Comment 12 for bug 1849624

Brian Rosmaita (brian-rosmaita) wrote :

OK, to move this along:

1. it looks like there is not a security fix we can issue at this time without redesigning the feature
2. the vulnerability is restricted to non-standard deployments
3. there is a workaround (the "Quick Workaround" outlined by Raphael in the Bug Description)
4. so, as of now, the mitigation is to use the workaround
5. since a patch isn't coming, we should issue an OSSN describing the vulnerability and the workaround
6. Cinder will deprecate the option referencing the OSSN
7. we can then make this bug public and continue a discussion of Walt's point that this is a legitimate use case and figure out how to address it

It would be great to have 1-6 done this week so that we can discuss this at the Forum/PTG next week so we can get an idea of how many users this affects (in the sense that they can't do the workaround, i.e., point #7).