[openstack-dev] Security bug in diskimage-builder

Jeremy Stanley fungi at yuggoth.org
Wed May 17 15:46:37 UTC 2017

On 2017-05-17 15:57:16 +0300 (+0300), George Shuklin wrote:
> There is a bug in diskimage-builder; I reported it on 2017-03-10 as 'private
> security'. I think this bug is of medium severity.
> So far there was no reaction at all. I plan to change this bug to public
> security on next Monday. If someone is interested in bumping up CVE count
> for DIB, please look at
> https://bugs.launchpad.net/diskimage-builder/+bug/1671842 (private-walled
> for security group).

Thanks for the heads up! One thing we missed in the migration of DIB
from TripleO to Infra team governance is that the bug tracker for it
was still under TripleO team control (I just now leveraged my
OpenStack Administrator membership on LP to fix that), so the bug
was only visible to https://launchpad.net/~tripleo until moments

That said, a "private" bug report visible to the 86 people who are
members of that LP team doesn't really qualify as private in my book,
so there's probably no additional harm in just switching it to
public security while I work on triaging it with the DIB devs.
Going forward, private security bugs filed for DIB are only visible
to the 18 people who make up the diskimage-builder-core and
openstack-ci-core teams on LP, which is still more than it probably
should be, but it's a start at least.

Jeremy Stanley
