Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
0001-verify-warn-about-weak-certs.patch | verify: warn about weak cert keys or signing algos Extend x509.VerifyX509Certificate() to also check certificates for weak keys or signing algorithms. Rename _VerifyCertificateInner() to _VerifyX509CertificateValidity() to better match what it does, and add a new _VerifyX509CertificateStrength() function that checks: - whether the public key's length is smaller than constants.RSA_KEY_BITS - whether the certificate is signed using a known-weak signature algorithm Apart from cluster verify, VerifyX509Certificate() is also called in a number of places as a pre-flight check with expiration warnings disabled, where every non-empty response is treated as a hard error. In order not to break these uses, we need to change VerifyX509Certificate()'s API to make strength checks optional. Also we refactor the error handling logic to return multiple error XOR warning messages that originate from different checks. | Apollon Oikonomopoulos <apoikos@debian.org> | no | | | 2018-09-03 |
0002-remove-hardcoded-libc-linux-constants.patch | Do not hardcode arch-dependent libc/linux constants commit 1abcb876d279f698b0fafe723feac22540d145f9 utils.mlock: do not use hardcoded mlockall(2) flags Switch to using the build-time detected flags from constants. Signed-off-by: Apollon Oikonomopoulos <apoikos@debian.org> commit b273f537019249ce693f8df78640ff5c6c6bdf4c kvm.netdev: do not use hardcoded ioctl values Switch to using the build-time detected values from constants. Signed-off-by: Apollon Oikonomopoulos <apoikos@debian.org> commit 681b23e163fc7d1fd1c9a88906834c67b9f0bf2e Derive arch-dependent constant values from libc/linux headers We are currently hardcoding some C constants in our Python code in two places: the mlockall(2) flags (used via ctypes), and the TUN/TAP driver ioctls. These constants are actually architecture-dependent and should be derived at build time. Use hsc2py to append these definitions to src/AutoConf.hs, and have them propagate to Ganeti.Constants (and from there lib/_constants.py). A follow-up commit will replace the current constants with the derived ones. Signed-off-by: Apollon Oikonomopoulos <apoikos@debian.org> | Apollon Oikonomopoulos <apoikos@debian.org> | no | | | 2019-01-28 |