> since we're discussing the possible need to document an unfixable vulnerability
I wouldn't say this is unfixable. As laid out in https://etherpad.openstack.org/p/nova-rebuild-issues, Dan Smith has an alternative fix which maintains a fix for CVE-2017-16239 while solving part of the regression introduced by the original change (we need to bypass some filters). I think we can build on that change to fix the potential DoS described in *this* bug, which is the issue where the FilterScheduler will double allocations in Placement (and that fix only needs to go back to stable/pike, it's not an issue in newton or ocata).
> since we're discussing the possible need to document an unfixable vulnerability
I wouldn't say this is unfixable. As laid out in https:/ /etherpad. openstack. org/p/nova- rebuild- issues, Dan Smith has an alternative fix which maintains a fix for CVE-2017-16239 while solving part of the regression introduced by the original change (we need to bypass some filters). I think we can build on that change to fix the potential DoS described in *this* bug, which is the issue where the FilterScheduler will double allocations in Placement (and that fix only needs to go back to stable/pike, it's not an issue in newton or ocata).