Comment 4 for bug 1686743

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Given the public nature of the issue, I'm inclined to switch this report to public. It doesn't sound like there's much point to an embargo here unless it's possible for unprivileged users to intentionally trigger an exception (in which case the value may be leaked in Nova's service logs?).

Since a dependency upgrade mitigates the issue and it sounds like there won't be any associated Nova patches, I'm inclined to treat this as C2 in our taxonomy (a vulnerability, but not in OpenStack supported code, e.g., in a dependency, https://security.openstack.org/vmt-process.html#incident-report-taxonomy ) and recommend an OSSN letting consumers of Nova know they should upgrade to at least qemu 2.6 and libvirt 2.2 (or backport the relevant fixes to their qemu/libvirt versions). I'm subscribing the ossg-coresec team for input on this as well.