[openstack-dev] Security bug in diskimage-builder

Ben Nemec openstack at nemebean.com
Wed May 24 17:45:19 UTC 2017

On 05/17/2017 10:46 AM, Jeremy Stanley wrote:
> On 2017-05-17 15:57:16 +0300 (+0300), George Shuklin wrote:
>> There is a bug in diskimage-builder I reported it at 2017-03-10 as 'private
>> security'. I think this bug is a medium severity.
>> So far there was no reaction at all. I plan to change this bug to public
>> security on next Monday. If someone is interested in bumping up CVE count
>> for DIB, please look at
>> https://bugs.launchpad.net/diskimage-builder/+bug/1671842 (private-walled
>> for security group).
> Thanks for the heads up! One thing we missed in the migration of DIB
> from TripleO to Infra team governance is that the bug tracker for it
> was still under TripleO team control (I just now leveraged my
> OpenStack Administrator membership on LP to fix that), so the bug
> was only visible to https://launchpad.net/~tripleo until moments
> ago.
> That said, a "private" bug report visible to the 86 people who are
> members of that LP team doesn't really qualify as private in my book
> so there's probably no additional harm in just switching it to
> public security while I work on triaging it with the DIB devs.
> Going forward, private security bugs filed for DIB are only visible
> to the 18 people who make up the diskimage-builder-core and
> openstack-ci-core teams on LP, which is still more than it probably
> should be but it's a start at least.

Hmm, this points out a valid issue that we don't have a security group 
for tripleo at all.  We use the tripleo group to include basically all 
tripleo developers so it's definitely not appropriate for this purpose.

Emilien, I think we should create a tripleo-coresec group in launchpad 
that can be used for this.  We have had tripleo-affecting security bugs 
in the past and I imagine we will again.  I'm happy to help out with 
that, although I will admit my launchpad-fu is kind of weak so I don't 
know off the top of my head how to do it.


More information about the OpenStack-dev mailing list