Comment 18 for bug 1988026

Brian Haley (brian-haley) wrote:

Since I'm the Neutron maintainer that triaged and fixed this I'm a little biased, but will just repeat some of the above for clarity:

1. You must be an authenticated user of the cloud to make the request
2. This is a GET request that in essence has the effect of a POST because it creates a resource
3. The resource created does not affect the quota of the user making the request
4. The DoS vector is going to consume API and DB resources, albeit a "small" amount
5. There is no action taken by the system - no agent will be triggered to instantiate the fake
   security groups

I think if #5 was true it would warrant more cause for alarm, since something like the OVS agent doing a SG recalculation could consume more CPU resources.

The severity of the bug (critical) was more an indication that fixing it should be prioritized over other bugs for the week, especially once I realized it got around the quota limit.

So IMHO it's at most a security advisory, but am open to other maintainers' opinions.