Comment 2 for bug 1224014

Bob Ball (bob-ball) wrote :

It's not "exploitable" as such. The scenario is:

* Admin sets up a flavor to have a Trust requirement - so the instance will only boot on hosts which have been verified as trusted
* When booting, the scheduler will correctly use the TrustedFilter to identify a host which is verified
* A live migration is requested by the administrator, without specifying a target host. In this scenario the conductor task does not correctly fill the parameters expected by the scheduler to enforce any trust requirements.

In this way an administrator may inadvertently move a VM to a host that may have been compromised (or, more precisely, that has not been verified as secure).

I have not checked the behavior for existing release branches - this is related to code accepted recently during H-3.
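A simplified model of the gap described in this comment, added here as an illustration and not Nova's own code: the filter only enforces the trust requirement if the request it receives carries the flavor's extra_specs, so a migration path that omits the flavor lets every host through. The class, key and function names are assumptions.

```python
# Added illustration (not Nova's code). Names and keys are assumptions.
TRUST_KEY = "trust:trusted_host"   # assumed extra_specs key; "trusted" = required


class TrustedFilter:
    """Pass a host unless the flavor demands a trusted host that is not attested."""

    def host_passes(self, host, filter_properties):
        instance_type = filter_properties.get("instance_type") or {}
        extra_specs = instance_type.get("extra_specs") or {}
        if extra_specs.get(TRUST_KEY) != "trusted":
            return True          # no requirement visible -> every host passes
        return host.get("attested") is True


def select_hosts(hosts, filter_properties):
    """Return the names of hosts that pass the trust filter."""
    flt = TrustedFilter()
    return [h["name"] for h in hosts if flt.host_passes(h, filter_properties)]


def boot_filter_properties(flavor):
    """Boot path: the flavor, with its extra_specs, is part of the request."""
    return {"instance_type": flavor}


def migrate_filter_properties_buggy(instance):
    """Migration path as described: the flavor is not passed along, so the
    filter sees no trust requirement and lets any host through."""
    return {"instance_uuid": instance["uuid"]}


def migrate_filter_properties_fixed(instance, flavors):
    """Corrected migration path: look the flavor up and include it."""
    return {"instance_uuid": instance["uuid"],
            "instance_type": flavors[instance["flavor_id"]]}


# Constructed sample data: one attested host, one not, one trust-requiring flavor.
FLAVORS = {"m1.trusted": {"name": "m1.trusted",
                          "extra_specs": {TRUST_KEY: "trusted"}}}
HOSTS = [{"name": "host-a", "attested": True},
         {"name": "host-b", "attested": False}]
INSTANCE = {"uuid": "00000000-0000-0000-0000-000000000001",
            "flavor_id": "m1.trusted"}

if __name__ == "__main__":
    print("boot ", select_hosts(HOSTS, boot_filter_properties(FLAVORS["m1.trusted"])))
    print("buggy", select_hosts(HOSTS, migrate_filter_properties_buggy(INSTANCE)))
    print("fixed", select_hosts(HOSTS, migrate_filter_properties_fixed(INSTANCE, FLAVORS)))
```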