On 5/24/23 12:24, Sylvain Bauza wrote:
> Hi folks, in particular operators...
>
> We discussed our stable branches yesterday during the nova meeting [1] and eventually wondered whether we should EOL [2] the stable/train branch for Nova.
>
> Why so? Two points:
> 1/ The gate is failing at the moment for the branch.
> 2/ Two CVEs (CVE-2022-47951 [3] and CVE-2023-2088 [4]) aren't fixed in this branch.
Hi,

It is very disappointing to see these CVEs as the cause for deprecating the branches. It should have been the opposite way: they should have triggered some effort to fix them... :/

FYI, I tried to get the fix in, and managed to break it instead of fixing it.

An interesting way to fix CVE-2022-47951 could be to completely disable VMDK support. How hard would this be?

As for CVE-2023-2088, the issue is implementing the force
> It would be difficult to fix the CVEs in the upstream branch but hopefully, AFAIK, all the OpenStack distros already fixed them for their related releases that use Train.
So far, I haven't seen such a fix in either Ubuntu or Red Hat, on any version prior to Ussuri. If you have a link to a working patch, please let me know.

Cheers,

Thomas Goirand (zigo)
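An added example, not code from this thread, from nova or from glance, to make concrete the kind of check Thomas is asking about. CVE-2022-47951 boils down to nova handing a user-supplied image to `qemu-img convert`, which opens whatever the image's own metadata points at, and a VMDK descriptor can name arbitrary host files as its extents. The function below takes the disk_format the image was registered with and the output of `qemu-img info --output=json`, and refuses the image when the detected format differs from the declared one, when it carries a backing file, or when it is a VMDK whose create-type is outside an allow-list or whose extents name a file other than the image itself. Passing an empty allow-list is the "disable VMDK completely" knob. The function and parameter names are mine, and the qemu-img outputs are constructed for the example, not captured from a real image.

```python
"""Pre-conversion image checks (added example, not nova code).

Runs over the JSON that ``qemu-img info --output=json <file>`` produces; the
samples below are constructed to look like that output, they were not captured.
"""
import json
from typing import List, Sequence

# Constructed sample: an ordinary qcow2 image, registered as qcow2.
BENIGN_QCOW2 = json.dumps({
    "virtual-size": 1073741824,
    "filename": "/var/lib/nova/instances/_base/abc.part",
    "format": "qcow2",
    "actual-size": 196616,
    "format-specific": {"type": "qcow2", "data": {"compat": "1.1"}},
    "dirty-flag": False,
})

# Constructed sample: uploaded as "raw", but the bytes are a VMDK descriptor
# whose single flat extent points at a file on the compute host.
MASQUERADING_VMDK = json.dumps({
    "virtual-size": 1073741824,
    "filename": "/var/lib/nova/instances/_base/def.part",
    "format": "vmdk",
    "actual-size": 512,
    "format-specific": {
        "type": "vmdk",
        "data": {
            "cid": 1,
            "parent-cid": 4294967295,
            "create-type": "monolithicFlat",
            "extents": [{"filename": "/etc/passwd", "format": "FLAT",
                         "virtual-size": 1073741824}],
        },
    },
    "dirty-flag": False,
})

# Constructed sample: a qcow2 with a backing file, which must never be accepted.
QCOW2_WITH_BACKING = json.dumps({
    "virtual-size": 1073741824,
    "filename": "/var/lib/nova/instances/_base/xyz.part",
    "format": "qcow2",
    "actual-size": 200704,
    "backing-filename": "/etc/shadow",
    "format-specific": {"type": "qcow2", "data": {"compat": "1.1"}},
})

# Constructed sample: a self-contained streamOptimized VMDK (its only extent is
# the file itself), registered as vmdk.
STREAM_VMDK = json.dumps({
    "virtual-size": 1073741824,
    "filename": "/var/lib/nova/instances/_base/ghi.part",
    "format": "vmdk",
    "actual-size": 65536,
    "format-specific": {
        "type": "vmdk",
        "data": {
            "cid": 7,
            "parent-cid": 4294967295,
            "create-type": "streamOptimized",
            "extents": [{"filename": "/var/lib/nova/instances/_base/ghi.part",
                         "format": "SPARSE", "virtual-size": 1073741824}],
        },
    },
})

# Hypothetical allow-list: VMDK subformats that keep all data in the one file.
DEFAULT_VMDK_ALLOWED: Sequence[str] = ("streamOptimized", "monolithicSparse")


def image_rejections(declared_format: str, qemu_info_json: str,
                     allowed_vmdk_types: Sequence[str] = DEFAULT_VMDK_ALLOWED) -> List[str]:
    """Return the reasons this image must not be converted; empty means accept."""
    info = json.loads(qemu_info_json)
    problems: List[str] = []
    detected = info.get("format")

    # 1. The declared glance disk_format must match what qemu-img detected, so a
    #    VMDK (or any other container) cannot hide behind a "raw" label.
    if detected != declared_format:
        problems.append(f"declared {declared_format!r} but qemu-img detected {detected!r}")

    # 2. The image must be self-contained: no backing file of any kind.
    if info.get("backing-filename"):
        problems.append(f"backing file {info['backing-filename']!r} is not allowed")

    # 3. VMDK only: restrict the subformat to the allow-list (an empty allow-list
    #    rejects every VMDK) and refuse extents that name any other file.
    if detected == "vmdk":
        data = info.get("format-specific", {}).get("data", {})
        create_type = data.get("create-type")
        if create_type not in allowed_vmdk_types:
            problems.append(f"vmdk create-type {create_type!r} not in allow-list "
                            f"{list(allowed_vmdk_types)}")
        own_name = info.get("filename")
        for extent in data.get("extents", []):
            if extent.get("filename") not in (None, own_name):
                problems.append(f"vmdk extent references external file {extent['filename']!r}")
    return problems


if __name__ == "__main__":
    for label, declared, sample in [("benign qcow2", "qcow2", BENIGN_QCOW2),
                                    ("raw that is really vmdk", "raw", MASQUERADING_VMDK),
                                    ("qcow2 with backing file", "qcow2", QCOW2_WITH_BACKING),
                                    ("stream vmdk, vmdk disabled", "vmdk", STREAM_VMDK)]:
        allowed = () if "disabled" in label else DEFAULT_VMDK_ALLOWED
        print(label, "->", image_rejections(declared, sample, allowed) or "accept")
```

The check has to run between fetch and `qemu-img convert`, and a non-empty result must abort rather than fall back to converting with the detected format. As far as I know `qemu-img info` already opens the listed extents in order to size them, so this stops the file contents from being copied into the guest-visible disk; it does not stop the open itself. Removing vmdk from glance's `[image_format] disk_formats` on its own does not achieve the same thing on a Train-era deployment, because glance of that era does not inspect the uploaded bytes, so a VMDK can still be registered as raw and reach nova.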