On Tue, Sep 20, 2016 at 12:48:49PM +0200, Kashyap Chamarthy wrote:
> The said patch in question fixes a CVE[x] in stable/liberty.
> We currently have two options, both of them have caused an impasse with
> the Nova upstream / stable maintainers.  We've had two-ish months to
> mull over this.  I'd prefer to get this out of a limbo, & bring this to
> a logical conclusion.
> The two options at hand:
> (1) Nova backport from master (that also adds a check for the presence
>     of 'ProcessLimits' attribute which is only present in
>     oslo.concurrency>=2.6.1; and a conditional check for 'prlimit'
>     parameter in qemu_img_info() method.)
>     https://review.openstack.org/#/c/327624/ -- "virt: set address space
>     & CPU time limits when running qemu-img"

Conclusion: After discussion and analysis on this thread, especially
Tony's response here[*], we went the route of option (1) above, and it
is now merged in stable/liberty


Jeremy said (on #openstack-stable) he's going to follow up on the bug
for the security advisory.

Thanks everyone!


> (2) Or bump global-requirements for 'oslo.concurrency'
>     https://review.openstack.org/#/c/337277/5 -- Bump
>     'global-requirements' for 'oslo.concurrency' to 2.6.1
> Both patches have had long (and useful) discussion about their merits /
> demerits in the review comments in context of stable backports.  If you
> have sometime, I'd recommend going through the comments in both the
> reviews provides all the context, current disagreements.
> [x] https://bugs.launchpad.net/nova/+bug/1449062 -- 
>     qemu-img calls need to be restricted by ulimit (CVE-2015-5162)


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

Reply via email to