[openstack-dev] [stable] Swift object-updater and container-updater

Jay S. Bryant jsbryant at electronicjungle.net
Fri Jan 9 20:22:33 UTC 2015


It is important to understand that Icehouse has gone into a security 
fixes only mode.  It is too late in the stable process to be making 
notable changes for anything other than security issues.

The patch for the fork bomb like problem in object-auditor is in 
Icehouse:  https://review.openstack.org/#/c/126371/  So, we do not need 
to worry about that one.  The other two problems are not really security 
problems as they cause the object-updater and container-updater to throw 
an exception and exit.  The behavior is irritating but not a security risk.

So, I think the fix that you are really asking to have fixed in 
Icehouse, has already merged.  I will propose the other fixes back to 
stable/juno but don't feel they warrant a change in Icehouse.

I hope this clarifies the situation.


On 01/08/2015 09:21 AM, Minwoo Bae wrote:
> Hi, to whom it may concern:
> Jay Bryant and I would like to have the fixes for the Swift 
> object-updater (https://review.openstack.org/#/c/125746/) and the 
> Swift container-updater 
> (https://review.openstack.org/#/q/I7eed122bf6b663e6e7894ace136b6f4653db4985,n,z) 
> backported to Juno and then to Icehouse soon if possible. It's been in 
> the queue for a while now, so we were wondering if we could have an 
> estimated time for delivery?
> Icehouse is in security-only mode, but the container-updater issue may 
> potentially be used as a fork-bomb, which presents security concerns. 
> To further justify the fix, a problem of similar nature 
> https://review.openstack.org/#/c/126371/(regarding the object-auditor) 
> was successfully fixed in stable/icehouse.
> The object-updater issue may potentially have some security 
> implications as well.
> Thank you very much!
> Minwoo
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150109/be04d74a/attachment.html>

More information about the OpenStack-dev mailing list