So to recap, considering both keep-alive disabling and eventlet socket timeout, it now boils down to how effective these changes are:
* Can a single user still reserve all the resources as shown in this bug description?
* Is the default timeout proposed (900 seconds) enough to prevent trivial attacks as shown in this bug description?
Combined together these patches might warrant an embargoed advisory if they make this type of attack really more difficult,
else we should consider marking this public security and focus on good documentation (OSSN and/or security guide).
Also, for what it's worth, as long as the relationship between the client-side resources and server-side resources is a linear one, I guess we should not consider an OSSA, especially an embargoed OSSA that will make the coordination much more difficult...