On Tue, Sep 20, 2016 at 12:48:49PM +0200, Kashyap Chamarthy wrote:
> The said patch in question fixes a CVE[x] in stable/liberty.
>
> We currently have two options, both of them have caused an impasse with
> the Nova upstream / stable maintainers. We've had two-ish months to
> mull over this. I'd prefer to get this out of a limbo, & bring this to
> a logical conclusion.
>
> The two options at hand:
>
> (1) Nova backport from master (that also adds a check for the presence
> of 'ProcessLimits' attribute which is only present in
> oslo.concurrency>=2.6.1; and a conditional check for 'prlimit'
> parameter in qemu_img_info() method.)
>
> https://review.openstack.org/#/c/327624/ -- "virt: set address space
> & CPU time limits when running qemu-img"
Conclusion: After discussion and analysis on this thread, especially Tony's
response here[*], we went the route of option (1) above, and it is now
merged in stable/liberty:

http://git.openstack.org/cgit/openstack/nova/commit/?h=stable/liberty&id=6bc37dc

Jeremy said (on #openstack-stable) he's going to follow up on the bug for
the security advisory.

Thanks everyone!

[*] http://lists.openstack.org/pipermail/openstack-dev/2016-September/104303.html

> (2) Or bump global-requirements for 'oslo.concurrency'
>
> https://review.openstack.org/#/c/337277/5 -- Bump
> 'global-requirements' for 'oslo.concurrency' to 2.6.1
>
> Both patches have had long (and useful) discussion about their merits /
> demerits in the review comments in context of stable backports. If you
> have some time, I'd recommend going through the comments in both the
> reviews; they provide all the context and current disagreements.
>
> [x] https://bugs.launchpad.net/nova/+bug/1449062 --
> qemu-img calls need to be restricted by ulimit (CVE-2015-5162)

--
/kashyap

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
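As an added illustration of what the option (1) backport does for qemu-img (this is example code, not Nova's or oslo.concurrency's own): an image-inspection command is run under an address-space cap and a CPU-time cap so that a hostile image can no longer exhaust the host. It uses the stdlib resource module in place of oslo.concurrency's ProcessLimits / prlimit so it runs stand-alone, and the child commands are constructed stand-ins for qemu-img rather than real image parsing.

```python
import resource
import signal
import subprocess
import sys

MIB = 1024 * 1024


def _limit_child(address_space, cpu_time):
    """Build a preexec_fn that caps the child's address space (bytes) and
    CPU time (seconds) before exec: the same two resources the Nova
    backport caps when it shells out to qemu-img."""
    def apply_limits():
        if address_space is not None:
            resource.setrlimit(resource.RLIMIT_AS, (address_space, address_space))
        if cpu_time is not None:
            # Soft limit delivers SIGXCPU; the hard limit one second later
            # is a SIGKILL backstop if the child ignores the signal.
            resource.setrlimit(resource.RLIMIT_CPU, (cpu_time, cpu_time + 1))
    return apply_limits


def run_limited(cmd, address_space=None, cpu_time=None, timeout=30):
    """Run cmd under the given limits and return its exit status
    (a negative value is the number of the signal that killed it)."""
    proc = subprocess.run(cmd, capture_output=True, timeout=timeout,
                          preexec_fn=_limit_child(address_space, cpu_time))
    return proc.returncode


def demo():
    """Constructed stand-ins for qemu-img on a benign and on hostile images."""
    py = sys.executable
    benign = [py, "-c", "pass"]
    cpu_hog = [py, "-c", "while True: pass"]               # parse that never ends
    mem_hog = [py, "-c", "bytearray(1024 * 1024 * 1024)"]  # 1 GiB allocation
    return {
        # A well-behaved child is unaffected by sensible limits.
        "benign_ok": run_limited(benign, address_space=512 * MIB, cpu_time=2) == 0,
        # CPU hog is terminated by SIGXCPU once the soft limit is reached.
        "cpu_hog_killed": run_limited(cpu_hog, cpu_time=1) == -signal.SIGXCPU,
        # Memory hog cannot allocate past RLIMIT_AS and exits non-zero.
        "mem_hog_failed": run_limited(mem_hog, address_space=512 * MIB) != 0,
    }


if __name__ == "__main__":
    print(demo())
```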