OpenStack Security Advisory

  1. Bug #1732976
  2. Comment #8

Comment 8 for bug 1732976

Revision history for this message
Matt Riedemann (mriedem) wrote : Re: Potential DoS by rebuilding the same instance with a new image multiple times

> since we're discussing the possible need to document an unfixable vulnerability

I wouldn't say this is unfixable. As laid out in https://etherpad.openstack.org/p/nova-rebuild-issues, Dan Smith has an alternative fix which maintains a fix for CVE-2017-16239 while solving part of the regression introduced by the original change (we need to bypass some filters). I think we can build on that change to fix the potential DoS described in *this* bug, which is the issue where the FilterScheduler will double allocations in Placement (and that fix only needs to go back to stable/pike, it's not an issue in newton or ocata).