Created attachment 578328
proposed fix

This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date.

Title: No quota enforced on security group rules
Impact: High
Reporter: Dan Prince <dprince>
Products: Nova
Affects: All versions

Description:
Dan Prince reported a vulnerability in Nova. He discovered that there was no limit on the number of security group rules a user can create. By creating a very large set of rules, an unreasonable number of iptables rules will be created on compute nodes, resulting in a denial of service.

Proposed patch:
See attached diff. This proposed patch will be merged to the Nova master, stable/essex, and stable/diablo branches on public disclosure date.

Proposed public disclosure date/time:
Thursday, April 19th, 1500UTC
Please do not make the issue public (or release public patches) before this coordinated embargo date.
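
Added example (not part of the original report and not the attached Nova patch): a small in-memory model of the missing control, showing that the number of packet-filter rules a project can cause is bounded only when both the number of groups and the rules per group are capped. The class, function names and limit values are hypothetical.

```python
# Added illustration; names and limits are hypothetical, not Nova's code.
from collections import defaultdict


class QuotaExceeded(Exception):
    """A request would push a project past a configured limit."""


class SecurityGroupStore:
    def __init__(self, max_groups=10, max_rules_per_group=20):
        self.max_groups = max_groups
        self.max_rules_per_group = max_rules_per_group
        # project_id -> group name -> set of (protocol, from_port, to_port, cidr)
        self._groups = defaultdict(dict)

    def create_group(self, project_id, name):
        groups = self._groups[project_id]
        if name in groups:
            return
        if len(groups) >= self.max_groups:
            raise QuotaExceeded(f"{project_id}: group limit {self.max_groups}")
        groups[name] = set()

    def add_rule(self, project_id, group, protocol, from_port, to_port, cidr):
        rules = self._groups[project_id][group]
        rule = (protocol, from_port, to_port, cidr)
        if rule in rules:
            return  # in this model a duplicate adds nothing, so it costs no quota
        if len(rules) >= self.max_rules_per_group:
            raise QuotaExceeded(f"{group}: rule limit {self.max_rules_per_group}")
        rules.add(rule)

    def rule_count(self, project_id):
        return sum(len(r) for r in self._groups[project_id].values())

    def worst_case_rules(self):
        # Upper bound per project; capping only one factor leaves it unbounded.
        return self.max_groups * self.max_rules_per_group


def fill_until_refused(store, project_id):
    """Constructed workload: request groups and rules until every request is refused."""
    accepted = 0
    for g in range(1000):
        try:
            store.create_group(project_id, f"sg-{g}")
            for port in range(1, 1000):
                store.add_rule(project_id, f"sg-{g}", "tcp", port, port, "0.0.0.0/0")
                accepted += 1
        except QuotaExceeded:
            if len(store._groups[project_id]) <= g:
                break  # the group itself was refused: project is at its ceiling
    return accepted
```
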
This issue affects the version of the openstack-nova package, as shipped with Fedora release of 16. Please schedule an update.

--

This issue affects the version of the openstack-nova package, as shipped with Fedora EPEL 6. Please schedule an update.
Created openstack-nova tracking bugs for this issue

Affects: fedora-16 [bug 814361]
Affects: epel-6 [bug 814362]