[openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

Matt Fischer matt at mattfischer.com
Mon Apr 11 17:53:14 UTC 2016

Thanks Michael,

I'm following the thread and I've asked Thierry for this tag to be
subscribable here if we're not using openstack-security anymore so that I
can receive the follow-ups.

On Mon, Apr 11, 2016 at 8:28 AM, Michael Xin <michael.xin at rackspace.com>

> Matt:
> Thanks for asking this. I forwarded this email to the new email list so
> that folks with better knowledge can answer this.
> Thanks and have a great day.
> Yours,
> Michael
> -----------------------------------------------------------------------------
> Michael Xin | Manager, Security Engineering - US
> Product Security  |Rackspace Hosting
> Office #: 501-7341   or  210-312-7341
> Mobile #: 210-284-8674
> 5000 Walzem Road, San Antonio, Tx 78218
> ----------------------------------------------------------------------------
> Experience fanatical support
> From: Matt Fischer <matt at mattfischer.com>
> Date: Monday, April 11, 2016 at 9:19 AM
> To: "openstack-security at lists.openstack.org" <
> openstack-security at lists.openstack.org>
> Subject: [Openstack-security] abandoned OSSNs?
> Some folks from our security team here asked me to ensure them that our
> services were patched for all the OSSNs that are listed here:
> https://wiki.openstack.org/wiki/Security_Notes
> Most of these are straight-forward, but there are some OSSNs that have
> been allocated an ID but then abandoned. There is no detailed wiki page and
> my best google efforts lead me to a possible IRC mention and maybe an
> abandoned review. The two specifically are OSSN-50/51.
> So what am I to do with an "abandoned" OSSN? Has it been decided that
> there is no issue anymore? These are pretty old if I look at the dates
> framing the other OSSNs (49/52), so I assume they aren't urgent. Can we
> ignore these? They sound somewhat scary, for example, "keystonemiddleware
> can allow access after token revocation" but I have no means to say whether
> it affects us or how we can mitigate without more info.
> Thoughts?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160411/269cf41c/attachment.html>

More information about the OpenStack-dev mailing list