Comment 23 for bug 1545092

Brian Rosmaita (brian-rosmaita) wrote :

Just want to clarify what I said about the DefCore tempest test (way up top in the bug report). In addition to creating an image record, it does upload a small amount of "data", too.

I think it's OK to make this public, though I'm just speaking for myself here. We should definitely confirm with the Glance PTL. The mitigation to this attack is a combination of rate limiting the POST v2/images call plus vigilance on what's happening in the database.

It looks like the quota specs proposed near the end of Mitaka will not go into Newton, so an actual fix won't happen until at least the O release.
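The rate limiting half of the mitigation described above, as an added illustration that is not part of this comment and not Glance's own code. It assumes a per-project token bucket in front of the image-create call; the class name, the bucket sizes, the injectable clock and the request shape are all assumptions, and a real deployment would do this in an API gateway or WSGI middleware rather than in-process.

```python
"""Added example (not Glance code): per-project token-bucket rate limiting
for POST /v2/images, the call singled out in the comment above.

Assumptions for illustration only: the limiter lives in the request path,
the caller's project id is already authenticated, and the rate/burst
numbers below are placeholders, not a recommendation for any deployment.
"""
import threading
import time


class ImageCreateLimiter:
    """Token bucket keyed on project id.

    Each project starts with `burst` tokens and earns `rate_per_sec` tokens
    per second up to `burst`. One image-create request costs one token.
    The clock is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.clock = clock
        self._buckets = {}  # project_id -> (tokens, last_refill_time)
        self._lock = threading.Lock()

    def allow(self, project_id):
        """Spend one token for project_id; return False if the bucket is empty."""
        now = self.clock()
        with self._lock:
            tokens, last = self._buckets.get(project_id, (self.burst, now))
            # Refill proportionally to elapsed time, capped at the burst size.
            tokens = min(self.burst, tokens + (now - last) * self.rate)
            if tokens >= 1.0:
                self._buckets[project_id] = (tokens - 1.0, now)
                return True
            self._buckets[project_id] = (tokens, now)
            return False


def handle_request(limiter, method, path, project_id):
    """Return an HTTP status for a (simplified, assumed) request.

    Only the image-create call, POST /v2/images, is throttled; other verbs
    and paths pass straight through. 429 is returned when the project's
    bucket is empty, 201 for an accepted create, 200 for everything else.
    """
    if method == "POST" and path.rstrip("/") == "/v2/images":
        if not limiter.allow(project_id):
            return 429
        return 201
    return 201 if method == "POST" else 200


class FakeClock:
    """Deterministic clock for the demo and tests (constructed, not real time)."""

    def __init__(self, start=0.0):
        self.now = float(start)

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += float(seconds)


def demo():
    """Burst of creates from one project, then wait, then try again."""
    clock = FakeClock()
    limiter = ImageCreateLimiter(rate_per_sec=1, burst=3, clock=clock)
    statuses = [handle_request(limiter, "POST", "/v2/images", "proj-a")
                for _ in range(5)]
    clock.advance(2.0)  # two seconds at 1 token/s refills two tokens
    statuses += [handle_request(limiter, "POST", "/v2/images", "proj-a")
                 for _ in range(3)]
    return statuses


if __name__ == "__main__":
    print(demo())
```

Note that the bucket is keyed on the project, not the source IP, because the concern in this bug is a single authenticated tenant creating many records; the second half of the mitigation, watching the images table for abnormal growth per owner, is a monitoring job and is not shown here.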