Comment 39 for bug 1664931

Jeremy Stanley (fungi) wrote : Re: nova rebuild ignores all image properties and scheduler filters

Here's an updated impact description to cover latest releases and EOLs in the time since comment #13 (the lowest affected release may need altering if we follow Tony's recommendation to have a 14.0.9 without the fix and then tag 14.0.10 with it):

---

Title: Nova Filter Scheduler bypass through rebuild action
Reporter: George Shuklin (servers.com)
Products: Nova
Affects: <=14.0.8, >=15.0.0 <=15.0.7, >=16.0.0 <=16.0.2

George Shuklin from servers.com reported a vulnerability in Nova. By rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler, bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setups using Nova Filter Scheduler are affected.

---

If I send a pre-OSSA to our downstream stakeholders today we *could* schedule the public advisory for this Thursday (November 2), but I'm concerned that we have limited VMT coverage to handle publication that day due to some of us traveling to Sydney for the OpenStack Summit, and have further concerns that the Nova team may have trouble finding someone to shepherd the patches through Gerrit in a timely fashion, as well as stable release management to approve subsequent point release requests. And then there's the problem that many of the staff from organizations impacted by this could fail to notice the advisory on Thursday for the same reasons.

At this point I'm leaning toward notifying downstreams via pre-OSSA this week but scheduling publication for Tuesday November 14 (first non-Monday business day after the Summit week) when more people will be around to help and to notice the advisory. I need to know, however, how much of a pain it is to delay Newton EOL for two weeks without being able to publicly say why.

An alternative is to declare that the criticality/impact of this bug is minimal enough to switch to our public disclosure workflow today so we can send an advisory earlier this week... opinions?