authorMatt Thode <prometheanfire@gentoo.org>2013-02-26 21:44:12 +0000
committerMatt Thode <prometheanfire@gentoo.org>2013-02-26 21:44:12 +0000
commit7eb0a2389ee30e9e8ec5634a9221e54a3f0248f2 (patch)
treeb81e13e62c7e509eccf65c39a70f9f616fbdcea5 /sys-cluster/nova
parentFix for Prefix, by Yuriy Taraday, bug #447684 (diff)
sys-cluster/nova - fixing bug 459364 CVE-2013-0335
Package-Manager: portage-2.1.11.50/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-cluster/nova')
-rw-r--r--sys-cluster/nova/ChangeLog9
-rw-r--r--sys-cluster/nova/Manifest33
-rw-r--r--sys-cluster/nova/files/nova-folsom-3-CVE-2013-0335.patch410
-rw-r--r--sys-cluster/nova/nova-2012.2.2-r1.ebuild63
-rw-r--r--sys-cluster/nova/nova-2012.2.3-r1.ebuild (renamed from sys-cluster/nova/nova-2012.2.3.ebuild)7
5 files changed, 439 insertions, 83 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog
index 3edea8c786eb..e54fa990aa4a 100644
--- a/sys-cluster/nova/ChangeLog
+++ b/sys-cluster/nova/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-cluster/nova
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.3 2013/02/20 06:13:35 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.4 2013/02/26 21:44:05 prometheanfire Exp $
+
+*nova-2012.2.3-r1 (26 Feb 2013)
+
+ 26 Feb 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/nova-folsom-3-CVE-2013-0335.patch, -nova-2012.2.2-r1.ebuild,
+ -nova-2012.2.3.ebuild, +nova-2012.2.3-r1.ebuild:
+ fixing bug 459364 CVE-2013-0335
20 Feb 2013; Matthew Thode <prometheanfire@gentoo.org>
nova-2012.2.2-r1.ebuild, nova-2012.2.3.ebuild:
diff --git a/sys-cluster/nova/Manifest b/sys-cluster/nova/Manifest
index 233bf364dd02..4fb20ef0306b 100644
--- a/sys-cluster/nova/Manifest
+++ b/sys-cluster/nova/Manifest
@@ -1,27 +1,26 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
+AUX nova-folsom-3-CVE-2013-0335.patch 18147 SHA256 be947b94ea5b41c13e0c945f428c426cddbfa127ab2a166adc7d49965e4060da SHA512 ba687fe8c557d4c03eaa189f7c611255e1b1902d31e4f95847abf3649cdba2eaa90d1f4e6813ec0c8c9065f10f5d38c77716a02ac2d103310edaf40de0a4070c WHIRLPOOL e02563ff87b2bbc966a02ab026f5a718a6cfd3a7d6aeb5854d67c348e16d324e45a1859d3c6c52d655e7b0a8b0cac637aee3aca30bcde9d2c7d005e341c4f58e
AUX nova-folsom-CVE-2013-1664.patch 14249 SHA256 5eb9827905a51a96e86e582a6fb06585f6f4aec29232b06b17294c9745dd7582 SHA512 4ad9a6e5919ab7eb7c7c592b4ec6dfd9b448f836dd6329c58df876b0cdb1a0f92c90c8307450d85fa9ce2cef6ed90906c64e0fabfa848b8f804e044d5d451b87 WHIRLPOOL 8c25ae9c76c0a48524f8b00ceaeadded64615be50114ab371e444f75bedf1962537d23cda989f169422e7ec6ed5e92d7010405251105d2f8863db0c7fef81459
-DIST nova-2012.2.2.tar.gz 6253220 SHA256 fad9a8d1f538ee1fb578e2409de975d048e56abaaccee0ee4bb4a8aeb4c43adf SHA512 880228b3389525f412a176cdfc39610a80e607e3021e30b3815c0c3f27cf94f8bf10710c9db6f4f21ef0c3a964910d6f178636c323ee8d0c82a110010895e70c WHIRLPOOL 7263b369947d7d285d64890c5f94956a804cbb1fcc78dfc18da27f91c17d37f0cc16101d9430945d965bf9578ec9bdc3f8620e76b3d9e973271708156611f54c
DIST nova-2012.2.3.tar.gz 6260067 SHA256 e9640d89e84d3feaa537b1faa3945c708beb2cffd8a114ff83484ea151406994 SHA512 bbbbb140ff09d508a44d6b5dc9817b4d6e277ddc45ae1b70b45915c3e8c6873cffaf670a2a745381bbf63b4d5869fab6a524c7d2816fafe0aa4fe73a6ffca15d WHIRLPOOL da4cc6033426fb5268bff67a18574c8d2de4dbbc528df6982e2b87e8b3a92f2df999c8d6bf0b6fb3de1397feccdd906e064b78e3f7bab7fee679eee2437e3185
-EBUILD nova-2012.2.2-r1.ebuild 1942 SHA256 8f64f4c5cc91ac46265cba83347380cdff41f66cd1e9d96a8cdbcdd1414532aa SHA512 c35ba4ce8757ffb2ac06200af48ce1e037f0cac4992f193e9dba7c7eb5be2936e8154a3a37ceb9d32fe3e06bc62e73a254fdd8ec29a2989b8a5f2420702af3ea WHIRLPOOL 7d44fc70b5bbcd5bd4d5a6417ea7c822e7d81e804e7b4ce298bb26c63096633c6d1a581063ee1fb538c741bc617898ee4a82ed40809f555223551dc2da667a98
-EBUILD nova-2012.2.3.ebuild 1946 SHA256 ecbcef19aab93ba026018f87e5a46871a0218ed151d773523de99690ace84982 SHA512 f537d2729eb6cc2a8e5351d7a98f39009de95fe48524a62dce1286bed62df0be14a9fdee34b989256306b942027abf4ff359d36a8f282378928260d3e2e18ede WHIRLPOOL b22b4b5a41e6f48bf6a958e54731a92f1a7e2d00b597fe7d5479c63a6340bc7693cf9b702a048404bd47470d0bb57e980d2da1115afef4f360d7a423a84f3f0a
-MISC ChangeLog 843 SHA256 f48cc364c8b25ddd5d49505e678c2863f9d43306ecbd488003612bbe4017f87c SHA512 8614669e5a1a47e96a6f50c28e3e7a5fa408fdfc9918fd8332719040db992322cb7fbd80fca92a4ddf15eb1745885611ac9ac919bc3bb74832cd7b2562958c96 WHIRLPOOL ca4fb96a1741b15fc936ffd568aa9936af4966e5829caa82318ff441f308f111a8b79e1167a81e95b7841d18e7079bb2fcae9abf0327b21be8b1a1bff408331c
+EBUILD nova-2012.2.3-r1.ebuild 2003 SHA256 94a9c990ed979c364c64b92f16e6055bf1c3741e87742ac4c00e5382cac3af33 SHA512 2a6bcc17a21d41a2eceadd546be6953eaa711b2226173bb9d739395f41452e23f1297b7aa4a464c955cb01c1ed2bc755ee7ed0f00947f00716bdcc0bcd9f15f4 WHIRLPOOL 509d3df0a224b04f4a33765c2bd93890069043f064d4c7ef409e490c299768641e490bad28fd6737a056a849e5fe87a403e7fb02fa0fbc1b223833c8b3ffd6a5
+MISC ChangeLog 1089 SHA256 b7afd75fe163543ca2de7b48e5fd80dc1495100ffd8c0652a75427f3a7dfcf19 SHA512 a1f656d9b83dae4d8ff027001ca2fe34360d5db32793d0418f65d1dcd7818cf75df60df3315dd93eecedd2a98bdfa5607bff17e47d7f9c8d0bf59b1ad36ec695 WHIRLPOOL f83cb5bda66b55585e3653c29bcdf99773983f19ccec6fb310c9a6286ec18599176287fe9f97c13120237a6e05665b37c187c76edb4a2bb3294114635e98360e
MISC metadata.xml 407 SHA256 87ac581ad3af018ee16b2c5a8dbc98553ad93fc48bf5cfd62a6f929353049e77 SHA512 4ae00a6fc5411c1795249864317143787b31cb068fb1508f8a1455fd6194254961cca80256e0b437dc131560126cdf5a59d98a5a5064ac49c6e43c1651718a4a WHIRLPOOL 52b178c072593baea26fa3d7e9c06aac003d1a828ffa98de712306f60eeddba92271bc6061d7224a76ac35fa3c1da33213983e998160acf92a6d7027b284bcc0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-iQIcBAEBCAAGBQJRJGLYAAoJECRx6z5ArFrDBC8P/Ahxvqa3N0BRjrysvyzhLRHS
-+7H2IeB9pYOKFjYIyoCaCN+A16yRgDfyIP1olqs+MMoIuREpYLSfBfkyIEUaG5gL
-omGb3Z5UklQ+qDNOUy2hh0iemOKCqjOGIGm+oPrfn9i9HO0SxbEFH1WFXoOmdUqr
-xiHsOKDTHBajWhOMFHvvfTMAiNHRCHBw7BnTg0fZhdoB466tWCRaWZujt7iE/U8i
-UZIIMyCglX3SAwhRg9U0/Yh8hTZ5+TsLs3+R4KNwi/VTG8ruMaB5FiEwILALS7Yl
-5G5CEa430RMq5SWwJNT2ooDL969zvvmGW5HwC6cIHXAHmIYmJzgd5yS/vCVceleT
-ZNwvZ1L4kZ/p/3br7TP8AW7HLT95U1e2nVfeUpxh/lY1NLFqB8kcfRuTLJVfOJFk
-J/Vxek1Eu1ryCacCkKob/n3+p5CijF4tv/BCJNCkmdhmhvKr8WMBnUSWm6NGTUND
-qQnZv3swm9CdcUsDErDU3sGYMO9R5zJBZkEJ/VYen781Vu2j7djYtZc+vrYFto1W
-T9EG8cKWQLoq1e0VQrgP81T+SjfgEnMUYKunUpDpKmGa1+yh4QvqvgvyZz5bfyAF
-MpjdNejiwovKDwKwg9AWopW9YnIJfdITG+/0GO3s+YcWxYm49VFy6LD6v9evKOwc
-6NeWxQHg26X3YDtkV7QV
-=0vaC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+=Bc1e
-----END PGP SIGNATURE-----
diff --git a/sys-cluster/nova/files/nova-folsom-3-CVE-2013-0335.patch b/sys-cluster/nova/files/nova-folsom-3-CVE-2013-0335.patch
new file mode 100644
index 000000000000..813fd3e2ba03
--- /dev/null
+++ b/sys-cluster/nova/files/nova-folsom-3-CVE-2013-0335.patch
@@ -0,0 +1,410 @@
+From 05a3374992bc8ba53ddc9c491b51c4b59eed0a72 Mon Sep 17 00:00:00 2001
+From: John Herndon <john.herndon@hp.com>
+Date: Fri, 22 Feb 2013 20:43:58 +0000
+Subject: [PATCH] VNC Token Validation
+
+Force console auth service to flush all tokens
+associated with an instance when it is deleted.
+This will fix a bug where the console for the
+wrong instance can be connected to via the console
+if the correct circumstances occur. This change also
+makes a call to veriry vnc console tokens when a
+user attempts to connect to a console. This ensures
+the user is connecting to the correct console.
+
+bug 1125378
+Change-Id: I0d83ec6c4dbfef1af912a200ee15f8052f72da96
+---
+ nova/common/memorycache.py | 5 +++
+ nova/compute/api.py | 3 +-
+ nova/compute/manager.py | 12 ++++++
+ nova/compute/rpcapi.py | 7 ++++
+ nova/consoleauth/manager.py | 41 +++++++++++++++++-
+ nova/consoleauth/rpcapi.py | 10 ++++-
+ nova/tests/compute/test_compute.py | 52 ++++++++++++++++++++++-
+ nova/tests/compute/test_rpcapi.py | 5 +++
+ nova/tests/consoleauth/test_consoleauth.py | 67 +++++++++++++++++++++++++++++-
+ nova/tests/consoleauth/test_rpcapi.py | 6 ++-
+ 10 files changed, 200 insertions(+), 8 deletions(-)
+
+diff --git a/nova/common/memorycache.py b/nova/common/memorycache.py
+index 502f833..3a1935e 100644
+--- a/nova/common/memorycache.py
++++ b/nova/common/memorycache.py
+@@ -62,3 +62,8 @@ class Client(object):
+ new_value = int(value) + delta
+ self.cache[key] = (self.cache[key][0], str(new_value))
+ return new_value
++
++ def delete(self, key, time=0):
++ """Deletes the value associated with a key."""
++ if key in self.cache:
++ del self.cache[key]
+diff --git a/nova/compute/api.py b/nova/compute/api.py
+index df7b215..3860226 100644
+--- a/nova/compute/api.py
++++ b/nova/compute/api.py
+@@ -1853,7 +1853,8 @@ class API(base.Base):
+
+ self.consoleauth_rpcapi.authorize_console(context,
+ connect_info['token'], console_type, connect_info['host'],
+- connect_info['port'], connect_info['internal_access_path'])
++ connect_info['port'], connect_info['internal_access_path'],
++ instance["uuid"])
+
+ return {'url': connect_info['access_url']}
+
+diff --git a/nova/compute/manager.py b/nova/compute/manager.py
+index 90de5a4..5b0d1ea 100644
+--- a/nova/compute/manager.py
++++ b/nova/compute/manager.py
+@@ -52,6 +52,7 @@ from nova.compute import rpcapi as compute_rpcapi
+ from nova.compute import task_states
+ from nova.compute import utils as compute_utils
+ from nova.compute import vm_states
++from nova import consoleauth
+ import nova.context
+ from nova import exception
+ from nova import flags
+@@ -235,6 +236,7 @@ class ComputeManager(manager.SchedulerDependentManager):
+ self.compute_api = compute.API()
+ self.compute_rpcapi = compute_rpcapi.ComputeAPI()
+ self.scheduler_rpcapi = scheduler_rpcapi.SchedulerAPI()
++ self.consoleauth_rpcapi = consoleauth.rpcapi.ConsoleAuthAPI()
+
+ super(ComputeManager, self).__init__(service_name="compute",
+ *args, **kwargs)
+@@ -926,6 +928,10 @@ class ComputeManager(manager.SchedulerDependentManager):
+ self._notify_about_instance_usage(context, instance, "delete.end",
+ system_metadata=system_meta)
+
++ if FLAGS.vnc_enabled:
++ self.consoleauth_rpcapi.delete_tokens_for_instance(context,
++ instance["uuid"])
++
+ @exception.wrap_exception(notifier=notifier, publisher_id=publisher_id())
+ @wrap_instance_fault
+ def terminate_instance(self, context, instance):
+@@ -1989,6 +1995,12 @@ class ComputeManager(manager.SchedulerDependentManager):
+ return connection_info
+
+ @exception.wrap_exception(notifier=notifier, publisher_id=publisher_id())
++ @wrap_instance_fault
++ def validate_console_port(self, ctxt, instance, port, console_type):
++ console_info = self.driver.get_vnc_console(instance)
++ return console_info['port'] == port
++
++ @exception.wrap_exception(notifier=notifier, publisher_id=publisher_id())
+ @reverts_task_state
+ @wrap_instance_fault
+ def reserve_block_device_name(self, context, instance, device):
+diff --git a/nova/compute/rpcapi.py b/nova/compute/rpcapi.py
+index 2e3873c..afec290 100644
+--- a/nova/compute/rpcapi.py
++++ b/nova/compute/rpcapi.py
+@@ -259,6 +259,13 @@ class ComputeAPI(nova.openstack.common.rpc.proxy.RpcProxy):
+ instance=instance_p, console_type=console_type),
+ topic=_compute_topic(self.topic, ctxt, None, instance))
+
++ def validate_console_port(self, ctxt, instance, port, console_type):
++ instance_p = jsonutils.to_primitive(instance)
++ return self.call(ctxt, self.make_msg('validate_console_port',
++ instance=instance_p, port=port, console_type=console_type),
++ topic=_compute_topic(self.topic, ctxt,
++ None, instance))
++
+ def host_maintenance_mode(self, ctxt, host_param, mode, host):
+ '''Set host maintenance mode
+
+diff --git a/nova/consoleauth/manager.py b/nova/consoleauth/manager.py
+index 61efdd0..e715f98 100644
+--- a/nova/consoleauth/manager.py
++++ b/nova/consoleauth/manager.py
+@@ -20,6 +20,8 @@
+
+ import time
+
++from nova.compute import rpcapi as compute_rpcapi
++from nova.db import api as db
+ from nova import flags
+ from nova import manager
+ from nova.openstack.common import cfg
+@@ -56,10 +58,21 @@ class ConsoleAuthManager(manager.Manager):
+ from nova.common import memorycache as memcache
+ self.mc = memcache.Client(FLAGS.memcached_servers,
+ debug=0)
++ self.compute_rpcapi = compute_rpcapi.ComputeAPI()
++
++ def _get_tokens_for_instance(self, instance_uuid):
++ tokens_str = self.mc.get(instance_uuid.encode('UTF-8'))
++ if not tokens_str:
++ tokens = []
++ else:
++ tokens = jsonutils.loads(tokens_str)
++ return tokens
+
+ def authorize_console(self, context, token, console_type, host, port,
+- internal_access_path):
++ internal_access_path, instance_uuid=None):
++
+ token_dict = {'token': token,
++ 'instance_uuid': instance_uuid,
+ 'console_type': console_type,
+ 'host': host,
+ 'port': port,
+@@ -67,11 +80,35 @@ class ConsoleAuthManager(manager.Manager):
+ 'last_activity_at': time.time()}
+ data = jsonutils.dumps(token_dict)
+ self.mc.set(token.encode('UTF-8'), data, FLAGS.console_token_ttl)
++ if instance_uuid is not None:
++ tokens = self._get_tokens_for_instance(instance_uuid)
++ tokens.append(token)
++ self.mc.set(instance_uuid.encode('UTF-8'),
++ jsonutils.dumps(tokens))
++
+ LOG.audit(_("Received Token: %(token)s, %(token_dict)s)"), locals())
+
++ def _validate_token(self, context, token):
++ instance_uuid = token['instance_uuid']
++ if instance_uuid is None:
++ return False
++ instance = db.instance_get_by_uuid(context, instance_uuid)
++ return self.compute_rpcapi.validate_console_port(context,
++ instance,
++ token['port'],
++ token['console_type'])
++
+ def check_token(self, context, token):
+ token_str = self.mc.get(token.encode('UTF-8'))
+ token_valid = (token_str is not None)
+ LOG.audit(_("Checking Token: %(token)s, %(token_valid)s)"), locals())
+ if token_valid:
+- return jsonutils.loads(token_str)
++ token = jsonutils.loads(token_str)
++ if self._validate_token(context, token):
++ return token
++
++ def delete_tokens_for_instance(self, context, instance_uuid):
++ tokens = self._get_tokens_for_instance(instance_uuid)
++ for token in tokens:
++ self.mc.delete(token)
++ self.mc.delete(instance_uuid.encode('UTF-8'))
+diff --git a/nova/consoleauth/rpcapi.py b/nova/consoleauth/rpcapi.py
+index 2fafe3f..b3b34c1 100644
+--- a/nova/consoleauth/rpcapi.py
++++ b/nova/consoleauth/rpcapi.py
+@@ -49,14 +49,20 @@ class ConsoleAuthAPI(nova.openstack.common.rpc.proxy.RpcProxy):
+ default_version=self.BASE_RPC_API_VERSION)
+
+ def authorize_console(self, ctxt, token, console_type, host, port,
+- internal_access_path):
++ internal_access_path, instance_uuid=None):
+ # The remote side doesn't return anything, but we want to block
+ # until it completes.
+ return self.call(ctxt,
+ self.make_msg('authorize_console',
+ token=token, console_type=console_type,
+ host=host, port=port,
+- internal_access_path=internal_access_path))
++ internal_access_path=internal_access_path,
++ instance_uuid=instance_uuid))
+
+ def check_token(self, ctxt, token):
+ return self.call(ctxt, self.make_msg('check_token', token=token))
++
++ def delete_tokens_for_instance(self, ctxt, instance_uuid):
++ return self.call(ctxt,
++ self.make_msg('delete_tokens_for_instance',
++ instance_uuid=instance_uuid))
+diff --git a/nova/tests/compute/test_compute.py b/nova/tests/compute/test_compute.py
+index 10b89fd..b745798 100644
+--- a/nova/tests/compute/test_compute.py
++++ b/nova/tests/compute/test_compute.py
+@@ -1372,6 +1372,24 @@ class ComputeTestCase(BaseTestCase):
+ self.compute._delete_instance(self.context,
+ instance=jsonutils.to_primitive(instance))
+
++ def test_delete_instance_deletes_console_auth_tokens(self):
++ instance = self._create_fake_instance()
++ self.flags(vnc_enabled=True)
++
++ self.tokens_deleted = False
++
++ def fake_delete_tokens(*args, **kwargs):
++ self.tokens_deleted = True
++
++ cauth_rpcapi = self.compute.consoleauth_rpcapi
++ self.stubs.Set(cauth_rpcapi, 'delete_tokens_for_instance',
++ fake_delete_tokens)
++
++ self.compute._delete_instance(self.context,
++ instance=jsonutils.to_primitive(instance))
++
++ self.assertTrue(self.tokens_deleted)
++
+ def test_instance_termination_exception_sets_error(self):
+ """Test that we handle InstanceTerminationFailure
+ which is propagated up from the underlying driver.
+@@ -4505,7 +4523,9 @@ class ComputeAPITestCase(BaseTestCase):
+ 'console_type': fake_console_type,
+ 'host': 'fake_console_host',
+ 'port': 'fake_console_port',
+- 'internal_access_path': 'fake_access_path'}
++ 'internal_access_path': 'fake_access_path',
++ 'instance_uuid': fake_instance["uuid"]}
++
+ fake_connect_info2 = copy.deepcopy(fake_connect_info)
+ fake_connect_info2['access_url'] = 'fake_console_url'
+
+@@ -4539,6 +4559,36 @@ class ComputeAPITestCase(BaseTestCase):
+
+ db.instance_destroy(self.context, instance['uuid'])
+
++ def test_validate_console_port(self):
++ self.flags(vnc_enabled=True)
++ instance = jsonutils.to_primitive(self._create_fake_instance())
++
++ def fake_driver_get_console(*args, **kwargs):
++ return {'host': "fake_host", 'port': "5900",
++ 'internal_access_path': None}
++ self.stubs.Set(self.compute.driver, "get_vnc_console",
++ fake_driver_get_console)
++
++ self.assertTrue(self.compute.validate_console_port(self.context,
++ instance,
++ "5900",
++ "novnc"))
++
++ def test_validate_console_port_wrong_port(self):
++ self.flags(vnc_enabled=True)
++ instance = jsonutils.to_primitive(self._create_fake_instance())
++
++ def fake_driver_get_console(*args, **kwargs):
++ return {'host': "fake_host", 'port': "5900",
++ 'internal_access_path': None}
++ self.stubs.Set(self.compute.driver, "get_vnc_console",
++ fake_driver_get_console)
++
++ self.assertFalse(self.compute.validate_console_port(self.context,
++ instance,
++ "wrongport",
++ "novnc"))
++
+ def test_console_output(self):
+ fake_instance = {'uuid': 'fake_uuid',
+ 'host': 'fake_compute_host'}
+diff --git a/nova/tests/compute/test_rpcapi.py b/nova/tests/compute/test_rpcapi.py
+index 559a56a..c42047b 100644
+--- a/nova/tests/compute/test_rpcapi.py
++++ b/nova/tests/compute/test_rpcapi.py
+@@ -168,6 +168,11 @@ class ComputeRpcAPITestCase(test.TestCase):
+ self._test_compute_api('get_vnc_console', 'call',
+ instance=self.fake_instance, console_type='type')
+
++ def test_validate_console_port(self):
++ self._test_compute_api('validate_console_port', 'call',
++ instance=self.fake_instance, port="5900",
++ console_type="novnc")
++
+ def test_host_maintenance_mode(self):
+ self._test_compute_api('host_maintenance_mode', 'call',
+ host_param='param', mode='mode', host='host')
+diff --git a/nova/tests/consoleauth/test_consoleauth.py b/nova/tests/consoleauth/test_consoleauth.py
+index da50eb8..4bea85a 100644
+--- a/nova/tests/consoleauth/test_consoleauth.py
++++ b/nova/tests/consoleauth/test_consoleauth.py
+@@ -45,8 +45,73 @@ class ConsoleauthTestCase(test.TestCase):
+ """Test that tokens expire correctly."""
+ token = 'mytok'
+ self.flags(console_token_ttl=1)
++
++ def fake_validate_token(*args, **kwargs):
++ return True
++ self.stubs.Set(self.manager,
++ "_validate_token",
++ fake_validate_token)
++
+ self.manager.authorize_console(self.context, token, 'novnc',
+- '127.0.0.1', 'host', '')
++ '127.0.0.1', '8080', 'host', "1234")
+ self.assertTrue(self.manager.check_token(self.context, token))
+ time.sleep(1.1)
+ self.assertFalse(self.manager.check_token(self.context, token))
++
++ def test_multiple_tokens_for_instance(self):
++ tokens = ["token" + str(i) for i in xrange(10)]
++ instance = "12345"
++
++ def fake_validate_token(*args, **kwargs):
++ return True
++
++ self.stubs.Set(self.manager, "_validate_token",
++ fake_validate_token)
++ for token in tokens:
++ self.manager.authorize_console(self.context, token, 'novnc',
++ '127.0.0.1', '8080', 'host',
++ instance)
++
++ for token in tokens:
++ self.assertTrue(self.manager.check_token(self.context, token))
++
++ def test_delete_tokens_for_instance(self):
++ instance = "12345"
++ tokens = ["token" + str(i) for i in xrange(10)]
++
++ def fake_validate_token(*args, **kwargs):
++ return True
++ self.stubs.Set(self.manager, "_validate_token",
++ fake_validate_token)
++
++ for token in tokens:
++ self.manager.authorize_console(self.context, token, 'novnc',
++ '127.0.0.1', '8080', 'host',
++ instance)
++ self.manager.delete_tokens_for_instance(self.context, instance)
++ stored_tokens = self.manager._get_tokens_for_instance(instance)
++
++ self.assertEqual(len(stored_tokens), 0)
++
++ for token in tokens:
++ self.assertFalse(self.manager.check_token(self.context, token))
++
++ def test_wrong_token_has_port(self):
++ token = 'mytok'
++
++ def fake_validate_token(*args, **kwargs):
++ return False
++
++ self.stubs.Set(self.manager, "_validate_token",
++ fake_validate_token)
++
++ self.manager.authorize_console(self.context, token, 'novnc',
++ '127.0.0.1', '8080', 'host',
++ instance_uuid='instance')
++ self.assertFalse(self.manager.check_token(self.context, token))
++
++ def test_console_no_instance_uuid(self):
++ self.manager.authorize_console(self.context, "token", 'novnc',
++ '127.0.0.1', '8080', 'host',
++ instance_uuid=None)
++ self.assertFalse(self.manager.check_token(self.context, "token"))
+diff --git a/nova/tests/consoleauth/test_rpcapi.py b/nova/tests/consoleauth/test_rpcapi.py
+index 10484c7..c1e7a46 100644
+--- a/nova/tests/consoleauth/test_rpcapi.py
++++ b/nova/tests/consoleauth/test_rpcapi.py
+@@ -68,7 +68,11 @@ class ConsoleAuthRpcAPITestCase(test.TestCase):
+ def test_authorize_console(self):
+ self._test_consoleauth_api('authorize_console', token='token',
+ console_type='ctype', host='h', port='p',
+- internal_access_path='iap')
++ internal_access_path='iap', instance_uuid="1234")
+
+ def test_check_token(self):
+ self._test_consoleauth_api('check_token', token='t')
++
++ def test_delete_tokens_for_instnace(self):
++ self._test_consoleauth_api('delete_tokens_for_instance',
++ instance_uuid="instance")
+--
+1.7.12.4
+
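Review bot: In the embedded nova patch, `delete_tokens_for_instance` in nova/consoleauth/manager.py calls `self.mc.delete(token)` on the value as loaded from JSON, while `authorize_console` stores each token under `token.encode('UTF-8')`. The delete should use the same key form, `self.mc.delete(token.encode('UTF-8'))`, because a cache client that rejects or mis-keys unicode strings would presumably leave the tokens live after the instance is deleted, which is the case this fix targets. The per-instance list is also written with `self.mc.set(instance_uuid.encode('UTF-8'), jsonutils.dumps(tokens))`, with no TTL and through an unlocked read-append-write, so expired tokens accumulate and two concurrent `authorize_console` calls can drop a token from the list. A comment on `_get_tokens_for_instance` should say the list is best-effort and that `_validate_token` is the authoritative check. Separately, `validate_console_port` accepts `console_type` but always calls `self.driver.get_vnc_console(instance)` and compares `console_info['port'] == port` without normalising types, so a docstring stating the expected port type and that only VNC is validated would help.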
diff --git a/sys-cluster/nova/nova-2012.2.2-r1.ebuild b/sys-cluster/nova/nova-2012.2.2-r1.ebuild
deleted file mode 100644
index 246843f58a50..000000000000
--- a/sys-cluster/nova/nova-2012.2.2-r1.ebuild
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2012.2.2-r1.ebuild,v 1.2 2013/02/20 06:13:35 prometheanfire Exp $
-
-EAPI=5
-PYTHON_COMPAT=( python2_5 python2_6 python2_7 )
-
-inherit distutils-r1
-
-DESCRIPTION="Nova is a cloud computing fabric controller (main part of an
-IaaS system). It is written in Python."
-HOMEPAGE="https://launchpad.net/nova"
-SRC_URI="http://launchpad.net/${PN}/folsom/${PV}/+download/${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE=""
-
-DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]"
-
-RDEPEND="=dev-python/amqplib-0.6.1
- >=dev-python/anyjson-0.2.4
- >=dev-python/sqlalchemy-0.7.8
- <=dev-python/sqlalchemy-0.7.9
- =dev-python/boto-2.1.1
- >=dev-python/eventlet-0.9.17
- =dev-python/kombu-1.0.4
- =dev-python/routes-1.12.3
- =dev-python/webob-1.0.8
- >=dev-python/greenlet-0.3.1
- =dev-python/pastedeploy-1.5.0
- dev-python/paste
- >=dev-python/sqlalchemy-migrate-0.7.2
- dev-python/netaddr
- =dev-python/suds-0.4
- dev-python/paramiko
- >=dev-python/Babel-0.9.6
- >=dev-python/iso8601-0.1.4
- dev-python/httplib2
- >=dev-python/setuptools-git-0.4
- >=dev-python/python-glanceclient-0.5.0
- <dev-python/python-glanceclient-2
- >=dev-python/python-quantumclient-2.1"
-
-PATCHES=( "${FILESDIR}/nova-folsom-CVE-2013-1664.patch" )
-
-python_install() {
- distutils-r1_python_install
- keepdir /etc/nova
- insinto /etc/nova
-
- newins "etc/nova/nova.conf.sample" "nova.conf"
- newins "etc/nova/api-paste.ini" "api-paste.ini"
- newins "etc/nova/logging_sample.conf" "logging_sample.conf"
- newins "etc/nova/policy.json" "policy.json"
- newins "etc/nova/rootwrap.conf" "rootwrap.conf"
- insinto /etc/nova/rootwrap.d
- doins "etc/nova/rootwrap.d/api-metadata.filters"
- doins "etc/nova/rootwrap.d/compute.filters"
- doins "etc/nova/rootwrap.d/network.filters"
- doins "etc/nova/rootwrap.d/volume.filters"
-}
diff --git a/sys-cluster/nova/nova-2012.2.3.ebuild b/sys-cluster/nova/nova-2012.2.3-r1.ebuild
index 35387aa58f6f..1addf2883bf6 100644
--- a/sys-cluster/nova/nova-2012.2.3.ebuild
+++ b/sys-cluster/nova/nova-2012.2.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2012.2.3.ebuild,v 1.2 2013/02/20 06:13:35 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2012.2.3-r1.ebuild,v 1.1 2013/02/26 21:44:05 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_5 python2_6 python2_7 )
@@ -43,7 +43,10 @@ RDEPEND="=dev-python/amqplib-0.6.1
<dev-python/python-glanceclient-2
>=dev-python/python-quantumclient-2.1"
-PATCHES=( "${FILESDIR}/nova-folsom-CVE-2013-1664.patch" )
+PATCHES=(
+ "${FILESDIR}/nova-folsom-CVE-2013-1664.patch"
+ "${FILESDIR}/nova-folsom-3-CVE-2013-0335.patch"
+)
python_install() {
distutils-r1_python_install