Control: tags -1 + confirmed

On Tue, 2017-11-21 at 00:45 +0100, Thomas Goirand wrote:
> I'd like to push for an update of Nova, to fix the nova-placement-api
> package. Indeed, /usr/bin/nova-placement-api is *not* a Daemon, but a
> WSGI application, that can work for example with libapache-mod-wsgi
> or others.
[...]
> This update, I'd like to push it in the soon coming security update
> for Nova, through a security upload fixing CVE-2017-16239 / #882009.
> This update is currently on hold, because the upstream patch adds a
> DoS hole.
> Though the security team (ie: Sebastien Delafond) advised me wisely
> to start the discussion with the release team about this new
> dependency for nova-placement-api.

Dependency changes in stable updates always make me uneasy, but this
sounds like a reasonable way of fixing the issue.

Please close this bug once the security update has been released.

Regards,

Adam