25a1d78e83
Commit 984dd8ad6add4523d93c7ce5a666a32233e02e34 makes a rebuild with a new image go through the scheduler again to validate the image against the instance.host (we rebuild to the same host that the instance already lives on). This fixes the subsequent doubling of allocations that will occur by skipping the claim process if a policy-only scheduler check is being performed. Closes-Bug: #1732976 Related-CVE: CVE-2017-17051 Related-OSSA: OSSA-2017-006 Change-Id: I8a9157bc76ba1068ab966c4abdbb147c500604a8
19 lines
817 B
YAML
19 lines
817 B
YAML
---
|
|
security:
|
|
- |
|
|
`OSSA-2017-006`_: Nova FilterScheduler doubles resource allocations during
|
|
rebuild with new image (CVE-2017-17051)
|
|
|
|
By repeatedly rebuilding an instance with new images, an authenticated user
|
|
may consume untracked resources on a hypervisor host leading to a denial of
|
|
service. This regression was introduced with the fix for `OSSA-2017-005`_
|
|
(CVE-2017-16239), however, only Nova stable/pike or later deployments with
|
|
that fix applied and relying on the default FilterScheduler are affected.
|
|
|
|
The fix is in the `nova-api` and `nova-scheduler` services.
|
|
|
|
.. note:: The fix for errata in `OSSA-2017-005`_ (CVE-2017-16239) will
|
|
need to be applied in addition to this fix.
|
|
|
|
.. _OSSA-2017-006: https://security.openstack.org/ossa/OSSA-2017-006.html
|