Between Dan and myself we have fixes for the issues pointed out in this bug and the etherpad:
https://etherpad.openstack.org/p/nova-rebuild-issues
1. https://review.openstack.org/#/c/521186/ - maintains the fix for the original CVE-2017-16239 and also fixes a regression introduced in the original fix where rebuilds can fail based on the scheduler filters that are run, e.g. the ComputeFilter will fail a rebuild if the instance is running on a disabled compute, or the CoreFilter can fail if the rebuild is on a host that is at capacity for vcpu usage. This fix will need to be backported through to stable/newton upstream and it supersedes the original fix for CVE-2017-16239.
2. https://review.openstack.org/#/c/521662/ - fixes the doubling allocations issue in Placement which is the potential DoS pointed out in *this* bug. I haven't linked the bug or added a release note to it, but this is potentially a new CVE, or an errata on the original (I'm not sure about the process here). This fix gets backported through to stable/pike upstream.
3. https://review.openstack.org/#/c/521391/ - fixes a regression introduced with the original fix for CVE-2017-16239 where all volume-backed instances are run through the scheduler during a rebuild, regardless of the image changing. This will need to be backported through to stable/newton upstream. This is more or less a companion to the fix in #1.
--
At this point, what do we do to move forward? Do we need to create a new CVE for #2? Or do these all just get lumped in as errata on the original CVE?