[Openstack-stable-maint] Controversial backport

Thierry Carrez thierry at openstack.org
Tue Aug 19 14:17:54 UTC 2014


Gary Kotton wrote:
> On 8/19/14, 2:48 PM, "Ihar Hrachyshka" <ihrachys at redhat.com> wrote:
>> And if they haven't encountered the issue yet, and don't know that
>> default value is failing hard, then we leave our users with DoS
>> unfixed, waiting for their users to break the cloud and then debug the
>> issue, finally discovering that we have defaults that are broken and
>> not even documented as such anywhere.
> 
> Where is a DOS attack here? Is this a few extra RPC messages being sent?

If this is a security issue, different rules apply, the first of which
is that the Vulnerability Management Team should handle that bug, assess
the vulnerability, coordinate the backports and ask for relevant exceptions.

You can't just sneak security fixes in without proper announcements (and
then use the "security" card to justify exceptions).

I added the security flag to that bug so that it gets assessed and
handled through the regular channels.

-- 
Thierry Carrez (ttx)