Update swift to 998abbc58f83feaffaa2cb62880e9ce2ae9bcabb

998abbc58f83feaffaa2cb62880e9ce2ae9bcabb Release note for CVE-2016-9590 b573fb0d12578bc58026818c5af73d292648bd36 [CVE-2016-9590] Correct configuration file perms b61475a793818b13c8e096753bcd1fb91b7e674f Keystone endpoints should go before the service 9c4b716497da75bb8fcb629e489be8b03309a4d9 Prepare 8.2.0 (mitaka) Change-Id: I49dc5c7f37633956a0154397ba31564581337fb1
redhat-openstack · Jan 13, 2017 · 8d6bfa3 · 8d6bfa3
1 parent 3339055
commit 8d6bfa3
Show file tree

Hide file tree

Showing 9 changed files with 25 additions and 5 deletions.
diff --git a/Puppetfile b/Puppetfile
@@ -223,7 +223,7 @@ mod 'stdlib',
   :git => 'https://github.com/puppetlabs/puppetlabs-stdlib.git'
 
 mod 'swift',
-  :commit => '17d1411b01896deda0d96130f25a978b91009b8f',
+  :commit => '998abbc58f83feaffaa2cb62880e9ce2ae9bcabb',
   :git => 'https://github.com/openstack/puppet-swift.git'
 
 mod 'sysctl',

diff --git a/swift/manifests/keystone/auth.pp b/swift/manifests/keystone/auth.pp
@@ -282,6 +282,15 @@
       fail('cinder::keystone::auth parameters service_name and service_name_s3 must be different.')
   }
 
+  # Establish that keystone auth and endpoints are properly setup before
+  # managing any type of swift related service.
+  if $configure_endpoint {
+    Keystone_endpoint["${region}/${real_service_name}::object-store"] -> Swift::Service<||>
+  }
+  if $configure_s3_endpoint {
+    Keystone_endpoint["${region}/${real_service_name_s3}::s3"] -> Swift::Service<||>
+  }
+
   keystone::resource::service_identity { 'swift':
     configure_endpoint  => $configure_endpoint,
     configure_user      => $configure_user,

diff --git a/swift/manifests/proxy.pp b/swift/manifests/proxy.pp
@@ -180,6 +180,7 @@
   }
 
   concat { '/etc/swift/proxy-server.conf':
+    mode    => '0640',
     owner   => 'swift',
     group   => 'swift',
     require => Package['swift-proxy'],

diff --git a/swift/manifests/storage/server.pp b/swift/manifests/storage/server.pp
@@ -180,6 +180,7 @@
   }
 
   concat { "/etc/swift/${config_file_path}":
+    mode    => '0640',
     owner   => $owner,
     group   => $group,
     notify  => Service["swift-${type}-server", "swift-${type}-replicator", "swift-${type}-auditor"],

diff --git a/swift/metadata.json b/swift/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "openstack-swift",
-  "version": "8.1.0",
+  "version": "8.2.0",
   "author": "Puppet Labs and OpenStack Contributors",
   "summary": "Puppet module for OpenStack Swift",
   "license": "Apache-2.0",
@@ -24,7 +24,7 @@
   "description": "Installs and configures OpenStack Swift (Object Storage).",
   "dependencies": [
     { "name": "puppetlabs/inifile", "version_requirement": ">=1.4.0 <2.0.0" },
-    { "name": "openstack/keystone", "version_requirement": ">=8.1.0 <9.0.0" },
+    { "name": "openstack/keystone", "version_requirement": ">=8.2.0 <9.0.0" },
     { "name": "puppetlabs/rsync", "version_requirement": ">=0.4.0 <1.0.0" },
     { "name": "puppetlabs/stdlib", "version_requirement": ">=4.9.0 <5.0.0" },
     { "name": "puppetlabs/xinetd", "version_requirement": ">=1.5.0 <2.0.0" },

diff --git a/swift/releasenotes/notes/cve-2016-9590-b493949d7df27489.yaml b/swift/releasenotes/notes/cve-2016-9590-b493949d7df27489.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Updated file permissions for CVE-2016-9590. Fixes configuration file
+    permissions for the proxy server and storage servers. The permissions were
+    getting incorrectly changed from 0640 to 0644 due to lack of the explict
+    setting of mode on the concat resources.
diff --git a/swift/releasenotes/source/conf.py b/swift/releasenotes/source/conf.py
@@ -52,9 +52,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '8.1.0'
+version = '8.2.0'
 # The full version, including alpha/beta/rc tags.
-release = '8.1.0'
+release = '8.2.0'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

diff --git a/swift/spec/classes/swift_proxy_spec.rb b/swift/spec/classes/swift_proxy_spec.rb
@@ -52,6 +52,7 @@ class { swift: swift_hash_suffix => string }"
       )}
       it { is_expected.to contain_file('/etc/swift/proxy-server.conf').with(
         {:ensure  => 'present',
+         :mode    => '0640',
          :owner   => 'swift',
          :group   => 'swift',
         }

diff --git a/swift/spec/defines/swift_storage_server_spec.rb b/swift/spec/defines/swift_storage_server_spec.rb
@@ -168,6 +168,7 @@ class { 'swift::storage': storage_local_net_ip => '10.0.0.1' }
         )}
 
         # verify template lines
+        it { is_expected.to contain_concat("/etc/swift/#{t}-server.conf").with_mode('0640') }
         it { is_expected.to contain_file(fragment_file).with_content(/^devices\s*=\s*\/srv\/node\s*$/) }
         it { is_expected.to contain_file(fragment_file).with_content(/^bind_ip\s*=\s*10\.0\.0\.1\s*$/) }
         it { is_expected.to contain_file(fragment_file).with_content(/^bind_port\s*=\s*#{title}\s*$/) }