Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api

["Adam D. Barratt" <adam@adam-barratt.org.uk>]

Control: tags -1 + confirmed

On Tue, 2017-11-21 at 00:45 +0100, Thomas Goirand wrote:
> I'd like to push for an update of Nova, to fix the nova-placement-api
> package. Indeed, /usr/bin/nova-placement-api is *not* a Daemon, but a
> WSGI application, that can work for example with libapache-mod-wsgi
> or others.
[...]
> This update, I'd like to push it in the soon comming security update
> for Nova, through a security upload fixing CVE-2017-16239 / #882009.
> This update is currently on hold, because the upstream patch adds a
> DoS hole.
> Though the security team (ie: Sebastien Delafond) advised me wisely
> to start the discussion with the release team about this new
> dependency for nova-placement-api.

Dependency changes in stable updates always make me uneasy, but this
sounds like a reasonable way of fixing the issue.

Please close this bug once the security update has been released.

Regards,

Adam