As far as I can make out, the fix for CVE-2014-7821 removed a backslash
that effectively disables the negative look-ahead assertion that verifies
that hostname can't be all-digits. Worse, the new version now rejects
hostnames where a component starts with a digit.
This certainly addressed the immediate issue of "that regex was expensive",
but the change in behaviour looks like it was unintended. Given that we
backported this DoS fix to released versions of neutron, what do we want to
do about it now?
In general this regex is crazy complex for what it verifies. I can't see
any discussion of where it came from nor precisely what it was intended to
accept/reject when it was introduced in patch 16 of
If we're happy disabling the check for components being all-digits, then a
minimal change to the existing regex that could be backported might be
Alternatively (and clearly preferable for Kilo), Kevin has a replacement
underway that rewrites this entirely to conform to modern RFCs in
OpenStack-dev mailing list