakeApp())
++ self.assertIs(False, middleware._verify)
++
++ # Some "secure" values, including unexpected value.
++ false_values = ['false', 'False', '0', 'no', 'someweirdvalue']
++ for val in false_values:
++ config = {'insecure': val, 'certfile': 'false_ind'}
++ middleware = s3_token.filter_factory(config)(FakeApp())
++ self.assertEqual('false_ind', middleware._verify)
++
++ # Default is secure.
++ config = {'certfile': 'false_ind'}
++ middleware = s3_token.filter_factory(config)(FakeApp())
++ self.assertIs('false_ind', middleware._verify)
++
+
+ class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
+ def setUp(self):
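Review bot: In the added test at the end of the embedded patch, `self.assertIs('false_ind', middleware._verify)` compares a string literal by identity; it only passes because CPython interns short literals, and it is inconsistent with the `assertEqual` used a few lines earlier for the same attribute, so it should read `self.assertEqual('false_ind', middleware._verify)`. The fix line `insecure = strutils.bool_from_string(conf.get('insecure', False))` relies on bool_from_string's non-strict default, which maps an unrecognised string such as 'someweirdvalue' to False; that is the safe direction here, since a typo in the option leaves certificate verification on rather than off, and the new test pins that behaviour. The S3Token method holding the `insecure =` line and the test class around `test_insecure_option` both start and end outside the hunk. As rendered here the context lines of the embedded patch have lost their leading indentation, presumably from the mailing-list rendering; the file applied by `%patch0001 -p1` must carry the original indentation or the patch will not apply.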
diff --git a/python-keystonemiddleware.spec b/python-keystonemiddleware.spec
index ddf0dad..3984098 100644
--- a/python-keystonemiddleware.spec
+++ b/python-keystonemiddleware.spec
@@ -2,20 +2,31 @@
%global pypi_name keystonemiddleware
Name: python-%{pypi_name}
-Version: 1.2.0
+Version: 1.5.0
Release: 1%{?dist}
Summary: Middleware for OpenStack Identity
License: ASL 2.0
URL: http://launchpad.net/keystonemiddleware
Source0: https://pypi.python.org/packages/source/k/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
+
+Patch0001: 0001-Fix-s3_token-middleware-parsing-insecure-option.patch
+
BuildArch: noarch
BuildRequires: python2-devel
BuildRequires: python-setuptools
BuildRequires: python-pbr
-Requires: python-keystoneclient >= 1:0.10.0
+Requires: python-oslo-config >= 1.9.0
+Requires: python-oslo-context >= 0.2.0
+Requires: python-oslo-i18n >= 1.3.0
+Requires: python-oslo-serialization >= 1.2.0
+Requires: python-oslo-utils >= 1.2.0
+Requires: python-pycadf >= 0.8.0
+Requires: python-six >= 1.9.0
+Requires: python-requests >= 2.5.0
+Requires: python-keystoneclient >= 1:1.1.0
# for s3 and ec2 token middlewares
Requires: python-webob
@@ -39,6 +50,9 @@ Documentation for the Middleware for OpenStack Identity
%prep
%setup -q -n %{pypi_name}-%{version}
+
+%patch0001 -p1
+
# Let RPM handle the dependencies
rm -f requirements.txt
# Remove bundled egg-info
@@ -73,6 +87,10 @@ rm -r %{buildroot}%{python_sitelib}/%{pypi_name}/tests
%doc html LICENSE
%changelog
+* Fri Apr 24 2015 Alan Pevec <alan.pevec at redhat.com> 1.5.0-1
+- Update to upstream 1.5.0
+- S3token incorrect condition expression for ssl_insecure CVE-2015-1852
+
* Fri Sep 26 2014 Alan Pevec <alan.pevec at redhat.com> 1.2.0-1
- Update to upstream 1.2.0
diff --git a/sources b/sources
index 791cb55..7aa2c3a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-ae9f4c14ab9f3378f83838e9655ede22 keystonemiddleware-1.2.0.tar.gz
+42490abdcd5991add3d9eb3f628888e3 keystonemiddleware-1.5.0.tar.gz
--
cgit v0.10.2