<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>
<div>Matt:</div>
<div>Thanks for asking this. I forwarded this email to the new email list so that folks with better knowledge can answer this. </div>
<div><br>
</div>
<div><br>
</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE">
<div>
<div>
<div>
<div>Thanks and have a great day. </div>
<div><br>
</div>
<div>Yours,</div>
<div>Michael </div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>-----------------------------------------------------------------------------</div>
<div>Michael Xin | Manager, Security Engineering - US </div>
<div>Product Security |Rackspace Hosting</div>
<div>Office #: 501-7341 or 210-312-7341</div>
<div>Mobile #: 210-284-8674 </div>
<div>5000 Walzem Road, San Antonio, Tx 78218</div>
<div>----------------------------------------------------------------------------</div>
<div>Experience fanatical support</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Matt Fischer <<a href="mailto:matt@mattfischer.com">matt@mattfischer.com</a>><br>
<span style="font-weight:bold">Date: </span>Monday, April 11, 2016 at 9:19 AM<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:openstack-security@lists.openstack.org">openstack-security@lists.openstack.org</a>" <<a href="mailto:openstack-security@lists.openstack.org">openstack-security@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span>[Openstack-security] abandoned OSSNs?<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr"><span style="font-size:12.8px">Some folks from our security team here asked me to ensure them that our services were patched for all the OSSNs that are listed here: </span><a href="https://wiki.openstack.org/wiki/Security_Notes" target="_blank" style="font-size:12.8px">https://wiki.openstack.org/wiki/Security_Notes</a>
<div style="font-size:12.8px"><font face="arial,helvetica,sans-serif"><br>
</font></div>
<div style="font-size:12.8px"><font face="arial,helvetica,sans-serif">Most of these are straight-forward, but there are some OSSNs that have been allocated an ID but then abandoned. There is no detailed wiki page and my best google efforts lead me to a possible
IRC mention and maybe an abandoned review. The two specifically are OSSN-50/51.</font></div>
<div style="font-size:12.8px"><font face="arial,helvetica,sans-serif"><br>
</font></div>
<div style="font-size:12.8px"><font face="arial,helvetica,sans-serif">So what am I to do with an "abandoned" OSSN? Has it been decided that there is no issue anymore? These are pretty old if I look at the dates framing the other OSSNs (49/52), so I assume they
aren't urgent. Can we ignore these? They sound somewhat scary, for example, "<span style="color:rgb(51,51,51);line-height:20px">keystonemiddleware can allow access after token revocation" but I have no means to say whether it affects us or how we can mitigate
without more info.</span></font></div>
<div style="font-size:12.8px"><span style="color:rgb(51,51,51);line-height:20px"><font face="arial,helvetica,sans-serif"><br>
</font></span></div>
<div style="font-size:12.8px"><span style="color:rgb(51,51,51);line-height:20px"><font face="arial,helvetica,sans-serif">Thoughts?</font></span></div>
</div>
</div>
</div>
</span>
</body>
</html>