On 2023-05-26 18:19:09 +0200 (+0200), Thomas Goirand wrote:
On 5/24/23 12:24, Sylvain Bauza wrote:
[...]
As for CVE-2023-2088, the issue is implementing the force
It would be difficult to fix the CVEs in the upstream branch but hopefully AFAIK all the OpenStack distros already fixed them for their related releases that use Train.
So far, I haven't seen such a fix, neither in Ubuntu nor Red Hat, on any version prior to Ussuri. If you have a link to a working patch, please let me know.
I think he may be referring to Red Hat. As I understand it, they went with the https://wiki.openstack.org/wiki/OSSN/OSSN-0092 approach (mitigation through configuration only, disabling attachment-delete functionality for users). I may be wrong though, as I was not privy to their internal discussions.

--
Jeremy Stanley