Version in base suite: 2020.12-5+deb11u1
Base version: lava_2020.12-5+deb11u1
Target version: lava_2020.12-5+deb11u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lava/lava_2020.12-5+deb11u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lava/lava_2020.12-5+deb11u2.dsc
 changelog | 9 +
 patches/0005-Use-defusedxml-for-XMLRPC-to-prevent-DoS-attacks.patch | 82 ++++++++++
 patches/series | 1
 tests/testsuite | 5
 4 files changed, 96 insertions(+), 1 deletion(-)
diff -Nru lava-2020.12/debian/changelog lava-2020.12/debian/changelog
--- lava-2020.12/debian/changelog 2022-10-18 20:24:50.000000000 +0000
+++ lava-2020.12/debian/changelog 2023-01-11 18:08:56.000000000 +0000
@@ -1,3 +1,12 @@
+lava (2020.12-5+deb11u2) bullseye-security; urgency=high
+
+ * Prevent Recursive XML entity expansion [CVE-2022-44641] (Closes: #1024429)
+ * debian/tests/testsuite: ignore tests/lava_dispatcher/test_compression.py
+ and tests/lava_dispatcher/test_defs.py. They both fail on bullseye, but
+ pass on bookworm.
+
+ -- Antonio Terceiro Wed, 11 Jan 2023 15:08:56 -0300
+
 lava (2020.12-5+deb11u1) bullseye-security; urgency=high
 * Fix remote code execution [CVE-2022-42902] (Closes: #1021737)
diff -Nru lava-2020.12/debian/patches/0005-Use-defusedxml-for-XMLRPC-to-prevent-DoS-attacks.patch lava-2020.12/debian/patches/0005-Use-defusedxml-for-XMLRPC-to-prevent-DoS-attacks.patch
--- lava-2020.12/debian/patches/0005-Use-defusedxml-for-XMLRPC-to-prevent-DoS-attacks.patch 1970-01-01 00:00:00.000000000 +0000
+++ lava-2020.12/debian/patches/0005-Use-defusedxml-for-XMLRPC-to-prevent-DoS-attacks.patch 2023-01-11 17:55:25.000000000 +0000
@@ -0,0 +1,82 @@
+From 1bee0f8957741582c2bed800974f31439c6f3ff5 Mon Sep 17 00:00:00 2001
+From: Igor Ponomarev
+Date: Wed, 19 Oct 2022 16:45:42 +0300
+Subject: [PATCH] Use `defusedxml` for XMLRPC to prevent DoS attacks
+
+`defusedxml` is a patched XML python library that fixes many issues
+with the standard library XML and prevents attacks such as
+Billion laughs attack.
+
+https://en.wikipedia.org/wiki/Billion_laughs_attack
+
+`defusedxml` provides a `defusedxml.xmlrpc.monkey_patch` call
+which will patch the `xmlrpc` standard library module with the
+safe XML decoders.
+
+This patch enables XML protections once a Dispatcher class is
+initiated. The Dispatcher is the one that uses the
+`xmlrpc.client.loads` call to parse XML from the HTTP call.
+---
+ docker/lava-server-base/Dockerfile | 2 +-
+ linaro_django_xmlrpc/models.py | 3 +++
+ share/requirements/debian/bullseye.yaml | 2 ++
+ share/requirements/debian/buster.yaml | 2 ++
+ share/requirements/debian/unstable.yaml | 2 ++
+ 5 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/docker/lava-server-base/Dockerfile
++++ b/docker/lava-server-base/Dockerfile
+@@ -11,7 +11,7 @@ RUN echo 'deb http://deb.debian.org/debi
+ apt-get update -q && \
+ apt-get install --no-install-recommends --yes apache2 gunicorn3 postgresql postgresql-client postgresql-common python3-setuptools && \
+ apt-get install --no-install-recommends --yes python3-voluptuous python3-yaml && \
+- apt-get install --no-install-recommends --yes python3-aiohttp python3-celery python3-django python3-django-auth-ldap python3-django-filters python3-django-tables2 python3-djangorestframework python3-djangorestframework-extensions python3-djangorestframework-filters python3-docutils python3-eventlet python3-jinja2 python3-junit.xml python3-psycopg2 python3-requests python3-simplejson python3-tap python3-tz python3-voluptuous python3-whitenoise python3-yaml python3-zmq && \
++ apt-get install --no-install-recommends --yes python3-aiohttp python3-celery python3-defusedxml python3-django python3-django-auth-ldap python3-django-filters python3-django-tables2 python3-djangorestframework python3-djangorestframework-extensions python3-djangorestframework-filters python3-docutils python3-eventlet python3-jinja2 python3-junit.xml python3-psycopg2 python3-requests python3-simplejson python3-tap python3-tz python3-voluptuous python3-whitenoise python3-yaml python3-zmq && \
+ apt-get install --no-install-recommends --yes python3-pip && \
+ python3 -m pip install sentry-sdk==0.17.2 && \
+ find /usr/lib/python3/dist-packages/ -name '__pycache__' -type d -exec rm -r "{}" + && \
+--- a/linaro_django_xmlrpc/models.py
++++ b/linaro_django_xmlrpc/models.py
+@@ -374,6 +374,9 @@ class Dispatcher:
+ # logging output goes to lava-server.log
+ logging.basicConfig()
+ self.logger = logging.getLogger("linaro-django-xmlrpc-dispatcher")
++ from defusedxml.xmlrpc import monkey_patch
++
++ monkey_patch()
+
+ def decode_request(self, data):
+ """
+--- a/share/requirements/debian/bullseye.yaml
++++ b/share/requirements/debian/bullseye.yaml
+@@ -13,6 +13,8 @@ lava-server:
+ name: python3-django-auth-ldap
+ PyYAML:
+ name: python3-yaml
++ defusedxml:
++ name: python3-defusedxml
+ django-filter:
+ name: python3-django-filters
+ django-tables2:
+--- a/share/requirements/debian/buster.yaml
++++ b/share/requirements/debian/buster.yaml
+@@ -13,6 +13,8 @@ lava-server:
+ name: python3-django-auth-ldap
+ PyYAML:
+ name: python3-yaml
++ defusedxml:
++ name: python3-defusedxml
+ django-filter:
+ name: python3-django-filters
+ django-tables2:
+--- a/share/requirements/debian/unstable.yaml
++++ b/share/requirements/debian/unstable.yaml
+@@ -13,6 +13,8 @@ lava-server:
+ name: python3-django-auth-ldap
+ PyYAML:
+ name: python3-yaml
++ defusedxml:
++ name: python3-defusedxml
+ django-filter:
+ name: python3-django-filters
+ django-tables2:
diff -Nru lava-2020.12/debian/patches/series lava-2020.12/debian/patches/series
--- lava-2020.12/debian/patches/series
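Review bot: In the linaro_django_xmlrpc/models.py hunk, `monkey_patch()` runs inside `Dispatcher.__init__`, so the process-wide `xmlrpc.client` parser is only replaced once the first Dispatcher is constructed and is re-applied on every later instantiation; any `xmlrpc.client.loads` call reached before that point still uses the unhardened expat parser. Placing `from defusedxml.xmlrpc import monkey_patch` and `monkey_patch()` at module level of models.py, next to the `logging` import the hunk's `logging.basicConfig()` implies, hardens at import time and exactly once. The lazy import also means a missing python3-defusedxml only surfaces as an ImportError when a request is dispatched; the debdiff adds the package to share/requirements/debian/*.yaml and the Dockerfile but shows no debian/control change, so unless Depends is generated from those yaml files (the name of patch 0004 suggests share/requires.py is involved) the runtime dependency should be confirmed. No regression test feeding `decode_request` an entity-expanding document accompanies the fix. The `__init__` method starts outside the hunk.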
2022-10-18 20:24:50.000000000 +0000
+++ lava-2020.12/debian/patches/series 2023-01-11 17:59:32.000000000 +0000
@@ -2,3 +2,4 @@
 0002-lava_common.compat-add-support-for-PyYAML-5.4.patch
 0003-Replace-dynamic-code-execution-in-lava_server-lavata.patch
 0004-share-requires.py-fix-building-for-debian-backports-.patch
+0005-Use-defusedxml-for-XMLRPC-to-prevent-DoS-attacks.patch
diff -Nru lava-2020.12/debian/tests/testsuite lava-2020.12/debian/tests/testsuite
--- lava-2020.12/debian/tests/testsuite 2021-05-24 12:05:18.000000000 +0000
+++ lava-2020.12/debian/tests/testsuite 2023-01-11 18:08:56.000000000 +0000
@@ -17,4 +17,7 @@
 export LAVA_STATE_DIR=${TESTDIR}/tmp
 cp -r pytest.ini etc/ tests/ "${TESTDIR}"
 cd "${TESTDIR}"
-python3 -m pytest "$@"
+python3 -m pytest \
+ --ignore=tests/lava_dispatcher/test_compression.py \
+ --ignore=tests/lava_dispatcher/test_defs.py \
+ "$@"
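Review bot: The two `--ignore=` options added to debian/tests/testsuite disable tests with no reason recorded in the script itself; the rationale lives only in the changelog entry and is easy to lose the next time the script is edited. A comment above the pytest invocation would keep it with the code: `# test_compression.py and test_defs.py fail on bullseye but pass on bookworm (see changelog 2020.12-5+deb11u2)`. A `# TODO` to drop the ignores once the bullseye failures are understood would also keep them from becoming permanent.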