[Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting

Kurt Seifried kseifried at redhat.com
Tue Apr 23 06:33:38 UTC 2013



On 04/22/2013 06:53 AM, Thierry Carrez wrote:
> Bryan D. Payne wrote:
>> FWIW, I believe that one of the decision points here was that
>> this resource exhaustion attack is linear, rather than
>> exponential.  So it's not as bad as a traditional DoS attack.  I
>> could see this one going either way.  Happy to close the loop
>> with VMT before publishing the note.  However, it may also be
>> worth noting that this entire bug / OSN has been handled
>> publicly.
> 
> Replied to Kurt privately.
> 
> On this one we made a trade-off: rather than pushing a disruptive
> new feature to a stable branch, we documented the issue and how to
> deploy to avoid it. This is why it appears in an OSN rather than an
> OSSA: the fix is not in the code. That doesn't mean a CVE is not
> warranted. Grizzly has the sizelimit middleware and is therefore
> not affected.
> 
> The text of the note looks good -- maybe the title could be changed
> to something that doesn't make it look like a current vulnerability
> as much, but more like a deployment advice for older versions --
> that way people will not mistake it for a weird OSSA. My try at it
> would be:
> 
> "HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS"
> 
> Hope this helps,

Yeah, I have no problem with WONTFIX, I mean if fixing something
basically means breaking things/changing behaviour a lot, especially
when you (OpenStack) are on a 6 month release cycle it makes sense. But
we need to make sure they get labelled as security issues with a CVE
still since some vendors like Red Hat will be backporting security
fixes since we (Red Hat) most likely won't have Red Hat OpenStack on a
6 month release cycle. We (and others) try to keep a close eye on
upstream, but things can get missed. On the other hand if it has a CVE
then it almost certainly won't get missed.

So if it's ok with you guys I'd like to make sure that all OpenStack
security issues get CVEs assigned regardless of whether or not they
are going to be fixed in code (e.g. addressed with a security note,
maybe a config change, a documentation change, whatever).

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993