Control: tags -1 + confirmed On Thu, 2020-03-19 at 15:03 +0100, Thomas Goirand wrote: > The security team told me that this update is a no-DSA. Can I upload > this Manila update to proposed-updates then? > > If you didn't know, Manila is OpenStack's file system share as a > service (like for example, NFS share as a service, running on top of > a Cinder or a Ceph block storage, or CephFS, or a proprietary NAS, > etc.). > > FYI, the security bug is that anyone knowing an UUID of a Manila > share, can basically do whatever it wants with it. It's no DSA > because guessing such an UUID isn't practical, and an operator would > likely notice if one is attempting to brute-force. I still think it > deserves patching Buster. >
Please go ahead. Regards, Adam
