 25a1d78e83
			
		
	
	25a1d78e83
	
	
	
		
			
			Commit 984dd8ad6a makes a rebuild
with a new image go through the scheduler again to validate the
image against the instance.host (we rebuild to the same host that
the instance already lives on). This fixes the subsequent doubling
of allocations that will occur by skipping the claim process if
a policy-only scheduler check is being performed.
Closes-Bug: #1732976
Related-CVE: CVE-2017-17051
Related-OSSA: OSSA-2017-006
Change-Id: I8a9157bc76ba1068ab966c4abdbb147c500604a8
		
	
		
			
				
	
	
		
			19 lines
		
	
	
		
			817 B
		
	
	
	
		
			YAML
		
	
	
	
	
	
			
		
		
	
	
			19 lines
		
	
	
		
			817 B
		
	
	
	
		
			YAML
		
	
	
	
	
	
| ---
 | |
| security:
 | |
|   - |
 | |
|     `OSSA-2017-006`_: Nova FilterScheduler doubles resource allocations during
 | |
|     rebuild with new image (CVE-2017-17051)
 | |
| 
 | |
|     By repeatedly rebuilding an instance with new images, an authenticated user
 | |
|     may consume untracked resources on a hypervisor host leading to a denial of
 | |
|     service. This regression was introduced with the fix for `OSSA-2017-005`_
 | |
|     (CVE-2017-16239), however, only Nova stable/pike or later deployments with
 | |
|     that fix applied and relying on the default FilterScheduler are affected.
 | |
| 
 | |
|     The fix is in the `nova-api` and `nova-scheduler` services.
 | |
| 
 | |
|     .. note:: The fix for errata in `OSSA-2017-005`_ (CVE-2017-16239) will
 | |
|               need to be applied in addition to this fix.
 | |
| 
 | |
|     .. _OSSA-2017-006: https://security.openstack.org/ossa/OSSA-2017-006.html
 |