Gary Kotton wrote:
On 8/19/14, 2:48 PM, "Ihar Hrachyshka" <ihrachys@redhat.com> wrote:
And if they haven't encountered the issue yet, and don't know that default value is failing hard, then we leave our users with DoS unfixed, waiting for their users to break the cloud and then debug the issue, finally discovering that we have defaults that are broken and not even documented as such anywhere.
Where is a DOS attack here? Is this a few extra RPC messages being sent?
If this is a security issue, different rules apply. The first of which is that the Vulnerability Management Team should handle that bug, assess the vulnerability, coordinate the backports and ask for relevant exceptions. You can't just sneak security fixes in without proper announcements (and then use the "security" card to justify exceptions). I added the security flag to that bug so that it gets assessed and handled through the regular channels. -- Thierry Carrez (ttx)