Comment 46 for bug 1387543

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Resize/delete combo allows to overload nova-compute (CVE-2015-3241)

To sum up:

1/ Required Oslo changes:

* Ifc23325eddb523f6449ba06a2deb0885a8a7009d: "Add 2 callbacks to processutils.execute()"
-> [oslo.concurrency] merged in master/kilo/juno
-> [oslo.incubator] *in progress* in juno

* I22b2d7bde8797276f7670bc289d915dab5122481: "processutils: ensure on_completion callback is always called"
-> [oslo.concurrency] merged in master/kilo/juno

* Ica74dd6c35e6bd17eac285e2dc2900c1ff23073f: "Sync process utils from oslo for execute callbacks"
-> [nova] *in progress* for juno

2/ Requirements bump:

* I08693891b2b4c1d4c166e41b38adc6776e25d8e5: "Nova requires concurrency 2.1.0 or better"
-> [nova] merged in master, *patch needed* for kilo

3/ Actual Nova fix:

* Ie03acc00a7c904aec13c90ae6a53938d08e5e0c9: "libvirt: Kill rsync/scp processes before deleting instance"
-> [nova] merged in master, *in progress* for kilo, *patch needed* for juno

4/ What is missing:

* The priority is the oslo.incubator change ( https://review.openstack.org/208876 ).
* Once this gets in, we can update the sync ( https://review.openstack.org/209791 ).
* Seems like the nova requirements.txt oslo bump needs to be adjusted, 2.1.0 does not have the "ensure on_completion is called" fix...
* The kilo fix ( https://review.openstack.org/209856 )
* The juno fix ( should depend on the sync )

Am I missing something here?