Comment 2 for bug 1625402

Tristan Cacqueray (tristan-cacqueray) wrote :

It seems like the task API is admin only by default, so a vulnerable deployment also needs to have changed the task_add policy. Though this is likely a legitimate resource exhaustion denial of service vulnerability.

Can defusedxml work in place to process OVF files?

I wonder if this really needs to be kept private since the issue has been discussed publicly on the #openstack-security channel ( http://eavesdrop.openstack.org/irclogs/%23openstack-security/%23openstack-security.2016-09-16.log.html#t2016-09-16T18:09:15 ).