[nova][ops] EOL'ing stable/train ?
Thomas Goirand
zigo at debian.org
Fri May 26 16:19:09 UTC 2023
On 5/24/23 12:24, Sylvain Bauza wrote:
> Hi folks, in particular operators...
>
> We discussed yesterday during the nova meeting [1] about our stable
> branches and eventually, we were wondering whether we should EOL [2] the
> stable/train branch for Nova.
>
> Why so ? Two points :
> 1/ The gate is failing at the moment for the branch.
> 2/ Two CVEs (CVE-2022-47951 [3] and CVE-2023-2088 [4]) aren't fixed in
> this branch.
Hi,

This is very disappointing to see these CVEs as the cause for deprecating
the branches. It should have been the opposite way: it should have
triggered some effort to fix them... :/

FYI, I tried to get the fix in, and managed to break instead of fixing.
An interesting way to fix CVE-2022-47951 could be to completely disable
VMDK support. How hard would this be?

As for CVE-2023-2088, the issue is implementing the force
> It would be difficult to fix the CVEs in the upstream branch but
> hopefully AFAIK all the OpenStack distros already fixed them for their
> related releases that use Train.
So far, I haven't seen such a fix, neither in Ubuntu nor Red Hat, on any
version prior to Ussuri. If you have a link to a working patch, please
let me know.

Cheers,

Thomas Goirand (zigo)