25a1d78e83
Commit 984dd8ad6a makes a rebuild
with a new image go through the scheduler again to validate the
image against the instance.host (we rebuild to the same host that
the instance already lives on). This fixes the subsequent doubling
of allocations that will occur by skipping the claim process if
a policy-only scheduler check is being performed.
Closes-Bug: #1732976
Related-CVE: CVE-2017-17051
Related-OSSA: OSSA-2017-006
Change-Id: I8a9157bc76ba1068ab966c4abdbb147c500604a8
19 lines
817 B
YAML
19 lines
817 B
YAML
---
|
|
security:
|
|
- |
|
|
`OSSA-2017-006`_: Nova FilterScheduler doubles resource allocations during
|
|
rebuild with new image (CVE-2017-17051)
|
|
|
|
By repeatedly rebuilding an instance with new images, an authenticated user
|
|
may consume untracked resources on a hypervisor host leading to a denial of
|
|
service. This regression was introduced with the fix for `OSSA-2017-005`_
|
|
(CVE-2017-16239), however, only Nova stable/pike or later deployments with
|
|
that fix applied and relying on the default FilterScheduler are affected.
|
|
|
|
The fix is in the `nova-api` and `nova-scheduler` services.
|
|
|
|
.. note:: The fix for errata in `OSSA-2017-005`_ (CVE-2017-16239) will
|
|
need to be applied in addition to this fix.
|
|
|
|
.. _OSSA-2017-006: https://security.openstack.org/ossa/OSSA-2017-006.html
|