debian/rules

#!/usr/bin/make -f

%:
	dh $@ --with python2

ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
override_dh_auto_test:
	dh_auto_test
	ln -s secrets.py-dist test/secrets.py
	for pyversion in $(shell pyversions -vr); do python$$pyversion setup.py test; done
	touch $@
endif

debian/control

Source: libcloud
Section: python
Priority: optional
Maintainer: Debian Python Modules Team
Uploaders: Soren Hansen
Build-Depends: debhelper (>= 7.0.50~), python-all (>= 2.6.6-3~), python-simplejson
Standards-Version: 3.9.2
X-Python-Version: >= 2.5
Homepage: http://libcloud.org/

Package: python-libcloud
Architecture: all
Depends: ${misc:Depends}, ${python:Depends}, python-simplejson
Description: unified Python interface into the cloud
 libcloud is a pure Python client library for interacting with many of
 the popular cloud server providers. It was created to make it easy for
 developers to build products that work between any of the services that
 it supports.
 .
 libcloud was originally created by the folks over at Cloudkick, but has
 since grown into an independent free software project licensed under
 the Apache License (2.0).

debian/source/format

3.0 (quilt)

debian/changelog

libcloud (0.5.0-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * [SECURITY] Fix "CVE-2012-3446: MITM vulnerability in TLS/SSL
    certificates verification": add patch
    0001-Fix-hostname-validation-in-the-SSL-verification-code.patch
    taken from upstream git.
    (Closes: #683927)

 -- gregor herrmann  Sun, 19 Aug 2012 16:24:16 +0200

libcloud (0.5.0-1) unstable; urgency=low

  * New upstream release (Closes: #598463)
  * Make myself Uploader instead of Maintainer and set DPMT as the
    maintainer.
  * Adjust debian/watch now that libcloud is a toplevel Apache project.
  * Remove dependency on zope.interface (dropped upstream).
  * Convert to debhelper 7 and dh_python2.
  * Bumped Standards-Version to 3.9.2. No changes needed.
  * Bump debian/compat to 7.
  * Drop debian/pycompat.
  * Use debian/clean instead of overriding dh_auth_clean.

 -- Soren Hansen  Tue, 14 Jun 2011 13:27:50 +0200

libcloud (0.3.1-1) unstable; urgency=low

  * New upstream release.
  * Update debian/copyright to reflect libcloud's inclusion into the
    Apache incubator programme (copyright reassigned to ASF) and to
    account for the new OpenNEbula driver being copyrighted differently
    than the bulk of the project.

 -- Soren Hansen  Tue, 18 May 2010 07:40:17 +0200

libcloud (0.2.0-1) unstable; urgency=low

  * New upstream release.
  * Update Standards-Version to 3.8.4. No changes needed.
  * Switch to "3.0 (quilt)" source package format.
  * Dropped get-orig-source target from debian/rules. Upstream has
    released tarballs.
  * Added watch file.

 -- Soren Hansen  Fri, 07 May 2010 10:00:57 +0200

libcloud (0.1.1~git20091201-1) unstable; urgency=low

  * New upstream snapshot.
  * Add dependencies for test suite to Build-Depends.

 -- Soren Hansen  Wed, 02 Dec 2009 11:32:37 +0100

libcloud (0.1.1~git20091125-1) UNRELEASED; urgency=low

  * New upstream release
  * Run test suite at build time.

 -- Soren Hansen  Wed, 25 Nov 2009 10:43:15 +0100

libcloud (0.1.1~git20091107-1) unstable; urgency=low

  * Initial upload to Debian.
(Closes: #555006) -- Soren Hansen Sat, 07 Nov 2009 22:45:52 +0100 debian/compat0000644000000000000000000000000211574121711010364 0ustar 7 debian/clean0000644000000000000000000000005411575637552010212 0ustar test/secrets.py debian/stamp-makefile-check debian/patches/0000755000000000000000000000000012014173407010614 5ustar debian/patches/0001-Fix-hostname-validation-in-the-SSL-verification-code.patch0000644000000000000000000001024412014173407024117 0ustar Bug-Debian: http://bugs.debian.org/683927 Reviewed-by: gregor herrmann Last-Update: 2012-08-19 Origin: https://github.com/apache/libcloud/commit/f2af5502dae3ac63e656dd1b7d5f29cc82ded401 Comment: This is f2af550 from upstream git, minus the changes in the Changes file and the version change in __init__.py, plus adjustments for offsets From f2af5502dae3ac63e656dd1b7d5f29cc82ded401 Mon Sep 17 00:00:00 2001 From: Tomaž Muraus Date: Thu, 2 Aug 2012 00:39:09 +0000 Subject: [PATCH] Fix hostname validation in the SSL verification code (CVE-2012-3446). Reported by researchers from the University of Texas at Austin (Martin Georgiev, Suman Jana and Vitaly Shmatikov). For more info, see http://libcloud.apache.org/security.html. --- a/libcloud/httplib_ssl.py +++ b/libcloud/httplib_ssl.py @@ -115,13 +115,8 @@ # replace * with alphanumeric and dash # replace . with literal . valid_patterns = [ - re.compile( - pattern.replace( - r".", r"\." - ).replace( - r"*", r"[0-9A-Za-z]+" - ) - ) + re.compile('^' + pattern.replace(r".", r"\.") \ + .replace(r"*", r"[0-9A-Za-z]+") + '$') for pattern in (set(common_name) | set(alt_names)) ] --- a/test/test_httplib_ssl.py +++ b/test/test_httplib_ssl.py 
@@ -44,16 +44,49 @@ 'subjectAltName': ((('DNS', 'foo.alt.name')), (('DNS', 'foo.alt.name.1')))} + cert3 = {'notAfter': 'Feb 16 16:54:50 2013 GMT', + 'subject': ((('countryName', 'US'),), + (('stateOrProvinceName', 'Delaware'),), + (('localityName', 'Wilmington'),), + (('organizationName', 'Python Software Foundation'),), + (('organizationalUnitName', 'SSL'),), + (('commonName', 'python.org'),))} + self.assertFalse(self.httplib_object._verify_hostname( hostname='invalid', cert=cert1)) + self.assertFalse(self.httplib_object._verify_hostname( + hostname='machine.python.org', cert=cert1)) + self.assertFalse(self.httplib_object._verify_hostname( + hostname='foomachine.python.org', cert=cert1)) + self.assertFalse(self.httplib_object._verify_hostname( + hostname='somesomemachine.python.org', cert=cert1)) + self.assertFalse(self.httplib_object._verify_hostname( + hostname='somemachine.python.orga', cert=cert1)) + self.assertFalse(self.httplib_object._verify_hostname( + hostname='somemachine.python.org.org', cert=cert1)) self.assertTrue(self.httplib_object._verify_hostname( hostname='somemachine.python.org', cert=cert1)) self.assertFalse(self.httplib_object._verify_hostname( hostname='invalid', cert=cert2)) + self.assertFalse(self.httplib_object._verify_hostname( + hostname='afoo.alt.name.1', cert=cert2)) + self.assertFalse(self.httplib_object._verify_hostname( + hostname='a.foo.alt.name.1', cert=cert2)) + self.assertFalse(self.httplib_object._verify_hostname( + hostname='foo.alt.name.1.2', cert=cert2)) + self.assertFalse(self.httplib_object._verify_hostname( + hostname='afoo.alt.name.1.2', cert=cert2)) self.assertTrue(self.httplib_object._verify_hostname( hostname='foo.alt.name.1', cert=cert2)) + self.assertTrue(self.httplib_object._verify_hostname( + hostname='python.org', cert=cert3)) + self.assertFalse(self.httplib_object._verify_hostname( + hostname='opython.org', cert=cert3)) + self.assertFalse(self.httplib_object._verify_hostname( + hostname='ython.org', cert=cert3)) 
+ def test_get_subject_alt_names(self): cert1 = {'notAfter': 'Feb 16 16:54:50 2013 GMT', 'subject': ((('countryName', 'US'),), debian/patches/series0000644000000000000000000000010012014171664012023 0ustar 0001-Fix-hostname-validation-in-the-SSL-verification-code.patch debian/copyright0000644000000000000000000000260011573740437011132 0ustar This package was debianized by Soren Hansen on Sat, 07 Nov 2009 22:40:06 +0100. {test/test_,libcloud/drivers/}rimuhosting.py and drivers/ibm_sbc.py are Copyright 2009 RedRata Ltd. {test/test_,libcloud/drivers/}opennebula.py are Copyright 2002-2009 Distributed Systems Architecture Group, Universidad Complutense de Madrid (dsa-research.org) Everything else is Copyright 2010 The Apache Software Foundation. License: Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. For the full license, see '/usr/share/common-licenses/Apache-2.0'. The Debian packaging is Copyright 2009-2010 Soren Hansen, and covered by the Apache 2.0 license. debian/docs0000644000000000000000000000000711574110763010043 0ustar README debian/watch0000644000000000000000000000011311574105077010221 0ustar version=3 http://www.apache.org/dist/libcloud/apache-libcloud-(.*).tar.bz2
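
Review bot: In the `libcloud/httplib_ssl.py` hunk of 0001-Fix-hostname-validation-in-the-SSL-verification-code.patch (`@@ -115,13 +115,8 @@`), the unchanged comment says `*` is replaced with "alphanumeric and dash", but the character class on the new `re.compile` line is still `[0-9A-Za-z]+` with no `-`, so a wildcard name cannot match a host label that contains a hyphen. Either add the dash to the class or correct the comment. Separately, only `.` and `*` are rewritten before the name reaches `re.compile`, so any other regex metacharacter in a certificate's common name or alt name is compiled as regex syntax; running `re.escape` on the name first and then substituting the escaped `\*` would close that. Note also that `$` in Python matches just before a trailing newline, so `\Z` is the stricter end anchor, and the backslash continuation is unnecessary inside the `re.compile(` parentheses.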
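
Review bot: In the `test/test_httplib_ssl.py` hunk of the same patch (`@@ -44,16 +44,49 @@`), the certificates visible here carry only literal names (`foo.alt.name` and `foo.alt.name.1` in cert2, `python.org` in the new cert3), so the `*` substitution that the code change anchors with `^` and `$` is not exercised by any assertion shown. Add a certificate whose commonName or subjectAltName contains a wildcard and assert that a single-label match succeeds while the prefix, suffix and extra-label shapes already tested for literal names (`somemachine.python.orga`, `somemachine.python.org.org`, `a.foo.alt.name.1`) are rejected for it as well. A hostname differing only in letter case would also be worth a case, since the hunk does not show how case is handled.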