Comment 5 for bug 1915282

melanie witt (melwitt) wrote :

This was not easy for me to parse as it's not my wheelhouse at all, but I'll try to give my interpretation of the bug.

If I understand correctly, the potential security issue is one where tenant(?) isolation is not enforced when it was supposed to be enforced.

But in order for the generated XML to exhibit the non-isolated, vulnerable state, multiple things (plugin type + tunneled network and vif_type=hw_veb) have to be true in order to have the security hole. And the rationale is that if it's sufficiently rare for a user to end up with this combination of things, it need not be considered a security bug.

If I've understood correctly (there's a high chance I haven't), then I would tend to think even if the security vulnerability is rare, I would still think to treat it as a security bug.

I guess the question is, how rare is it? How could we know how rare it is that deployers have such a configuration?