[openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

Clark, Robert Graham robert.clark at hpe.com
Mon Apr 11 15:04:36 UTC 2016

Thanks Matt, Michael,

To start with, lets look quickly at the more recent OSSNs that are marked as work in progress, namely 63,64,65 and 66 – these should all be published within a week or so.

Looking further back we have the more difficult OSSNs 50 and 51, I’m not 100% sure what the blockers are on these.  I believe https://wiki.openstack.org/wiki/OSSN/OSSN-0056 may supersede OSSN-0051 and is rooted in bug https://bugs.launchpad.net/ossn/+bug/1435530 - it looks to me like OSSN-0056 was written during a mid-cycle and could be the right one.

I’m struggling to work out the story behind OSSN-0050 – I’m adding Nathan Kinder who might be able to shed more light on this.


From: Michael Xin [mailto:michael.xin at RACKSPACE.COM]
Sent: 11 April 2016 15:28
To: Matt Fischer; OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

Thanks for asking this. I forwarded this email to the new email list so that folks with better knowledge can answer this.

Thanks and have a great day.


Michael Xin | Manager, Security Engineering - US
Product Security  |Rackspace Hosting
Office #: 501-7341   or  210-312-7341
Mobile #: 210-284-8674
5000 Walzem Road, San Antonio, Tx 78218
Experience fanatical support

From: Matt Fischer <matt at mattfischer.com<mailto:matt at mattfischer.com>>
Date: Monday, April 11, 2016 at 9:19 AM
To: "openstack-security at lists.openstack.org<mailto:openstack-security at lists.openstack.org>" <openstack-security at lists.openstack.org<mailto:openstack-security at lists.openstack.org>>
Subject: [Openstack-security] abandoned OSSNs?

Some folks from our security team here asked me to ensure them that our services were patched for all the OSSNs that are listed here: https://wiki.openstack.org/wiki/Security_Notes

Most of these are straight-forward, but there are some OSSNs that have been allocated an ID but then abandoned. There is no detailed wiki page and my best google efforts lead me to a possible IRC mention and maybe an abandoned review. The two specifically are OSSN-50/51.

So what am I to do with an "abandoned" OSSN? Has it been decided that there is no issue anymore? These are pretty old if I look at the dates framing the other OSSNs (49/52), so I assume they aren't urgent. Can we ignore these? They sound somewhat scary, for example, "keystonemiddleware can allow access after token revocation" but I have no means to say whether it affects us or how we can mitigate without more info.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160411/bd6c4d5b/attachment.html>

More information about the OpenStack-dev mailing list