Package: neutron / 2:13.0.2-15

Metadata

Package: neutron
Version: 2:13.0.2-15
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
flake8 legacy.patch

neutron/tests/unit/hacking/test_checks.py | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 use legacy api as provided in flake8 >= 3.0.0
rootwrap fix for neutron fwaas.patch

etc/neutron/rootwrap.d/l3.filters | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 rootwrap fix for neutron-fwaas
Join_on_explcit_relationship_paths.patch

neutron/db/l3_db.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 join on explicit relationship paths
 The join() in get_router_for_floatingip() is joining from entity
 to entity without an explicit ON clause which creates an ambiguous
 situation.  SQLAlchemy 1.3 guards against this now, so use the
 real relationship-bound path so that the ORM does not need to guess.
Date: Fri, 8 Mar 2019 14:09:14 -0500

Bug: #1819260

CVE 2019 9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch

neutron/agent/linux/iptables_firewall.py | 20 15 + 5 - 0 !
neutron/tests/unit/agent/linux/test_iptables_firewall.py | 14 14 + 0 - 0 !
2 files changed, 29 insertions(+), 5 deletions(-)

 CVE-2019-9735: when converting sg rules to iptables, do not emit dport if not supported
 Since iptables-restore doesn't support --dport with protocol vrrp,
 it errors out setting the security groups on the hypervisor.

 Marking this a partial fix, since we need a change to prevent
 adding those incompatible rules in the first place, but this
 patch will stop the bleeding.
CVE 2019 10876_rocky_fix_KeyError_in_OVS_firewall.patch

neutron/agent/linux/openvswitch_firewall/rules.py | 16 11 + 5 - 0 !
neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py | 13 11 + 2 - 0 !
2 files changed, 22 insertions(+), 7 deletions(-)

 CVE-2019-10876: fix KeyError in OVS firewall
 When merging port ranges, the code never assumed the
 conjunction ID might not be present in the set due to
 already being removed.

 In this case there were two security groups, both using
 the same remote security group, but the first security
 group does not define a port range and the second one does.
 Or more generally, the first SG port range is a subset
 of the second, as no port-range means the full range.

Bug: #1813007