From robert.clark at hp.com Mon Apr 1 18:06:53 2013 From: robert.clark at hp.com (Clark, Robert Graham) Date: Mon, 1 Apr 2013 18:06:53 +0000 Subject: [Openstack-security] OSSG Meeting Minutes 28 March 2013 Message-ID: Action items 1. hyakuhei to gather headcount for food. 2. hyakuhei publish Keystone DoS OSN. 3. hyakuhei to provide online meeting space, presentation and telecoms for anyone wanting to demo/preview/walkthrough content with the OSSG before the summit http://eavesdrop.openstack.org/meetings/openstack_security_group/2013/openstack_security_group.2013-03-28-18.00.html From prometheanfire at gentoo.org Tue Apr 9 14:21:00 2013 From: prometheanfire at gentoo.org (Matthew Thode) Date: Tue, 09 Apr 2013 09:21:00 -0500 Subject: [Openstack-security] what would be the best wat to get security notifications for openstack Message-ID: <516423CC.90703@gentoo.org> I've been packaging openstack in Gentoo but have been relying on others to watch you guys for security bugs. What would be the best way for me to get notification when a security bug is fixed (when a security patch is accepted), so that I may update the packages. -- -- Matthew Thode (prometheanfire) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature URL: From fungi at yuggoth.org Tue Apr 9 14:34:27 2013 From: fungi at yuggoth.org (Jeremy Stanley) Date: Tue, 9 Apr 2013 14:34:27 +0000 Subject: [Openstack-security] what would be the best wat to get security notifications for openstack In-Reply-To: <516423CC.90703@gentoo.org> References: <516423CC.90703@gentoo.org> Message-ID: <20130409143426.GV1520@yuggoth.org> On 2013-04-09 09:21:00 -0500 (-0500), Matthew Thode wrote: > I've been packaging openstack in Gentoo but have been relying on others > to watch you guys for security bugs. 
What would be the best way for me > to get notification when a security bug is fixed (when a security patch > is accepted), so that I may update the packages. Subscribe to the openstack-announce mailing list and look for OSSA tags in the subject lines. It's a very low-volume list--for example over a third of the posts last month were security advisories: http://lists.openstack.org/pipermail/openstack-announce/2013-March/thread.html OSSA details are also posted to other relevant places, notably the oss-security mailing list: http://oss-security.openwall.org/wiki/mailing-lists/oss-security -- Jeremy Stanley From thierry at openstack.org Tue Apr 9 15:31:35 2013 From: thierry at openstack.org (Thierry Carrez) Date: Tue, 09 Apr 2013 17:31:35 +0200 Subject: [Openstack-security] what would be the best wat to get security notifications for openstack In-Reply-To: <516423CC.90703@gentoo.org> References: <516423CC.90703@gentoo.org> Message-ID: <51643457.7080201@openstack.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Matthew Thode wrote: > I've been packaging openstack in Gentoo but have been relying on > others to watch you guys for security bugs. What would be the best > way for me to get notification when a security bug is fixed (when a > security patch is accepted), so that I may update the packages. We also post embargoed information on incoming vulnerability fixes to linux-distros at vs.openwall.org -- Gentoo's security team should have a member on that list who should be able to give you a heads-up. 
Cheers, - -- Thierry Carrez (ttx) Release Manager, OpenStack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJRZDRRAAoJEFB6+JAlsQQjiZ0P/RMrUzE7wFtVH34MAxGYyWvS VMsvW6fG8kDhnSGHFCnYx4sglrHoletUrT/IxgeJifF/4KgLMCaKUAgfbFJW6lf2 kph4zsEoCyqPzLTs78uwpWVBPTCB0kt+B0mqLfrdkcpk5ibcG5/w2+7ewzlzmjGR XsNo4rRSCvnAYi7RGPF8uG6NEeDkNUSdaON5P4MZm0GNYIxySi3iItF86pXVzkwl 62Z4qx5ktH6yq1lyhE7T05/5kXYd6dsaLQYhWyycs/syyXdJUuo96J1ZSvGlU2ot Wx/kAhwK9nYYwBI7bIia7x47f53GrFX2le+p/mZG7Vvmc8gc6f4eHjHA7attIWiK MMANx0mySoN7G5G+D0xfwPQ/sxIQgmbiDE5s6Pdz4b+j30iZP8nJHJreHtXm2W+n 45tmHY1+HvAGWGBlumMHEqSJmtFmeQJ5gIexaFiX8CC/cMB6SZUtfGg2JWKwcL1w PTvt4ur3QvgCiomMjDhCNHqOUkBoBN7yz2bEYk81HbaU0R3T1p9MsOxHZmfS+Q/r wYO2nhqZJFQv0bi2tkJ+T124wtPr343YQKw1p/cDE8/qqDiJe7gaWEabVi4jSygZ rjhg8XT7o0LmTIYXK/9N0mqjRvLQSd6lBvXfaLYpw6p8kbPfn4Ytgb/w+Uw6PQfz szZIShkbo197JtW0V/q5 =k0BT -----END PGP SIGNATURE----- From robert.clark at hp.com Tue Apr 9 18:11:51 2013 From: robert.clark at hp.com (Clark, Robert Graham) Date: Tue, 9 Apr 2013 18:11:51 +0000 Subject: [Openstack-security] OSSG Luncheon. Message-ID: OSSG members, To show our support for the fast-growing OpenStack Security Group, HP Cloud Services are sponsoring a meet and greet for the OSSG during the summit. As hosting a dinner is somewhat problematic scheduling-wise we've decided to arrange a luncheon on Tuesday. We chose Tuesday lunch time to meet as it appears to have the least conflicts for the 'security minded' folk out there. The proposed venue is the Davis Street Tavern http://bit.ly/Xqp030 it's about a mile from the conference centre, looks to have decent food and good service. This is an opportunity to meet with the rest of the OpenStack Security Group, discuss projects and trade war stories. We very much hope that a good number of group members will be able to attend. So that's Tuesday, 12:45pm at the Davis Street Tavern. 
Please RSVP on list if you're attending along with any +1's so we can book enough space. We'll make the booking in the next couple of days so get your RSVP in quickly please. See you then! -Rob Robert Clark Security Architect HP Cloud Services -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 6187 bytes Desc: not available URL: From laura.glendenning at jhuapl.edu Wed Apr 10 15:06:50 2013 From: laura.glendenning at jhuapl.edu (Laura Glendenning) Date: Wed, 10 Apr 2013 11:06:50 -0400 Subject: [Openstack-security] OSSG Luncheon. In-Reply-To: References: Message-ID: <5165800A.9090901@jhuapl.edu> Rob, Expect 4 from APL (myself, Bruce Benjamin, Joel Coffman, and Shaku Harshavardhana). Thanks, Laura Glendenning On 04/09/2013 02:11 PM, Clark, Robert Graham wrote: > OSSG members, > > To show our support for the fast-growing OpenStack Security Group, HP > Cloud Services are sponsoring a meet and greet for the OSSG during the > summit. As hosting a dinner is somewhat problematic scheduling-wise > we've decided to arrange a luncheon on Tuesday. We chose Tuesday lunch > time to meet as it appears to have the least conflicts for the 'security > minded' folk out there. > > The proposed venue is the Davis Street Tavern http://bit.ly/Xqp030 it's > about a mile from the conference centre, looks to have decent food and > good service. This is an opportunity to meet with the rest of the > OpenStack Security Group, discuss projects and trade war stories. We > very much hope that a good number of group members will be able to > attend. > > So that's Tuesday, 12:45pm at the Davis Street Tavern. > > Please RSVP on list if you're attending along with any +1's so we can > book enough space. We'll make the booking in the next couple of days so > get your RSVP in quickly please. > > See you then! 
> -Rob > > Robert Clark > Security Architect > HP Cloud Services > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2527 bytes Desc: S/MIME Cryptographic Signature URL: From erwan at zinux.com Wed Apr 10 15:11:17 2013 From: erwan at zinux.com (Erwan Gallen) Date: Wed, 10 Apr 2013 17:11:17 +0200 Subject: [Openstack-security] OSSG Luncheon. In-Reply-To: <5165800A.9090901@jhuapl.edu> References: <5165800A.9090901@jhuapl.edu> Message-ID: <18B63D43-0BBC-4362-8F06-216CE9313514@zinux.com> Hi, I'll be there. Regards, Erwan Cloudwatt +33 6 85 07 96 17 Le 10 avr. 2013 à 17:06, Laura Glendenning a écrit : > Rob, > > Expect 4 from APL (myself, Bruce Benjamin, Joel Coffman, and Shaku > Harshavardhana). > > Thanks, > Laura Glendenning > > On 04/09/2013 02:11 PM, Clark, Robert Graham wrote: >> OSSG members, >> >> To show our support for the fast-growing OpenStack Security Group, HP >> Cloud Services are sponsoring a meet and greet for the OSSG during the >> summit. As hosting a dinner is somewhat problematic scheduling-wise >> we've decided to arrange a luncheon on Tuesday. We chose Tuesday lunch >> time to meet as it appears to have the least conflicts for the 'security >> minded' folk out there. >> >> The proposed venue is the Davis Street Tavern http://bit.ly/Xqp030 it's >> about a mile from the conference centre, looks to have decent food and >> good service. This is an opportunity to meet with the rest of the >> OpenStack Security Group, discuss projects and trade war stories. We >> very much hope that a good number of group members will be able to >> attend. >> >> So that's Tuesday, 12:45pm at the Davis Street Tavern. >> >> Please RSVP on list if you're attending along with any +1's so we can >> book enough space. We'll make the booking in the next couple of days so >> get your RSVP in quickly please. >> >> See you then! 
>> -Rob >> >> Robert Clark >> Security Architect >> HP Cloud Services >> >> > > > _______________________________________________ > Openstack-security mailing list > Openstack-security at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security -------------- next part -------------- An HTML attachment was scrubbed... URL: From thierry at openstack.org Wed Apr 10 15:11:59 2013 From: thierry at openstack.org (Thierry Carrez) Date: Wed, 10 Apr 2013 17:11:59 +0200 Subject: [Openstack-security] OSSG Luncheon. In-Reply-To: References: Message-ID: <5165813F.9050303@openstack.org> Clark, Robert Graham wrote: > So that's Tuesday, 12:45pm at the Davis Street Tavern. > > Please RSVP on list if you're attending along with any +1's so we can > book enough space. We'll make the booking in the next couple of days so > get your RSVP in quickly please. Looks like I should be able to make it, though if something happens at the last minute I'll have to pass :) Count me in ! Cheers, -- Thierry Carrez (ttx) From fungi at yuggoth.org Wed Apr 10 16:31:31 2013 From: fungi at yuggoth.org (Jeremy Stanley) Date: Wed, 10 Apr 2013 16:31:31 +0000 Subject: [Openstack-security] OSSG Luncheon. In-Reply-To: <5165813F.9050303@openstack.org> References: <5165813F.9050303@openstack.org> Message-ID: <20130410163130.GZ1520@yuggoth.org> I'm going to try to make it, but may wind up needing to be at the Tempest session which overlaps with this. I'll follow up if it turns out that I should to be stricken from the count after all. -- Jeremy Stanley From matt.joyce at cloudscaling.com Wed Apr 10 17:23:37 2013 From: matt.joyce at cloudscaling.com (Matt Joyce) Date: Wed, 10 Apr 2013 10:23:37 -0700 Subject: [Openstack-security] OSSG Luncheon. In-Reply-To: <20130410163130.GZ1520@yuggoth.org> References: <5165813F.9050303@openstack.org> <20130410163130.GZ1520@yuggoth.org> Message-ID: I will try to make it as well. 
-Matt On Apr 10, 2013 9:31 AM, "Jeremy Stanley" wrote: > I'm going to try to make it, but may wind up needing to be at the > Tempest session which overlaps with this. I'll follow up if it turns > out that I should to be stricken from the count after all. > -- > Jeremy Stanley > > _______________________________________________ > Openstack-security mailing list > Openstack-security at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security > -------------- next part -------------- An HTML attachment was scrubbed... URL: From zigo at debian.org Wed Apr 10 17:26:55 2013 From: zigo at debian.org (Thomas Goirand) Date: Thu, 11 Apr 2013 01:26:55 +0800 Subject: [Openstack-security] OSSG Luncheon. In-Reply-To: References: Message-ID: <5165A0DF.8010409@debian.org> On 04/10/2013 02:11 AM, Clark, Robert Graham wrote: > OSSG members, > > To show our support for the fast-growing OpenStack Security Group, HP > Cloud Services are sponsoring a meet and greet for the OSSG during the > summit. As hosting a dinner is somewhat problematic scheduling-wise > we've decided to arrange a luncheon on Tuesday. We chose Tuesday lunch > time to meet as it appears to have the least conflicts for the 'security > minded' folk out there. > > The proposed venue is the Davis Street Tavern http://bit.ly/Xqp030 it's > about a mile from the conference centre, looks to have decent food and > good service. This is an opportunity to meet with the rest of the > OpenStack Security Group, discuss projects and trade war stories. We > very much hope that a good number of group members will be able to > attend. > > So that's Tuesday, 12:45pm at the Davis Street Tavern. > > Please RSVP on list if you're attending along with any +1's so we can > book enough space. We'll make the booking in the next couple of days so > get your RSVP in quickly please. > > See you then! > -Rob > > Robert Clark > Security Architect > HP Cloud Services Hi, I'll be happy to join. 
For those who don't know me, I'm the Debian Developer taking care of Openstack packaging, and as a consequence, of the Q/A uploads in testing (and soon stable, when it will be released). It will be great to meet you guys in real! Thomas From kbasil at redhat.com Wed Apr 10 18:30:21 2013 From: kbasil at redhat.com (Keith Basil) Date: Wed, 10 Apr 2013 14:30:21 -0400 Subject: [Openstack-security] OSSG Luncheon. In-Reply-To: References: Message-ID: <71DF3B51-EBE6-4B5A-9F0E-84876FE5902E@redhat.com> +1 -k -- keith basil | principal product manager, OpenStack kbasil at redhat.com | redhat.com/openstack 757-769-8674 (m) | 978-813-1323 (o) skype/twitter/github/irc, life: noslzzp On Apr 9, 2013, at 2:11 PM, Clark, Robert Graham wrote: > OSSG members, > > To show our support for the fast-growing OpenStack Security Group, HP > Cloud Services are sponsoring a meet and greet for the OSSG during the > summit. As hosting a dinner is somewhat problematic scheduling-wise > we've decided to arrange a luncheon on Tuesday. We chose Tuesday lunch > time to meet as it appears to have the least conflicts for the 'security > minded' folk out there. > > The proposed venue is the Davis Street Tavern http://bit.ly/Xqp030 it's > about a mile from the conference centre, looks to have decent food and > good service. This is an opportunity to meet with the rest of the > OpenStack Security Group, discuss projects and trade war stories. We > very much hope that a good number of group members will be able to > attend. > > So that's Tuesday, 12:45pm at the Davis Street Tavern. > > Please RSVP on list if you're attending along with any +1's so we can > book enough space. We'll make the booking in the next couple of days so > get your RSVP in quickly please. > > See you then! 
> -Rob > > Robert Clark > Security Architect > HP Cloud Services > > > _______________________________________________ > Openstack-security mailing list > Openstack-security at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security From bdpayne at acm.org Thu Apr 11 00:40:38 2013 From: bdpayne at acm.org (Bryan D. Payne) Date: Wed, 10 Apr 2013 17:40:38 -0700 Subject: [Openstack-security] IRC meetings canceled until after the summit Message-ID: Just a quick note to say that we will not be having OSSG IRC meetings on April 11 or April 18, due to the Summit. We will resume the normal meetings after the summit. I hope to see many of you at the summit. We already have a great response for the Tuesday OSSG lunch. If you haven't RSVP'd please do so soon. Cheers, -bryan From thomas at suse.de Thu Apr 11 13:02:04 2013 From: thomas at suse.de (Thomas Biege) Date: Thu, 11 Apr 2013 15:02:04 +0200 Subject: [Openstack-security] OSSG Luncheon. In-Reply-To: References: Message-ID: <5166B44C.7090201@suse.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -1 I am not at the summit this time. :( Have fun, Thomas Am 09.04.2013 20:11, schrieb Clark, Robert Graham: > OSSG members, > > To show our support for the fast-growing OpenStack Security Group, > HP Cloud Services are sponsoring a meet and greet for the OSSG > during the summit. As hosting a dinner is somewhat problematic > scheduling-wise we've decided to arrange a luncheon on Tuesday. We > chose Tuesday lunch time to meet as it appears to have the least > conflicts for the 'security minded' folk out there. > > The proposed venue is the Davis Street Tavern http://bit.ly/Xqp030 > it's about a mile from the conference centre, looks to have decent > food and good service. This is an opportunity to meet with the rest > of the OpenStack Security Group, discuss projects and trade war > stories. We very much hope that a good number of group members will > be able to attend. 
> > So that's Tuesday, 12:45pm at the Davis Street Tavern. > > Please RSVP on list if you're attending along with any +1's so we > can book enough space. We'll make the booking in the next couple of > days so get your RSVP in quickly please. > > See you then! -Rob > > Robert Clark Security Architect HP Cloud Services > > > > > _______________________________________________ Openstack-security > mailing list Openstack-security at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security > > - -- Thomas Biege , Team Leader MaintenanceSecurity, CSSLP SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) - -- Wer aufhoert besser werden zu wollen, hoert auf gut zu sein. -- Marie von Ebner-Eschenbach -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJRZrRMAAoJEJqHoVJVjr8DeJQH/28jD4RLPkR8F9RO7vS3XVMT HPP4EDEiyXrQN9m139gBWl/As8VJAz8qlBiIH7V313y7DOKVqPwprlTNm0W6IE3c BjcQfMta/0BHWbqTs6xEZ3ui+B/UKECcq+IFpkCz8KGijzb14sKUD4SVDfDzPpbm dMhnE+gYeS/Qe0Yspbxx+RsHSny39kYV2J1ZLvYLwmlKTAfQ40S8Foj15Y1VBb5y +IpB2YYSoOqWl/a0Im4tc2grf6hZ/1zX/atY2ck7hS/VnJys9qoL5dQSSqr3IjxQ C2rrmeFQ1FugMgPhtGhz0pQfg1u64ILKuL6FyoNMslCH4wuyHZ21XYlPKeiZ+m8= =xjLh -----END PGP SIGNATURE----- From n.paladi at gmail.com Thu Apr 11 13:18:00 2013 From: n.paladi at gmail.com (Nicolae Paladi) Date: Thu, 11 Apr 2013 15:18:00 +0200 Subject: [Openstack-security] Fwd: OSSG Luncheon. In-Reply-To: <5166B44C.7090201@suse.de> References: <5166B44C.7090201@suse.de> Message-ID: -1 same here, didn't make it to the summit this time cheers, /Nico ---------- Forwarded message ---------- From: Thomas Biege Date: 11 April 2013 15:02 Subject: Re: [Openstack-security] OSSG Luncheon. To: openstack-security at lists.openstack.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -1 I am not at the summit this time. 
:( Have fun, Thomas Am 09.04.2013 20:11, schrieb Clark, Robert Graham: > OSSG members, > > To show our support for the fast-growing OpenStack Security Group, > HP Cloud Services are sponsoring a meet and greet for the OSSG > during the summit. As hosting a dinner is somewhat problematic > scheduling-wise we've decided to arrange a luncheon on Tuesday. We > chose Tuesday lunch time to meet as it appears to have the least > conflicts for the 'security minded' folk out there. > > The proposed venue is the Davis Street Tavern http://bit.ly/Xqp030 > it's about a mile from the conference centre, looks to have decent > food and good service. This is an opportunity to meet with the rest > of the OpenStack Security Group, discuss projects and trade war > stories. We very much hope that a good number of group members will > be able to attend. > > So that's Tuesday, 12:45pm at the Davis Street Tavern. > > Please RSVP on list if you're attending along with any +1's so we > can book enough space. We'll make the booking in the next couple of > days so get your RSVP in quickly please. > > See you then! -Rob > > Robert Clark Security Architect HP Cloud Services > > > > > _______________________________________________ Openstack-security > mailing list Openstack-security at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security > > - -- Thomas Biege , Team Leader MaintenanceSecurity, CSSLP SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) - -- Wer aufhoert besser werden zu wollen, hoert auf gut zu sein. 
-- Marie von Ebner-Eschenbach -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJRZrRMAAoJEJqHoVJVjr8DeJQH/28jD4RLPkR8F9RO7vS3XVMT HPP4EDEiyXrQN9m139gBWl/As8VJAz8qlBiIH7V313y7DOKVqPwprlTNm0W6IE3c BjcQfMta/0BHWbqTs6xEZ3ui+B/UKECcq+IFpkCz8KGijzb14sKUD4SVDfDzPpbm dMhnE+gYeS/Qe0Yspbxx+RsHSny39kYV2J1ZLvYLwmlKTAfQ40S8Foj15Y1VBb5y +IpB2YYSoOqWl/a0Im4tc2grf6hZ/1zX/atY2ck7hS/VnJys9qoL5dQSSqr3IjxQ C2rrmeFQ1FugMgPhtGhz0pQfg1u64ILKuL6FyoNMslCH4wuyHZ21XYlPKeiZ+m8= =xjLh -----END PGP SIGNATURE----- _______________________________________________ Openstack-security mailing list Openstack-security at lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security -------------- next part -------------- An HTML attachment was scrubbed... URL: From rperryman at gmail.com Fri Apr 12 01:47:44 2013 From: rperryman at gmail.com (Randy Perryman) Date: Thu, 11 Apr 2013 21:47:44 -0400 Subject: [Openstack-security] luncheon @ Summit Message-ID: <023701ce371f$badecac0$309c6040$@gmail.com> +1 Randy Perryman Dell, inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From zigo at debian.org Sat Apr 13 01:18:21 2013 From: zigo at debian.org (Thomas Goirand) Date: Sat, 13 Apr 2013 09:18:21 +0800 Subject: [Openstack-security] OSSG Luncheon. In-Reply-To: References: Message-ID: <5168B25D.9020206@debian.org> On 04/10/2013 02:11 AM, Clark, Robert Graham wrote: > The proposed venue is the Davis Street Tavern http://bit.ly/Xqp030 it's > about a mile from the conference centre, looks to have decent food and > good service. This is an opportunity to meet with the rest of the > OpenStack Security Group, discuss projects and trade war stories. We > very much hope that a good number of group members will be able to > attend. > > So that's Tuesday, 12:45pm at the Davis Street Tavern. It does look like there's a tram line going next to the tavern. 
Does anyone know Portland and can tell what line we should take from the conference center, or where to find this information? Cheers, Thomas From fungi at yuggoth.org Sat Apr 13 01:31:27 2013 From: fungi at yuggoth.org (Jeremy Stanley) Date: Sat, 13 Apr 2013 01:31:27 +0000 Subject: [Openstack-security] OSSG Luncheon. In-Reply-To: <5168B25D.9020206@debian.org> References: <5168B25D.9020206@debian.org> Message-ID: <20130413013126.GA25089@yuggoth.org> On 2013-04-13 09:18:21 +0800 (+0800), Thomas Goirand wrote: > It does look like there's a tram line going next to the tavern. Does > anyone know Portland and can tell what line we should take from the > conference center, or where to find this information? It looks like it's about a mile walk, or else take the green line from the Convention Center MAX Station towards the city center and Portland State University (3 stops) to the station at NW 5th and Couch Street. -- Jeremy Stanley From robert.clark at hp.com Mon Apr 15 17:19:20 2013 From: robert.clark at hp.com (Clark, Robert Graham) Date: Mon, 15 Apr 2013 17:19:20 +0000 Subject: [Openstack-security] Summit Security Picks Message-ID: Hi All, In case you've missed them, here's a selection of the security related talks at the summit this week Monday ------ Cloud Keep http://openstacksummitapril2013.sched.org/event/886118ad75e16dae1da91d9ca98 66ca7#.UWwzKiskGyc Tuesday ------- VPN-as-a-Service http://openstacksummitapril2013.sched.org/event/2eab4785efb66e2bdc40d529335 49401#.UWwzyCskGyc Firewall-as-a-Service http://openstacksummitapril2013.sched.org/event/4a3e55a01c2f40e775259cb7f40 3fcf9#.UWwz3SskGyc RPC Message Signing and Encryption http://openstacksummitapril2013.sched.org/event/a9981bf4aab2052b7df966ab71c eb713#.UWw0ISskGyc Wednesday --------- Nova Updates for Disk Encryption http://openstacksummitapril2013.sched.org/event/10dc3d6a84e3a087b03a6377b94 4f4bd#.UWw0WCskGyc [ ^^ Collides With ] Case Study on Virtualising Advanced Network and Security Services 
http://openstacksummitapril2013.sched.org/event/c425abe00b168c7468914c34ace 7c790#.UWw0hyskGyc Firewall-as-a-Service http://openstacksummitapril2013.sched.org/event/c425abe00b168c7468914c34ace 7c790#.UWw0hyskGyc Vulnerability Management: Infras Needs, Scoring http://openstacksummitapril2013.sched.org/event/90e648cbcbf3f453e7d53918752 6d4d1#.UWw03yskGyc VPN-as-a-service http://openstacksummitapril2013.sched.org/event/a9264b0dd9470fba9335acc8a78 ff61c#.UWw0-yskGyc Thursday [Lots of collisions] -------- Cinder Update for Disk Encryption http://openstacksummitapril2013.sched.org/event/c8b42c9c10342da121d919b72a2 06bd8#.UWw1OiskGyc SAML, Oauth 2 and SCIM http://openstacksummitapril2013.sched.org/event/f9633b038397252508e50139d18 2e24e#.UWw1UyskGyc Securing OpenStack with FreeIPA http://openstacksummitapril2013.sched.org/event/02841e3d64620e15b861db63628 735bd#.UWw1eCskGyc A Multi-Tenant RBAC Federated System for OpenStack http://openstacksummitapril2013.sched.org/event/446c17aeceeaa26f7617732e7ba 5b111#.UWw1niskGyc Support for Domain quota management http://openstacksummitapril2013.sched.org/event/c0c6befcb4361e54d5c7e45b2f7 72de7#.UWw1qiskGyc Cloud Security: We're doing it wrong. 
http://openstacksummitapril2013.sched.org/event/f96d9529fe616f6f9f0f0155f34 a1909#.UWw1wSskGyc Federated Access to OpenStack via Keystone v3 API http://openstacksummitapril2013.sched.org/event/64ef2716e7eac6b2c0bb728ed6b 830e7#.UWw16iskGyc OpenStack Security Group - Present and Future http://openstacksummitapril2013.sched.org/event/a8e332bd0553e860657880a82b8 c6b8b#.UWw2ASskGyc Folsom Security in Review http://openstacksummitapril2013.sched.org/event/14020a2119c1e055140ad6cbbf2 c65cd#.UWw2HyskGyc Practical OpenStack Cloud Hardening and PCI-DSS Readiness http://openstacksummitapril2013.sched.org/event/cc5c026266e96f47df21f730634 7d6f7#.UWw2MyskGyc Securing OpenStack's Underside: True Computing http://openstacksummitapril2013.sched.org/event/9cc051b1d6bf6eaeea856bbda14 60f9f#.UWw2TCskGyc From robert.clark at hp.com Mon Apr 15 17:28:43 2013 From: robert.clark at hp.com (Clark, Robert Graham) Date: Mon, 15 Apr 2013 17:28:43 +0000 Subject: [Openstack-security] Summit Security Picks In-Reply-To: Message-ID: Short links: Monday ------ Cloud Keep http://bit.ly/YKOoCs Tuesday ------- VPN-as-a-Service http://bit.ly/15g8fMN Firewall-as-a-Service http://bit.ly/YKOKsS RPC Message Signing and Encryption http://bit.ly/ZWkvtK Wednesday --------- Nova Updates for Disk Encryption http://bit.ly/10XPgRs [ ^^ Collides With ] Case Study on Virtualising Advanced Network and Security Services http://bit.ly/15g8ojt Firewall-as-a-Service http://bit.ly/15g8ojt Vulnerability Management: Infras Needs, Scoring http://bit.ly/10XPo3b VPN-as-a-service http://bit.ly/16Yor3e Thursday [Lots of collisions] -------- Cinder Update for Disk Encryption http://bit.ly/136r6JV SAML, Oauth 2 and SCIM http://bit.ly/12f9uc2 Securing OpenStack with FreeIPA http://bit.ly/138tCLQ A Multi-Tenant RBAC Federated System for OpenStack http://bit.ly/14qkJlr Support for Domain quota management http://bit.ly/XCyW9T Cloud Security: We're doing it wrong. 
http://bit.ly/XCyWXs Federated Access to OpenStack via Keystone v3 API http://bit.ly/10XPsju OpenStack Security Group - Present and Future http://bit.ly/12f9N6K Folsom Security in Review http://bit.ly/XCz0GC Practical OpenStack Cloud Hardening and PCI-DSS Readiness http://bit.ly/117qLQx Securing OpenStack's Underside: True Computing http://bit.ly/10XPyYs On 15/04/2013 10:19, "Clark, Robert Graham" wrote: >Hi All, > >In case you've missed them, here's a selection of the security related >talks at the summit this week > >Monday >------ >Cloud Keep >http://openstacksummitapril2013.sched.org/event/886118ad75e16dae1da91d9ca9 >8 >66ca7#.UWwzKiskGyc > >Tuesday >------- >VPN-as-a-Service >http://openstacksummitapril2013.sched.org/event/2eab4785efb66e2bdc40d52933 >5 >49401#.UWwzyCskGyc > >Firewall-as-a-Service >http://openstacksummitapril2013.sched.org/event/4a3e55a01c2f40e775259cb7f4 >0 >3fcf9#.UWwz3SskGyc > >RPC Message Signing and Encryption >http://openstacksummitapril2013.sched.org/event/a9981bf4aab2052b7df966ab71 >c >eb713#.UWw0ISskGyc > >Wednesday >--------- >Nova Updates for Disk Encryption >http://openstacksummitapril2013.sched.org/event/10dc3d6a84e3a087b03a6377b9 >4 >4f4bd#.UWw0WCskGyc > >[ ^^ Collides With ] > >Case Study on Virtualising Advanced Network and Security Services >http://openstacksummitapril2013.sched.org/event/c425abe00b168c7468914c34ac >e >7c790#.UWw0hyskGyc > > >Firewall-as-a-Service >http://openstacksummitapril2013.sched.org/event/c425abe00b168c7468914c34ac >e >7c790#.UWw0hyskGyc > > >Vulnerability Management: Infras Needs, Scoring >http://openstacksummitapril2013.sched.org/event/90e648cbcbf3f453e7d5391875 >2 >6d4d1#.UWw03yskGyc > > >VPN-as-a-service >http://openstacksummitapril2013.sched.org/event/a9264b0dd9470fba9335acc8a7 >8 >ff61c#.UWw0-yskGyc > > >Thursday [Lots of collisions] >-------- > >Cinder Update for Disk Encryption >http://openstacksummitapril2013.sched.org/event/c8b42c9c10342da121d919b72a >2 >06bd8#.UWw1OiskGyc > > >SAML, Oauth 2 
and SCIM >http://openstacksummitapril2013.sched.org/event/f9633b038397252508e50139d1 >8 >2e24e#.UWw1UyskGyc > > >Securing OpenStack with FreeIPA >http://openstacksummitapril2013.sched.org/event/02841e3d64620e15b861db6362 >8 >735bd#.UWw1eCskGyc > > >A Multi-Tenant RBAC Federated System for OpenStack >http://openstacksummitapril2013.sched.org/event/446c17aeceeaa26f7617732e7b >a >5b111#.UWw1niskGyc > > >Support for Domain quota management >http://openstacksummitapril2013.sched.org/event/c0c6befcb4361e54d5c7e45b2f >7 >72de7#.UWw1qiskGyc > > >Cloud Security: We're doing it wrong. >http://openstacksummitapril2013.sched.org/event/f96d9529fe616f6f9f0f0155f3 >4 >a1909#.UWw1wSskGyc > > >Federated Access to OpenStack via Keystone v3 API >http://openstacksummitapril2013.sched.org/event/64ef2716e7eac6b2c0bb728ed6 >b >830e7#.UWw16iskGyc > > >OpenStack Security Group - Present and Future >http://openstacksummitapril2013.sched.org/event/a8e332bd0553e860657880a82b >8 >c6b8b#.UWw2ASskGyc > > >Folsom Security in Review >http://openstacksummitapril2013.sched.org/event/14020a2119c1e055140ad6cbbf >2 >c65cd#.UWw2HyskGyc > > >Practical OpenStack Cloud Hardening and PCI-DSS Readiness >http://openstacksummitapril2013.sched.org/event/cc5c026266e96f47df21f73063 >4 >7d6f7#.UWw2MyskGyc > > >Securing OpenStack's Underside: True Computing >http://openstacksummitapril2013.sched.org/event/9cc051b1d6bf6eaeea856bbda1 >4 >60f9f#.UWw2TCskGyc > > > > > > > > > > >_______________________________________________ >Openstack-security mailing list >Openstack-security at lists.openstack.org >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security From malini.k.bhandaru at intel.com Tue Apr 16 00:32:50 2013 From: malini.k.bhandaru at intel.com (Bhandaru, Malini K) Date: Tue, 16 Apr 2013 00:32:50 +0000 Subject: [Openstack-security] Summit Security Picks In-Reply-To: References: Message-ID: Would very much appreciate input on: 
http://openstacksummitapril2013.sched.org/event/d9aee375d4bdccf9ddf4b37390536b08 Regards Malini -----Original Message----- From: Clark, Robert Graham [mailto:robert.clark at hp.com] Sent: Monday, April 15, 2013 10:29 AM To: Clark, Robert Graham; openstack-security at lists.openstack.org Subject: Re: [Openstack-security] Summit Security Picks Short links: Monday ------ Cloud Keep http://bit.ly/YKOoCs Tuesday ------- VPN-as-a-Service http://bit.ly/15g8fMN Firewall-as-a-Service http://bit.ly/YKOKsS RPC Message Signing and Encryption http://bit.ly/ZWkvtK Wednesday --------- Nova Updates for Disk Encryption http://bit.ly/10XPgRs [ ^^ Collides With ] Case Study on Virtualising Advanced Network and Security Services http://bit.ly/15g8ojt Firewall-as-a-Service http://bit.ly/15g8ojt Vulnerability Management: Infras Needs, Scoring http://bit.ly/10XPo3b VPN-as-a-service http://bit.ly/16Yor3e Thursday [Lots of collisions] -------- Cinder Update for Disk Encryption http://bit.ly/136r6JV SAML, Oauth 2 and SCIM http://bit.ly/12f9uc2 Securing OpenStack with FreeIPA http://bit.ly/138tCLQ A Multi-Tenant RBAC Federated System for OpenStack http://bit.ly/14qkJlr Support for Domain quota management http://bit.ly/XCyW9T Cloud Security: We're doing it wrong. 
http://bit.ly/XCyWXs

Federated Access to OpenStack via Keystone v3 API
http://bit.ly/10XPsju

OpenStack Security Group - Present and Future
http://bit.ly/12f9N6K

Folsom Security in Review
http://bit.ly/XCz0GC

Practical OpenStack Cloud Hardening and PCI-DSS Readiness
http://bit.ly/117qLQx

Securing OpenStack's Underside: True Computing
http://bit.ly/10XPyYs

On 15/04/2013 10:19, "Clark, Robert Graham" wrote:

>Hi All,
>
>In case you've missed them, here's a selection of the security related talks at the summit this week
>
>Monday
>------
>Cloud Keep
>http://openstacksummitapril2013.sched.org/event/886118ad75e16dae1da91d9ca9866ca7#.UWwzKiskGyc
>
>Tuesday
>-------
>VPN-as-a-Service
>http://openstacksummitapril2013.sched.org/event/2eab4785efb66e2bdc40d52933549401#.UWwzyCskGyc
>
>Firewall-as-a-Service
>http://openstacksummitapril2013.sched.org/event/4a3e55a01c2f40e775259cb7f403fcf9#.UWwz3SskGyc
>
>RPC Message Signing and Encryption
>http://openstacksummitapril2013.sched.org/event/a9981bf4aab2052b7df966ab71ceb713#.UWw0ISskGyc
>
>Wednesday
>---------
>Nova Updates for Disk Encryption
>http://openstacksummitapril2013.sched.org/event/10dc3d6a84e3a087b03a6377b944f4bd#.UWw0WCskGyc
>
>[ ^^ Collides With ]
>
>Case Study on Virtualising Advanced Network and Security Services
>http://openstacksummitapril2013.sched.org/event/c425abe00b168c7468914c34ace7c790#.UWw0hyskGyc
>
>Firewall-as-a-Service
>http://openstacksummitapril2013.sched.org/event/c425abe00b168c7468914c34ace7c790#.UWw0hyskGyc
>
>Vulnerability Management: Infras Needs, Scoring
>http://openstacksummitapril2013.sched.org/event/90e648cbcbf3f453e7d539187526d4d1#.UWw03yskGyc
>
>VPN-as-a-service
>http://openstacksummitapril2013.sched.org/event/a9264b0dd9470fba9335acc8a78ff61c#.UWw0-yskGyc
>
>Thursday [Lots of collisions]
>--------
>
>Cinder Update for Disk Encryption
>http://openstacksummitapril2013.sched.org/event/c8b42c9c10342da121d919b72a206bd8#.UWw1OiskGyc
>
>SAML, Oauth 2 and SCIM
>http://openstacksummitapril2013.sched.org/event/f9633b038397252508e50139d182e24e#.UWw1UyskGyc
>
>Securing OpenStack with FreeIPA
>http://openstacksummitapril2013.sched.org/event/02841e3d64620e15b861db63628735bd#.UWw1eCskGyc
>
>A Multi-Tenant RBAC Federated System for OpenStack
>http://openstacksummitapril2013.sched.org/event/446c17aeceeaa26f7617732e7ba5b111#.UWw1niskGyc
>
>Support for Domain quota management
>http://openstacksummitapril2013.sched.org/event/c0c6befcb4361e54d5c7e45b2f772de7#.UWw1qiskGyc
>
>Cloud Security: We're doing it wrong.
>http://openstacksummitapril2013.sched.org/event/f96d9529fe616f6f9f0f0155f34a1909#.UWw1wSskGyc
>
>Federated Access to OpenStack via Keystone v3 API
>http://openstacksummitapril2013.sched.org/event/64ef2716e7eac6b2c0bb728ed6b830e7#.UWw16iskGyc
>
>OpenStack Security Group - Present and Future
>http://openstacksummitapril2013.sched.org/event/a8e332bd0553e860657880a82b8c6b8b#.UWw2ASskGyc
>
>Folsom Security in Review
>http://openstacksummitapril2013.sched.org/event/14020a2119c1e055140ad6cbbf2c65cd#.UWw2HyskGyc
>
>Practical OpenStack Cloud Hardening and PCI-DSS Readiness
>http://openstacksummitapril2013.sched.org/event/cc5c026266e96f47df21f7306347d6f7#.UWw2MyskGyc
>
>Securing OpenStack's Underside: True Computing
>http://openstacksummitapril2013.sched.org/event/9cc051b1d6bf6eaeea856bbda1460f9f#.UWw2TCskGyc

From robert.clark at hp.com Tue Apr 16 08:47:28 2013
From: robert.clark at hp.com (Clark, Robert Graham)
Date: Tue, 16 Apr 2013 08:47:28 +0000
Subject: [Openstack-security] Summit Security Picks

Hi Malini,

I'm sure that I and several members of the OSSG will be there. Good luck with your talk; if you're coming to lunch tomorrow we can chat before you present.

-Rob

On 15/04/2013 17:32, "Bhandaru, Malini K" wrote:

>Would very much appreciate input on:
>http://openstacksummitapril2013.sched.org/event/d9aee375d4bdccf9ddf4b37390536b08
>Regards
>Malini
>
>-----Original Message-----
>From: Clark, Robert Graham [mailto:robert.clark at hp.com]
>Sent: Monday, April 15, 2013 10:29 AM
>To: Clark, Robert Graham; openstack-security at lists.openstack.org
>Subject: Re: [Openstack-security] Summit Security Picks
>
>Short links:
>
>Monday
>------
>Cloud Keep
>http://bit.ly/YKOoCs
>
>Tuesday
>-------
>VPN-as-a-Service
>http://bit.ly/15g8fMN
>
>Firewall-as-a-Service
>http://bit.ly/YKOKsS
>
>RPC Message Signing and Encryption
>http://bit.ly/ZWkvtK
>
>Wednesday
>---------
>Nova Updates for Disk Encryption
>http://bit.ly/10XPgRs
>
>[ ^^ Collides With ]
>
>Case Study on Virtualising Advanced Network and Security Services
>http://bit.ly/15g8ojt
>
>Firewall-as-a-Service
>http://bit.ly/15g8ojt
>
>Vulnerability Management: Infras Needs, Scoring
>http://bit.ly/10XPo3b
>
>VPN-as-a-service
>http://bit.ly/16Yor3e
>
>Thursday [Lots of collisions]
>--------
>
>Cinder Update for Disk Encryption
>http://bit.ly/136r6JV
>
>SAML, Oauth 2 and SCIM
>http://bit.ly/12f9uc2
>
>Securing OpenStack with FreeIPA
>http://bit.ly/138tCLQ
>
>A Multi-Tenant RBAC Federated System for OpenStack
>http://bit.ly/14qkJlr
>
>Support for Domain quota management
>http://bit.ly/XCyW9T
>
>Cloud Security: We're doing it wrong.
>http://bit.ly/XCyWXs
>
>Federated Access to OpenStack via Keystone v3 API
>http://bit.ly/10XPsju
>
>OpenStack Security Group - Present and Future
>http://bit.ly/12f9N6K
>
>Folsom Security in Review
>http://bit.ly/XCz0GC
>
>Practical OpenStack Cloud Hardening and PCI-DSS Readiness
>http://bit.ly/117qLQx
>
>Securing OpenStack's Underside: True Computing
>http://bit.ly/10XPyYs
>
>On 15/04/2013 10:19, "Clark, Robert Graham" wrote:
>
>>Hi All,
>>
>>In case you've missed them, here's a selection of the security related talks at the summit this week
>>
>>Monday
>>------
>>Cloud Keep
>>http://openstacksummitapril2013.sched.org/event/886118ad75e16dae1da91d9ca9866ca7#.UWwzKiskGyc
>>
>>Tuesday
>>-------
>>VPN-as-a-Service
>>http://openstacksummitapril2013.sched.org/event/2eab4785efb66e2bdc40d52933549401#.UWwzyCskGyc
>>
>>Firewall-as-a-Service
>>http://openstacksummitapril2013.sched.org/event/4a3e55a01c2f40e775259cb7f403fcf9#.UWwz3SskGyc
>>
>>RPC Message Signing and Encryption
>>http://openstacksummitapril2013.sched.org/event/a9981bf4aab2052b7df966ab71ceb713#.UWw0ISskGyc
>>
>>Wednesday
>>---------
>>Nova Updates for Disk Encryption
>>http://openstacksummitapril2013.sched.org/event/10dc3d6a84e3a087b03a6377b944f4bd#.UWw0WCskGyc
>>
>>[ ^^ Collides With ]
>>
>>Case Study on Virtualising Advanced Network and Security Services
>>http://openstacksummitapril2013.sched.org/event/c425abe00b168c7468914c34ace7c790#.UWw0hyskGyc
>>
>>Firewall-as-a-Service
>>http://openstacksummitapril2013.sched.org/event/c425abe00b168c7468914c34ace7c790#.UWw0hyskGyc
>>
>>Vulnerability Management: Infras Needs, Scoring
>>http://openstacksummitapril2013.sched.org/event/90e648cbcbf3f453e7d539187526d4d1#.UWw03yskGyc
>>
>>VPN-as-a-service
>>http://openstacksummitapril2013.sched.org/event/a9264b0dd9470fba9335acc8a78ff61c#.UWw0-yskGyc
>>
>>Thursday [Lots of collisions]
>>--------
>>
>>Cinder Update for Disk Encryption
>>http://openstacksummitapril2013.sched.org/event/c8b42c9c10342da121d919b72a206bd8#.UWw1OiskGyc
>>
>>SAML, Oauth 2 and SCIM
>>http://openstacksummitapril2013.sched.org/event/f9633b038397252508e50139d182e24e#.UWw1UyskGyc
>>
>>Securing OpenStack with FreeIPA
>>http://openstacksummitapril2013.sched.org/event/02841e3d64620e15b861db63628735bd#.UWw1eCskGyc
>>
>>A Multi-Tenant RBAC Federated System for OpenStack
>>http://openstacksummitapril2013.sched.org/event/446c17aeceeaa26f7617732e7ba5b111#.UWw1niskGyc
>>
>>Support for Domain quota management
>>http://openstacksummitapril2013.sched.org/event/c0c6befcb4361e54d5c7e45b2f772de7#.UWw1qiskGyc
>>
>>Cloud Security: We're doing it wrong.
>>http://openstacksummitapril2013.sched.org/event/f96d9529fe616f6f9f0f0155f34a1909#.UWw1wSskGyc
>>
>>Federated Access to OpenStack via Keystone v3 API
>>http://openstacksummitapril2013.sched.org/event/64ef2716e7eac6b2c0bb728ed6b830e7#.UWw16iskGyc
>>
>>OpenStack Security Group - Present and Future
>>http://openstacksummitapril2013.sched.org/event/a8e332bd0553e860657880a82b8c6b8b#.UWw2ASskGyc
>>
>>Folsom Security in Review
>>http://openstacksummitapril2013.sched.org/event/14020a2119c1e055140ad6cbbf2c65cd#.UWw2HyskGyc
>>
>>Practical OpenStack Cloud Hardening and PCI-DSS Readiness
>>http://openstacksummitapril2013.sched.org/event/cc5c026266e96f47df21f7306347d6f7#.UWw2MyskGyc
>>
>>Securing OpenStack's Underside: True Computing
>>http://openstacksummitapril2013.sched.org/event/9cc051b1d6bf6eaeea856bbda1460f9f#.UWw2TCskGyc

From robert.clark at hp.com Tue Apr 16 18:30:01 2013
From: robert.clark at hp.com (Clark, Robert Graham)
Date: Tue, 16 Apr 2013 18:30:01 +0000
Subject: [Openstack-security] OSSG Luncheon.

Just a quick reminder for today's luncheon.

See you there.

-Rob

On 09/04/2013 19:11, "Clark, Robert Graham" wrote:

>OSSG members,
>
>To show our support for the fast-growing OpenStack Security Group, HP Cloud Services are sponsoring a meet and greet for the OSSG during the summit. As hosting a dinner is somewhat problematic scheduling-wise we've decided to arrange a luncheon on Tuesday. We chose Tuesday lunch time to meet as it appears to have the least conflicts for the 'security minded' folk out there.
>
>The proposed venue is the Davis Street Tavern http://bit.ly/Xqp030 it's about a mile from the conference centre, looks to have decent food and good service. This is an opportunity to meet with the rest of the OpenStack Security Group, discuss projects and trade war stories. We very much hope that a good number of group members will be able to attend.
>
>So that's Tuesday, 12:45pm at the Davis Street Tavern.
>
>Please RSVP on list if you're attending along with any +1's so we can book enough space. We'll make the booking in the next couple of days so get your RSVP in quickly please.
>
>See you then!
>-Rob
>
>Robert Clark
>Security Architect
>HP Cloud Services

From robert.clark at hp.com Tue Apr 16 19:20:28 2013
From: robert.clark at hp.com (Clark, Robert Graham)
Date: Tue, 16 Apr 2013 19:20:28 +0000
Subject: [Openstack-security] OSSG Luncheon.

Early arrivals are welcome to join myself and Ben DeBont at the Bar while they prepare our table.

On 16/04/2013 11:30, "Clark, Robert Graham" wrote:

>Just a quick reminder for today's luncheon.
>
>See you there.
>
>-Rob
>
>On 09/04/2013 19:11, "Clark, Robert Graham" wrote:
>
>>OSSG members,
>>
>>To show our support for the fast-growing OpenStack Security Group, HP Cloud Services are sponsoring a meet and greet for the OSSG during the summit. As hosting a dinner is somewhat problematic scheduling-wise we've decided to arrange a luncheon on Tuesday. We chose Tuesday lunch time to meet as it appears to have the least conflicts for the 'security minded' folk out there.
>>
>>The proposed venue is the Davis Street Tavern http://bit.ly/Xqp030 it's about a mile from the conference centre, looks to have decent food and good service. This is an opportunity to meet with the rest of the OpenStack Security Group, discuss projects and trade war stories. We very much hope that a good number of group members will be able to attend.
>>
>>So that's Tuesday, 12:45pm at the Davis Street Tavern.
>>
>>Please RSVP on list if you're attending along with any +1's so we can book enough space. We'll make the booking in the next couple of days so get your RSVP in quickly please.
>>
>>See you then!
>>-Rob
>>
>>Robert Clark
>>Security Architect
>>HP Cloud Services

From mikal at stillhq.com Tue Apr 16 19:24:48 2013
From: mikal at stillhq.com (Michael Still)
Date: Tue, 16 Apr 2013 12:24:48 -0700
Subject: [Openstack-security] OSSG Luncheon.

Unfortunately I can't make lunch because my conference presentation is straight after. I'd be interested in meeting some OSSG people some other time though.

Michael

On Tue, Apr 16, 2013 at 12:20 PM, Clark, Robert Graham wrote:
> Early arrivals are welcome to join myself and Ben DeBont at the Bar while they prepare our table.
>
> On 16/04/2013 11:30, "Clark, Robert Graham" wrote:
>
> >Just a quick reminder for today's luncheon.
> >
> >See you there.
> >
> >-Rob
> >
> >On 09/04/2013 19:11, "Clark, Robert Graham" wrote:
> >
> >>OSSG members,
> >>
> >>To show our support for the fast-growing OpenStack Security Group, HP Cloud Services are sponsoring a meet and greet for the OSSG during the summit. As hosting a dinner is somewhat problematic scheduling-wise we've decided to arrange a luncheon on Tuesday. We chose Tuesday lunch time to meet as it appears to have the least conflicts for the 'security minded' folk out there.
> >>
> >>The proposed venue is the Davis Street Tavern http://bit.ly/Xqp030 it's about a mile from the conference centre, looks to have decent food and good service. This is an opportunity to meet with the rest of the OpenStack Security Group, discuss projects and trade war stories. We very much hope that a good number of group members will be able to attend.
> >>
> >>So that's Tuesday, 12:45pm at the Davis Street Tavern.
> >>
> >>Please RSVP on list if you're attending along with any +1's so we can book enough space. We'll make the booking in the next couple of days so get your RSVP in quickly please.
> >>
> >>See you then!
> >>-Rob
> >>
> >>Robert Clark
> >>Security Architect
> >>HP Cloud Services

From malini.k.bhandaru at intel.com Tue Apr 16 22:31:40 2013
From: malini.k.bhandaru at intel.com (Bhandaru, Malini K)
Date: Tue, 16 Apr 2013 22:31:40 +0000
Subject: [Openstack-security] OSSG Luncheon.

Sorry! I missed this! Would very much like to at least say an in-person hello to some of you. I met the JHU-APL folks only.
Malini

-----Original Message-----
From: Clark, Robert Graham [mailto:robert.clark at hp.com]
Sent: Tuesday, April 16, 2013 11:30 AM
To: Clark, Robert Graham; openstack-security at lists.openstack.org
Cc: Bryan D. Payne (bryan.payne at nebula.com)
Subject: Re: [Openstack-security] OSSG Luncheon.

Just a quick reminder for today's luncheon.

See you there.

-Rob

On 09/04/2013 19:11, "Clark, Robert Graham" wrote:

>OSSG members,
>
>To show our support for the fast-growing OpenStack Security Group, HP Cloud Services are sponsoring a meet and greet for the OSSG during the summit. As hosting a dinner is somewhat problematic scheduling-wise we've decided to arrange a luncheon on Tuesday. We chose Tuesday lunch time to meet as it appears to have the least conflicts for the 'security minded' folk out there.
>
>The proposed venue is the Davis Street Tavern http://bit.ly/Xqp030 it's about a mile from the conference centre, looks to have decent food and good service. This is an opportunity to meet with the rest of the OpenStack Security Group, discuss projects and trade war stories. We very much hope that a good number of group members will be able to attend.
>
>So that's Tuesday, 12:45pm at the Davis Street Tavern.
>
>Please RSVP on list if you're attending along with any +1's so we can book enough space. We'll make the booking in the next couple of days so get your RSVP in quickly please.
>
>See you then!
>-Rob
>
>Robert Clark
>Security Architect
>HP Cloud Services

From robert.clark at hp.com Wed Apr 17 23:03:27 2013
From: robert.clark at hp.com (Clark, Robert Graham)
Date: Wed, 17 Apr 2013 23:03:27 +0000
Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting

All, below is our draft security note for bug https://bugs.launchpad.net/keystone/+bug/1098177; please review before I release it on the general OpenStack ML.

Thanks!

-Rob


Requests with large POST body can crash Pre-Grizzly Keystone or underlying services.
-----

### Summary ###
Concurrent Keystone POST requests with large body messages are held in memory without filtering or rate limiting; this can lead to resource exhaustion on the Keystone server.

### Affected Services / Software ###
Keystone, Databases

### Discussion ###
Keystone stores POST messages in memory before validation; concurrent submission of multiple large POST messages can cause the Keystone process to be killed due to memory exhaustion, resulting in a remote Denial of Service.

In many cases Keystone will be deployed behind a load-balancer or proxy that can rate limit POST messages inbound to Keystone. Grizzly is protected against that through the sizelimit middleware.

### Recommended Actions ###
If you are in a situation where Keystone is directly exposed to incoming POST messages and not protected by the sizelimit middleware, there are a number of load-balancing/proxy options; we suggest you consider one of the following:

Nginx: Open-source, high-performance HTTP server and reverse proxy.
Nginx Config: http://wiki.nginx.org/HttpCoreModule#client_max_body_size

Apache: HTTP Server Project
Apache Config: http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody

### Contacts / References ###
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1098177
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

From bdpayne at acm.org Wed Apr 17 23:48:18 2013
From: bdpayne at acm.org (Bryan D. Payne)
Date: Wed, 17 Apr 2013 16:48:18 -0700
Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting

Looks good to me.
-bryan

On Wed, Apr 17, 2013 at 4:03 PM, Clark, Robert Graham wrote:
> All, below is our draft security note for bug https://bugs.launchpad.net/keystone/+bug/1098177 please review before I release it on the general OpenStack ML.
>
> Thanks!
>
> -Rob
>
>
> Requests with large POST body can crash Pre-Grizzly Keystone or underlying services.
> -----
>
> ### Summary ###
> Concurrent Keystone POST requests with large body messages are held in memory without filtering or rate limiting, this can lead to resource exhaustion on the Keystone server.
>
> ### Affected Services / Software ###
> Keystone, Databases
>
> ### Discussion ###
> Keystone stores POST messages in memory before validation, concurrent submission of multiple large POST messages can cause the Keystone process to be killed due to memory exhaustion, resulting in a remote Denial of Service.
>
> In many cases Keystone will be deployed behind a load-balancer or proxy that can rate limit POST messages inbound to Keystone. Grizzly is protected against that through the sizelimit middleware.
>
> ### Recommended Actions ###
> If you are in a situation where Keystone is directly exposed to incoming POST messages and not protected by the sizelimit middleware there are a number of load-balancing/proxy options, we suggest you consider one of the following:
>
> Nginx: Open-source, high-performance HTTP server and reverse proxy.
> Nginx Config: http://wiki.nginx.org/HttpCoreModule#client_max_body_size
>
> Apache: HTTP Server Project
> Apache Config: http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
>
> ### Contacts / References ###
> Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1098177
> OpenStack Security ML : openstack-security at lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg

From kseifried at redhat.com Thu Apr 18 02:57:20 2013
From: kseifried at redhat.com (Kurt Seifried)
Date: Wed, 17 Apr 2013 20:57:20 -0600
Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting
Message-ID: <516F6110.1020508@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/17/2013 05:03 PM, Clark, Robert Graham wrote:
> All, below is our draft security note for bug https://bugs.launchpad.net/keystone/+bug/1098177 please review before I release it on the general OpenStack ML.

So normally you guys send the finished draft to distros@ and I assign it a CVE there. If you want I can start assigning the CVE here and now. That sound ok?

> Thanks!
>
> -Rob
>
>
> Requests with large POST body can crash Pre-Grizzly Keystone or underlying services.
> -----
>
> ### Summary ###
> Concurrent Keystone POST requests with large body messages are held in memory without filtering or rate limiting, this can lead to resource exhaustion on the Keystone server.
>
> ### Affected Services / Software ###
> Keystone, Databases
>
> ### Discussion ###
> Keystone stores POST messages in memory before validation, concurrent submission of multiple large POST messages can cause the Keystone process to be killed due to memory exhaustion, resulting in a remote Denial of Service.
>
> In many cases Keystone will be deployed behind a load-balancer or proxy that can rate limit POST messages inbound to Keystone. Grizzly is protected against that through the sizelimit middleware.
>
> ### Recommended Actions ###
> If you are in a situation where Keystone is directly exposed to incoming POST messages and not protected by the sizelimit middleware there are a number of load-balancing/proxy options, we suggest you consider one of the following:
>
> Nginx: Open-source, high-performance HTTP server and reverse proxy.
> Nginx Config: http://wiki.nginx.org/HttpCoreModule#client_max_body_size
>
> Apache: HTTP Server Project
> Apache Config: http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
>
> ### Contacts / References ###
> Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1098177
> OpenStack Security ML : openstack-security at lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg

- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRb2EQAAoJEBYNRVNeJnmT2HIQAI26fzoXDw96zqU9ANyYRrLv
LMRL90QHqw1cHeFSLbA8qYymwNXV/FL1Q1D+7+JIYqXaQNZp4e0QbL1pohi/D8Xh
qCRrfFHdVWNjdctZohSkFoHfYLsuvws6sPQ2F/36Lc/zIqvU+OQitQnJYiF7KTDp
Bd9fCgZWVpJ6cYy0iTiNcn3grUWYAlXfjCcf0hQfzpPEnrHeWpvv88nOGdNY+uGx
FnteGjuB5tzrUaFd32ZOf9qK0qrM2/0vkccOY3tYUtUCHBXlcEbo5xb4PquaQJ1z
fOYzlPAi9AkDxff9psNXWxYHbzehN1FisS4crEAedBiVC2D0VLVN8ppD+4iDjj/N
fwYsZ9S1uVZ043BY2hg9VGPqP7jjKdZg7AOAMWJL+rwyTo6GuQys8qD2ooY3UDvh
trCO/4i8Wl2UY3HFWV8OtG/FPUdv0DKGHoF1PRaExbJKyB1cnqsHuaVcezrppIZL
kndnXdctfbJFNR7JdMbxI5T8TPzY3tXAna4yq6et3LFFniWC6DIPyiMeA+NIvqJg
+dzWQcRqX0hOIhyRMu5V6KWfdrcA7hKziP+H4Vx0QouBR+lOqmlsnVKDqNrZxHn0
pt8zk2oVhBy2inzHzciOzdRuB9XwIaaEDWpdHdiypjT4JnmNeBRnLFi1fVvrgtz0
iraQeg3pIOwNmCaNb7U+
=ycXK
-----END PGP SIGNATURE-----

From robert.clark at hp.com Thu Apr 18 03:02:28 2013
From: robert.clark at hp.com (Clark, Robert Graham)
Date: Thu, 18 Apr 2013 03:02:28 +0000
Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting
In-Reply-To: <516F6110.1020508@redhat.com>

On 17/04/2013 19:57, "Kurt Seifried" wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 04/17/2013 05:03 PM, Clark, Robert Graham wrote:
>> All, below is our draft security note for bug https://bugs.launchpad.net/keystone/+bug/1098177 please review before I release it on the general OpenStack ML.
>
>So normally you guys send the finished draft to distros@ and I assign it a CVE there. If you want I can start assigning the CVE here and now. That sound ok?
>
>> Thanks!
>>
>> -Rob
>>
>>
>> Requests with large POST body can crash Pre-Grizzly Keystone or underlying services.
>> -----
>>
>> ### Summary ###
>> Concurrent Keystone POST requests with large body messages are held in memory without filtering or rate limiting, this can lead to resource exhaustion on the Keystone server.
>>
>> ### Affected Services / Software ###
>> Keystone, Databases
>>
>> ### Discussion ###
>> Keystone stores POST messages in memory before validation, concurrent submission of multiple large POST messages can cause the Keystone process to be killed due to memory exhaustion, resulting in a remote Denial of Service.
>>
>> In many cases Keystone will be deployed behind a load-balancer or proxy that can rate limit POST messages inbound to Keystone. Grizzly is protected against that through the sizelimit middleware.
>>
>> ### Recommended Actions ###
>> If you are in a situation where Keystone is directly exposed to incoming POST messages and not protected by the sizelimit middleware there are a number of load-balancing/proxy options, we suggest you consider one of the following:
>>
>> Nginx: Open-source, high-performance HTTP server and reverse proxy.
>> Nginx Config: http://wiki.nginx.org/HttpCoreModule#client_max_body_size
>>
>> Apache: HTTP Server Project
>> Apache Config: http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
>>
>> ### Contacts / References ###
>> Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1098177
>> OpenStack Security ML : openstack-security at lists.openstack.org
>> OpenStack Security Group : https://launchpad.net/~openstack-ossg
>
>- --
>Kurt Seifried Red Hat Security Response Team (SRT)
>PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Hi Kurt,

This isn't being considered as an 'OpenStack Vulnerability' as such…

OpenStack Security Notes exist to guide users and implementers of OpenStack through various security 'pain-points'. Security Notes do not directly address vulnerabilities in OpenStack.
OSNs provide guidance to ensure secure use of OpenStack and will often provide workarounds or advice for 3rd party libraries and services used in conjunction with OpenStack.

These notes are a product of the OSSG. You should probably reach out to the VMT if you believe that a CVE is required. I've sent this around for comments on -security this evening and I'll publish it (with any changes) tomorrow morning (west-coast).

-Rob

From kseifried at redhat.com Thu Apr 18 03:30:50 2013
From: kseifried at redhat.com (Kurt Seifried)
Date: Wed, 17 Apr 2013 21:30:50 -0600
Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting
Message-ID: <516F68EA.9010409@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/17/2013 09:02 PM, Clark, Robert Graham wrote:
>
> On 17/04/2013 19:57, "Kurt Seifried" wrote:
>
> On 04/17/2013 05:03 PM, Clark, Robert Graham wrote:
>>>> All, below is our draft security note for bug https://bugs.launchpad.net/keystone/+bug/1098177 please review before I release it on the general OpenStack ML.
>
> So normally you guys send the finished draft to distros@ and I assign it a CVE there. If you want I can start assigning the CVE here and now. That sound ok?
>
>>>> Thanks!
>>>>
>>>> -Rob
>>>>
>>>>
>>>> Requests with large POST body can crash Pre-Grizzly Keystone or underlying services.
>>>> -----
>>>>
>>>> ### Summary ###
>>>> Concurrent Keystone POST requests with large body messages are held in memory without filtering or rate limiting, this can lead to resource exhaustion on the Keystone server.
>>>>
>>>> ### Affected Services / Software ###
>>>> Keystone, Databases
>>>>
>>>> ### Discussion ###
>>>> Keystone stores POST messages in memory before validation, concurrent submission of multiple large POST messages can cause the Keystone process to be killed due to memory exhaustion, resulting in a remote Denial of Service.
>>>>
>>>> In many cases Keystone will be deployed behind a load-balancer or proxy that can rate limit POST messages inbound to Keystone. Grizzly is protected against that through the sizelimit middleware.
>>>>
>>>> ### Recommended Actions ###
>>>> If you are in a situation where Keystone is directly exposed to incoming POST messages and not protected by the sizelimit middleware there are a number of load-balancing/proxy options, we suggest you consider one of the following:

> Hi Kurt,
>
> This isn't being considered as an 'OpenStack Vulnerability' as such…
>
> OpenStack Security Notes exist to guide users and implementers of OpenStack through various security 'pain-points'. Security Notes do not directly address vulnerabilities in OpenStack. OSNs provide guidance to ensure secure use of OpenStack and will often provide work arounds or advice for 3rd party libraries and services used in conjunction with OpenStack.
>
> These notes are a product of the OSSG. You should probably reach out to the VMT if you believe that a CVE is required. I've sent this around for comments on -security this evening and I'll publish it (with any changes) tomorrow morning (west-coast).
>
> -Rob

Ok but this sounds like a classic web DoS (send some big requests to server, server falls over/stays busy for a long time).

"Concurrent Keystone POST requests with large body messages are held in memory without filtering or rate limiting, this can lead to resource exhaustion on the Keystone server."

If this was brought up to me internally at Red Hat I would have 1) assigned a CVE and then 2) notified upstream; this definitely is a security flaw.
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRb2jqAAoJEBYNRVNeJnmT/MQP/0uWYezwNki3Q/d7Y9+NXucc i2RYTtuTPvZaT87ilRIIJxYTFkuza7m/bmlayI+jft8wI+NswRWlXA5MtnKdl8Kp 9htyzM4QSrlqWjsBYT1mAvK/wgYwb6dDi+DsEzfAQIbiFP0IJX5ZOvX7thCqt2vX 40DcUFANhEJu+78S0MgNgVdBJxtXWSNbizZdDEgWWaZqUVT0uigFBUWnz4razHcL aCjsJWDVGkORjmXLAea/P+gmA5/CO8tF9tTElwwVbtsNK/XN+LVBptC2k6/06Er9 YSF42kUPRUDnnxF4tjjPW+vBiSOcu5XPDy2geELVo8tTB0SIq6r7rmCnpx31XbiI xA0VjUOtL60is/iDzaVK/U1Jv+j0lpv8vTkJNLPZGt5IZqmt4+Zf5SOaemp7WOMP IiZNoKK4Xp21orAD013cGOZ4vCDndZHzTS9X6hInrw4e3Iz2fm+ab0cQyroyY3Ox WjZPeV/JLpPEYWO10jfL12jBlkeBpzufri96iyI01bzc6XVzuY/IX3ZiYncaNM+1 UO4WG2b4qOU/O2YtOVk4hvV/E2AMFTkHsmmlE9GWXJPWUe+dlSlDQMuXJ2vad+M+ 8fYa/gniheeZ0DCdlRx1aSPtMGQvoOYAoTkSBtBqb526zTLYnNQGYjS9S7orypeA 1qBCWow304un3wDfDAan =e+cJ -----END PGP SIGNATURE----- From robert.clark at hp.com Thu Apr 18 03:38:33 2013 From: robert.clark at hp.com (Clark, Robert Graham) Date: Thu, 18 Apr 2013 03:38:33 +0000 Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting In-Reply-To: <516F68EA.9010409@redhat.com> Message-ID: On 17/04/2013 20:30, "Kurt Seifried" wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On 04/17/2013 09:02 PM, Clark, Robert Graham wrote: >> >> On 17/04/2013 19:57, "Kurt Seifried" wrote: >> >> On 04/17/2013 05:03 PM, Clark, Robert Graham wrote: >>>>> All, below is our draft security note for bug >>>>> https://bugs.launchpad.net/keystone/+bug/1098177 please >>>>> review before I release it on the general OpenStack ML. >> >> So normally you guys send the finished draft to distros@ and I >> assign it a CVE there. If you want I can start assigning the CVE >> here and now. That sound ok? >> >>>>> Thanks! 
>>>>> >>>>> -Rob >>>>> >>>>> >>>>> Requests with large POST body can crash Pre-Grizzly Keystone >>>>> or underlying services. ----- >>>>> >>>>> ### Summary ### Concurrent Keystone POST requests with large >>>>> body messages are held in memory without filtering or rate >>>>> limiting, this can lead to resource exhaustion on the >>>>> Keystone server. >>>>> >>>>> ### Affected Services / Software ### Keystone, Databases >>>>> >>>>> ### Discussion ### Keystone stores POST messages in memory >>>>> before validation, concurrent submission of multiple large >>>>> POST messages can cause the Keystone process to be killed due >>>>> to memory exhaustion, resulting in a remote Denial of >>>>> Service. >>>>> >>>>> In many cases Keystone will be deployed behind a >>>>> load-balancer or proxy that can rate limit POST messages >>>>> inbound to Keystone. Grizzly is protected against that >>>>> through the sizelimit middleware. >>>>> >>>>> ### Recommended Actions ### If you are in a situation where >>>>> Keystone is directly exposed to incoming POST messages and >>>>> not protected by the sizelimit middleware there are a number >>>>> of load-balancing/proxy options, we suggest you consider one >>>>> of the following: > > >> Hi Kurt, >> >> This isn't being considered as an 'OpenStack Vulnerability' as >> such... >> >> OpenStack Security Notes exist to guide users and implementers of >> OpenStack through various security 'pain-points'. Security Notes do >> not directly address vulnerabilities in OpenStack. OSNs provide >> guidance to ensure secure use of OpenStack and will often provide >> workarounds or advice for 3rd party libraries and services used in >> conjunction with OpenStack. >> >> These notes are a product of the OSSG. You should probably reach >> out to the VMT if you believe that a CVE is required. I've sent >> this around for comments on -security this evening and I'll publish >> it (with any changes) tomorrow morning (west-coast). 
>> >> -Rob > >Ok but this sounds like a classic web DoS (send some big requests to >server, server falls over/stays busy for a long time). > >"Concurrent Keystone POST requests with large body messages are held >in memory without filtering or rate limiting, this can lead to >resource exhaustion on the Keystone server. " > >If this was brought up to me internally at Red Hat I would have 1) >assigned a CVE and then 2) notified upstream, this definitely is a >security flaw. > >- -- >Kurt Seifried Red Hat Security Response Team (SRT) >PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.13 (GNU/Linux) > >iQIcBAEBAgAGBQJRb2jqAAoJEBYNRVNeJnmT/MQP/0uWYezwNki3Q/d7Y9+NXucc >i2RYTtuTPvZaT87ilRIIJxYTFkuza7m/bmlayI+jft8wI+NswRWlXA5MtnKdl8Kp >9htyzM4QSrlqWjsBYT1mAvK/wgYwb6dDi+DsEzfAQIbiFP0IJX5ZOvX7thCqt2vX >40DcUFANhEJu+78S0MgNgVdBJxtXWSNbizZdDEgWWaZqUVT0uigFBUWnz4razHcL >aCjsJWDVGkORjmXLAea/P+gmA5/CO8tF9tTElwwVbtsNK/XN+LVBptC2k6/06Er9 >YSF42kUPRUDnnxF4tjjPW+vBiSOcu5XPDy2geELVo8tTB0SIq6r7rmCnpx31XbiI >xA0VjUOtL60is/iDzaVK/U1Jv+j0lpv8vTkJNLPZGt5IZqmt4+Zf5SOaemp7WOMP >IiZNoKK4Xp21orAD013cGOZ4vCDndZHzTS9X6hInrw4e3Iz2fm+ab0cQyroyY3Ox >WjZPeV/JLpPEYWO10jfL12jBlkeBpzufri96iyI01bzc6XVzuY/IX3ZiYncaNM+1 >UO4WG2b4qOU/O2YtOVk4hvV/E2AMFTkHsmmlE9GWXJPWUe+dlSlDQMuXJ2vad+M+ >8fYa/gniheeZ0DCdlRx1aSPtMGQvoOYAoTkSBtBqb526zTLYnNQGYjS9S7orypeA >1qBCWow304un3wDfDAan >=e+cJ >-----END PGP SIGNATURE----- I agree with you. I'm not currently responsible for how OpenStack handles issues and whether they're considered as 'vulnerabilities' though the OSSG will be assisting with that process in the near future. 
There's discussion of the issue here: https://bugs.launchpad.net/keystone/+bug/1098177 I believe the request for us to cut an OSN in response to this was due to the fact that it doesn't affect Grizzly and most people who would have a vulnerable attack surface (web facing etc) would already be running Keystone behind Nginx, WAFs, LBs etc. I can hold the draft while you create a CVE and we can reference that in the released OSN; you should probably approach the VMT about the CVE or comment on the bug perhaps? -Rob From kseifried at redhat.com Thu Apr 18 05:37:56 2013 From: kseifried at redhat.com (Kurt Seifried) Date: Wed, 17 Apr 2013 23:37:56 -0600 Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting In-Reply-To: References: Message-ID: <516F86B4.5000209@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/17/2013 09:38 PM, Clark, Robert Graham wrote: > I agree with you. I'm not currently responsible for how OpenStack > handles issues and whether they're considered as 'vulnerabilities' > though the OSSG will be assisting with that process in the near > future. > > There's discussion of the issue here: > https://bugs.launchpad.net/keystone/+bug/1098177 I believe the > request for us to cut an OSN in response to this was due to the fact > that it doesn't affect Grizzly and most people who would have a > vulnerable attack surface (web facing etc) would already be running > Keystone behind Nginx, WAFs, LBs etc. > > I can hold the draft while you create a CVE and we can reference > that in the released OSN, you should probably approach the VMT > about the CVE or comment on the bug perhaps? > > -Rob I've emailed the OpenStack VMT to confirm handling this. 
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRb4azAAoJEBYNRVNeJnmT33MP/RpAY6Z5Iaz9Li9BWLJAtUqS qyh4bTRGz9tdAu4wu6ZmfRuOZ8256r5b9el3lf4a6o42WoDGSVCxc2+5yG8mC8YV nwEqw8Ol6IUNV3lWi1jVX7Gho5zDZnI3Dvc1O24UNJ4Afptloitp1apUi4VK4HQo pCS6iMuKZwaojfmzuySkAeT39vhf5bWoDPxv91Oa4tl1UHRVDp83dya4lBizNOwv jMszUloBf+AAOmGhW2wFaX5bezgaxlQN8W+gAE1QueFoK5G8eyiCayCeP6bzhqZG 3soJQRysoa2HSmZvJ37MLbUNV/S3DyfhBFrB99yc8/m/rkLaynF9mddqL7dWrBZ1 5rBPQLFX+9yFYnDhS8ppguRTv/jW6DZUkCX47BU/YCr8iKOnbnPDeQ72XnHDubXv PcXAmI36IprawQoM/almAKf4R2JGecnrgg4DaQawWbDc/Kn61dKe6U67rGBW+UOj UEBJEYTgQmIdFAXgdj8e52bIFZRlIkJf3FVHEOXIIQDVmk7/zAsIVG/tC+leMBCk EAo/qkebWh/oIfxwl7zopWTsoYT5B9DnoxdQR2NGaUJP10wvSr6Ja3RoWI0XoINF 9KBC7srAWwgLodBSyDzyAkjkbNovB3dHUI91c2qCxXquN9Ff4QzZnvPChregkgM/ ZPEqza2Sb3e9IrRFss2z =JHVL -----END PGP SIGNATURE----- From bdpayne at acm.org Thu Apr 18 06:18:20 2013 From: bdpayne at acm.org (Bryan D. Payne) Date: Wed, 17 Apr 2013 23:18:20 -0700 Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting In-Reply-To: <516F86B4.5000209@redhat.com> References: <516F86B4.5000209@redhat.com> Message-ID: FWIW, I believe that one of the decision points here was that this resource exhaustion attack is linear, rather than exponential. So it's not as bad as a traditional DoS attack. I could see this one going either way. Happy to close the loop with VMT before publishing the note. However, it may also be worth noting that this entire bug / OSN has been handled publicly. Cheers, -bryan On Wed, Apr 17, 2013 at 10:37 PM, Kurt Seifried wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 04/17/2013 09:38 PM, Clark, Robert Graham wrote: >> I agree with you. 
I'm not currently responsible for how OpenStack >> handles issues and whether they're considered as 'vulnerabilities' >> though the OSSG will be assisting with that process in the near >> future. >> >> There's discussion of the issue here: >> https://bugs.launchpad.net/keystone/+bug/1098177 I believe the >> request for us to cut an OSN in response to this was due to the fact >> that it doesn't affect Grizzly and most people who would have a >> vulnerable attack surface (web facing etc) would already be running >> Keystone behind Nginx, WAFs, LBs etc. >> >> I can hold the draft while you create a CVE and we can reference >> that in the released OSN, you should probably approach the VMT >> about the CVE or comment on the bug perhaps? >> >> -Rob > > I've emailed the OpenStack VMT to confirm handling this. > > - -- > Kurt Seifried Red Hat Security Response Team (SRT) > PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.13 (GNU/Linux) > > iQIcBAEBAgAGBQJRb4azAAoJEBYNRVNeJnmT33MP/RpAY6Z5Iaz9Li9BWLJAtUqS > qyh4bTRGz9tdAu4wu6ZmfRuOZ8256r5b9el3lf4a6o42WoDGSVCxc2+5yG8mC8YV > nwEqw8Ol6IUNV3lWi1jVX7Gho5zDZnI3Dvc1O24UNJ4Afptloitp1apUi4VK4HQo > pCS6iMuKZwaojfmzuySkAeT39vhf5bWoDPxv91Oa4tl1UHRVDp83dya4lBizNOwv > jMszUloBf+AAOmGhW2wFaX5bezgaxlQN8W+gAE1QueFoK5G8eyiCayCeP6bzhqZG > 3soJQRysoa2HSmZvJ37MLbUNV/S3DyfhBFrB99yc8/m/rkLaynF9mddqL7dWrBZ1 > 5rBPQLFX+9yFYnDhS8ppguRTv/jW6DZUkCX47BU/YCr8iKOnbnPDeQ72XnHDubXv > PcXAmI36IprawQoM/almAKf4R2JGecnrgg4DaQawWbDc/Kn61dKe6U67rGBW+UOj > UEBJEYTgQmIdFAXgdj8e52bIFZRlIkJf3FVHEOXIIQDVmk7/zAsIVG/tC+leMBCk > EAo/qkebWh/oIfxwl7zopWTsoYT5B9DnoxdQR2NGaUJP10wvSr6Ja3RoWI0XoINF > 9KBC7srAWwgLodBSyDzyAkjkbNovB3dHUI91c2qCxXquN9Ff4QzZnvPChregkgM/ > ZPEqza2Sb3e9IrRFss2z > =JHVL > -----END PGP SIGNATURE----- > > _______________________________________________ > Openstack-security mailing list > Openstack-security at lists.openstack.org > 
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security From kseifried at redhat.com Thu Apr 18 06:56:34 2013 From: kseifried at redhat.com (Kurt Seifried) Date: Thu, 18 Apr 2013 00:56:34 -0600 Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting In-Reply-To: References: <516F86B4.5000209@redhat.com> Message-ID: <516F9922.2070600@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/18/2013 12:18 AM, Bryan D. Payne wrote: > FWIW, I believe that one of the decision points here was that this > resource exhaustion attack is linear, rather than exponential. So > it's not as bad as a traditional DoS attack. I could see this one > going either way. Happy to close the loop with VMT before > publishing the note. However, it may also be worth noting that > this entire bug / OSN has been handled publicly. Right, DoS is about more than just quadratic/exponential resource use. Here the problem is that keystone crashes and dies, and you have some serious problems until you get it restarted. With network access an attacker can easily kill keystone repeatedly and make your life not fun. 
> > Cheers, -bryan - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRb5kiAAoJEBYNRVNeJnmTEVoQAJ5rnKfuDA0uIPzm5cvylVd/ QG89bOuaN72p4rMj2HMzyW3CimzH8aBy4aBtoZza29grYjA/U7xbo/G7XdcaxwRR Z20F32dz+duVZpigWECjb2SidukmmZxDTYYOpd1mk3vNV+mTAXz31yUtO+VhHw7y Q4+XwVmZ8dDXQnzxs3LMPVvFyYlkqg9gsm82FVz/HomVZD6y9ZV7mFSnNvRIzezc 3mANVC3zQ46tb2wVpMthC4Q9oJDrj7bQSy2uQ3tSNlOX6kXg3cc/v6uFEl9QWdOT H4TJg1Md55ukWewzc8aCPAXYMyanfqLmSGJuUlInsdMI9K84l9TiCv0rLyPApT9V QcheUO1scSiV+LBY0mwzC7j89hhG6+YwyBAXXdc5LNYnv5ctZD+ZSjwi4sEyG6UT Tb4uEmcVWV/EC1tzRGu1tICRIp/wCvghMDnqo6mpEw1YxMRlejerXIYToFi0u51f 8JQpwjmm1nkTJmLLCfxYRa9+0zZNbwaa62pL8QHAr7/YOz3Vh8yOQDVK/KxVJ634 PKq1N/g+gpV6425gOWKBgLO5dPGi0HpIH+CRRldDnkwOxCECwqFmP7g7sjQVyi1A sWr+koGZWd98XeCv8NpETOkXimU23mVfqENEyL2F7UGeuNTDRLKx4hjRPeJGkM+s GmMu+drbXpNA7Gno9YLy =WK2E -----END PGP SIGNATURE----- From thierry at openstack.org Mon Apr 22 12:53:31 2013 From: thierry at openstack.org (Thierry Carrez) Date: Mon, 22 Apr 2013 14:53:31 +0200 Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting In-Reply-To: References: <516F86B4.5000209@redhat.com> Message-ID: <517532CB.30704@openstack.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Bryan D. Payne wrote: > FWIW, I believe that one of the decision points here was that this > resource exhaustion attack is linear, rather than exponential. So > it's not as bad as a traditional DoS attack. I could see this one > going either way. Happy to close the loop with VMT before > publishing the note. However, it may also be worth noting that > this entire bug / OSN has been handled publicly. Replied to Kurt privately. On this one we made a trade-off: rather than pushing a disruptive new feature to a stable branch, we documented the issue and how to deploy to avoid it. 
This is why it appears in an OSN rather than an OSSA: the fix is not in the code. That doesn't mean a CVE is not warranted. Grizzly has the sizelimit middleware and is therefore not affected. The text of the note looks good -- maybe the title could be changed to something that doesn't make it look like a current vulnerability as much, but more like deployment advice for older versions -- that way people will not mistake it for a weird OSSA. My try at it would be: "HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS" Hope this helps, - -- Thierry Carrez (ttx) Release Manager, OpenStack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJRdTLLAAoJEFB6+JAlsQQj9nYP+QGTO8QzBXFMdtyiKAkvcVE5 3bhNg9vQ1+mDr2o94sSCTfyULB+hTj0iVODxObcuDOUzSHtbRsrS/w0Ogo/gaj85 uFyNiorPRa1T7d2CCXHb/+A1QkHwOuhJ0uRs0M6D3qNB5pPFpse0b8FzJk5crm78 5ROcp/K/q9HHBu2T5XlezjZw8aPDWuhlliJbbUNrIRuHrtIx3jKOaNWPCX1+ZDoV +cLzU9tRH7+jRck8L9vq695GV/0UHr6knce19UHqUZBI76eHlXvjQ5d0v9o5b9hU KFn0iFCH3fUJT04qUMH0IVgPxgeg6Bkx1d+Q6on6gfhqDG95fuby1kswL0gKewFv wm+faxv9ZoPaPMdDZw9rUQiVa+Zih3hpG1UHvhB1WIQUtR9o97gYMweU1Bsz3v4y P//jVsBd01d+YwI1x6fSz3hAJ9fb6sRvQbvPfS7FAEAbG5sb0wuMf0jOl7SBA+ZA MQ7uXqDSti+oHmGmUXPDoWotR/Ml9JVibLyjz5TWXF+DoWHJN3YVLfToM0Jsy0cx 5UsLd4CqI3ndNQdpOolJZYV35fOlWFoYXpayfcOe9T/FO6A7JfJkvpB/khupAJhS 05fYsUPsFjFbBUdsnDPVzzI8OQxOqgC77hhkDB1gPsZHKTEtBFWrhIPWGIu8dJTw FyXssa7IfA1gElXIRioo =J1lP -----END PGP SIGNATURE----- From matt.joyce at cloudscaling.com Mon Apr 22 20:35:58 2013 From: matt.joyce at cloudscaling.com (Matt Joyce) Date: Mon, 22 Apr 2013 13:35:58 -0700 Subject: [Openstack-security] OSN vs OSSA Message-ID: In short... If ( { "OSSA": "OpenStack Security Advisory" } ) then ( { "OSSN": "OpenStack Security Note" } ) Shouldn't it be an OSSN not an OSN? -Matt -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From bdpayne at acm.org Mon Apr 22 20:43:43 2013 From: bdpayne at acm.org (Bryan D. Payne) Date: Mon, 22 Apr 2013 13:43:43 -0700 Subject: [Openstack-security] OSN vs OSSA In-Reply-To: References: Message-ID: Sure. Not sure that it matters too much. But I'm pretty indifferent on this one. -bryan On Mon, Apr 22, 2013 at 1:35 PM, Matt Joyce wrote: > In short... > > If ( { "OSSA": "OpenStack Security Advisory" } ) > > then ( { "OSSN": "OpenStack Security Note" } ) > > > Shouldn't it be an OSSN not an OSN? > > -Matt > > _______________________________________________ > Openstack-security mailing list > Openstack-security at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security > From robert.clark at hp.com Mon Apr 22 20:42:49 2013 From: robert.clark at hp.com (Clark, Robert Graham) Date: Mon, 22 Apr 2013 20:42:49 +0000 Subject: [Openstack-security] OSN vs OSSA In-Reply-To: Message-ID: Probably yes. From: "matt.joyce at cloudscaling.com" > Date: Monday, 22 April 2013 13:35 To: "openstack-security at lists.openstack.org" > Subject: [Openstack-security] OSN vs OSSA In short... If ( { "OSSA": "OpenStack Security Advisory" } ) then ( { "OSSN": "OpenStack Security Note" } ) Shouldn't it be an OSSN not an OSN? -Matt From kseifried at redhat.com Mon Apr 22 22:04:06 2013 From: kseifried at redhat.com (Kurt Seifried) Date: Mon, 22 Apr 2013 16:04:06 -0600 Subject: [Openstack-security] OSN vs OSSA In-Reply-To: References: Message-ID: <5175B3D6.8050301@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/22/2013 02:43 PM, Bryan D. Payne wrote: > Sure. Not sure that it matters too much. But I'm pretty > indifferent on this one. -bryan > > On Mon, Apr 22, 2013 at 1:35 PM, Matt Joyce > wrote: >> In short... >> >> If ( { "OSSA": "OpenStack Security Advisory" } ) >> >> then ( { "OSSN": "OpenStack Security Note" } ) >> >> >> Shouldn't it be an OSSN not an OSN? >> >> -Matt Consistency is almost always better than random exceptions. 
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRdbPWAAoJEBYNRVNeJnmTxAMQAK7UibaEWXHRQSJvTpiR0vQX TYp4iaM4goiBIBzBtOSNovV8jYroScOTKk5YLehPg7awFpj6ltjHi5cU7NSiOeI1 dz+4qr4YdAL4LE8lzj+lT00sjsJpS8DfVYwFaTBCZdo8L5u4lUI+r4u9NCZ1FkhM 1YmvdbH+QJfYxizt26iceNvddu+Hu6VScjkfisbkX2QU8y/ITOjXkMyo2oiRmIur 6jKiKoEC7Ye/hm72IlHKxQXUKw5imhNRXs/KbG04lNx7NsJTAaEz3PXODVymKSYg 4TCD7fMo6BmnL3US2s3cf151eBI2wt/YxvW5gPSBxgIAbLjF8bMlU4WkErWL8y2E LbKX7gEQueQ7AKCS+dHxnYGcd/xrQTnYmp9zJGpsY2qH5RLBDY1YCadpa/FJ4Bey Q1Fq8F1TjoYLNbafNrFnh5cYUKKZMcCIovUP9sGpuajiyKssEhM3/JFyv6cr4gfT IkUJzNjat2z/At1htbDS8C4cYk5ZKAScTkNtcx0RFDI10Xs2AWJ+rRD9VBp9Hxhw Z30rxlnNblouiLa3JdMWkOsqRde4BEhGBw0fZVUnnqET/yGZniOdForEKgfGM25I 0nsTwzL2eaRewjf/N5eG5Kd0ZIEyeUsLATbRii/gKGa1LwjFy1mrj/yD5KO8h+SC x00LeWqMAmiUbIVLWxbc =6vO6 -----END PGP SIGNATURE----- From kseifried at redhat.com Tue Apr 23 06:33:38 2013 From: kseifried at redhat.com (Kurt Seifried) Date: Tue, 23 Apr 2013 00:33:38 -0600 Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting In-Reply-To: <517532CB.30704@openstack.org> References: <516F86B4.5000209@redhat.com> <517532CB.30704@openstack.org> Message-ID: <51762B42.4040105@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/22/2013 06:53 AM, Thierry Carrez wrote: > Bryan D. Payne wrote: >> FWIW, I believe that one of the decision points here was that >> this resource exhaustion attack is linear, rather than >> exponential. So it's not as bad as a traditional DoS attack. I >> could see this one going either way. Happy to close the loop >> with VMT before publishing the note. However, it may also be >> worth noting that this entire bug / OSN has been handled >> publicly. > > Replied to Kurt privately. 
> > On this one we made a trade-off: rather than pushing a disruptive > new feature to a stable branch, we documented the issue and how to > deploy to avoid it. This is why it appears in an OSN rather than an > OSSA: the fix is not in the code. That doesn't mean a CVE is not > warranted. Grizzly has the sizelimit middleware and is therefore > not affected. > > The text of the note looks good -- maybe the title could be changed > to something that doesn't make it look like a current vulnerability > as much, but more like deployment advice for older versions -- > that way people will not mistake it for a weird OSSA. My try at it > would be: > > "HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS" > > Hope this helps, Yeah, I have no problem with WONTFIX, I mean if fixing something basically means breaking things/changing behaviour a lot, especially when you (OpenStack) are on a 6-month release cycle it makes sense. But we need to make sure they get labelled as security issues with a CVE still since some vendors like Red Hat will be backporting security fixes since we (Red Hat) most likely won't have Red Hat OpenStack on a 6-month release cycle. We (and others) try to keep a close eye on upstream, but things can get missed. On the other hand if it has a CVE then it almost certainly won't get missed. So if it's ok with you guys I'd like to make sure that all OpenStack security issues get CVEs assigned regardless of whether or not they are going to be fixed in code (e.g. addressed with a security note, maybe a config change, a documentation change, whatever). 
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRditCAAoJEBYNRVNeJnmTYLQQAKFSGgjYQz2VyhnLs0yDee+0 kpxgeHA8PMJ4aZadUGKkf/Rt8tHFRxIvkgTVETIkTPLZatBc5rzYo3owdapZ8/R+ ACJBDAdDwe2lhE+1UkUtRFe1NOroxUo6MLtvUTL0lXMk2SC3PEqK5agLKjCv8fUO 8i1wfASUiqfHFcPZmUGSQcqnJznm+/15Rd6byFoyPAAadKwl2z8j3vB+Ell2Pdld klnTMts7V9kBFl31nbm8lt9dj1bjTR9Oaoe6yGgsiLGksHTdPFHCrDw0RHzPn3iC a9PJgJ1vnSW6IO/q2PCQUC6xnFBtxNRQUBFYRJRq5VBZOcpihqzZ++gGex9xE/mV lBotio+xvE4M/3HFlc0x+/FH7x1JAZ2dK/56CDsOcyFcA6cNT1fe2XgcgeB0FHC7 sMpBAXkzXR80sMqCYmp9NL1qbblWmpbLM3+yIQt18As3r1SYlTny4mTnh79pE7/T pjF/VWMJpq+PMAkZsMzcwqGyfvCyZVV6W61F4KgHUOUNzcgcX3hITDtgdUphfGMG tJr8zXQOr68GtX76SaWJW0sGNQDV77TbXRcdZ9ktBRVTff3ou+QZjYyAYDwALcEU Gx5ejd/xBaEVKoWyHqLCDBJjSkSrJ1cYD2e66gfxzTxCy+Mv7Cc955zYBBYVqGQO 8wkuEArbCwMcCb4RHZs7 =L4KD -----END PGP SIGNATURE----- From robert.clark at hp.com Tue Apr 23 08:04:50 2013 From: robert.clark at hp.com (Clark, Robert Graham) Date: Tue, 23 Apr 2013 08:04:50 +0000 Subject: [Openstack-security] OSN vs OSSA In-Reply-To: <5175B3D6.8050301@redhat.com> Message-ID: This has actually been bugging me for a while but it's a pita to change. I'll get on it when I'm back from vacation. I don't think you can change a LP group url once it's setup so we will need to create a new one and migrate what we can over, probably. On 22/04/2013 23:04, "Kurt Seifried" wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On 04/22/2013 02:43 PM, Bryan D. Payne wrote: >> Sure. Not sure that it matters too much. But I'm pretty >> indifferent on this one. -bryan >> >> On Mon, Apr 22, 2013 at 1:35 PM, Matt Joyce >> wrote: >>> In short... >>> >>> If ( { "OSSA": "OpenStack Security Advisory" } ) >>> >>> then ( { "OSSN": "OpenStack Security Note" } ) >>> >>> >>> Shouldn't it be an OSSN not an OSN? >>> >>> -Matt > >Consistency is almost always better than random exceptions. 
> > >- -- >Kurt Seifried Red Hat Security Response Team (SRT) >PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.13 (GNU/Linux) > >iQIcBAEBAgAGBQJRdbPWAAoJEBYNRVNeJnmTxAMQAK7UibaEWXHRQSJvTpiR0vQX >TYp4iaM4goiBIBzBtOSNovV8jYroScOTKk5YLehPg7awFpj6ltjHi5cU7NSiOeI1 >dz+4qr4YdAL4LE8lzj+lT00sjsJpS8DfVYwFaTBCZdo8L5u4lUI+r4u9NCZ1FkhM >1YmvdbH+QJfYxizt26iceNvddu+Hu6VScjkfisbkX2QU8y/ITOjXkMyo2oiRmIur >6jKiKoEC7Ye/hm72IlHKxQXUKw5imhNRXs/KbG04lNx7NsJTAaEz3PXODVymKSYg >4TCD7fMo6BmnL3US2s3cf151eBI2wt/YxvW5gPSBxgIAbLjF8bMlU4WkErWL8y2E >LbKX7gEQueQ7AKCS+dHxnYGcd/xrQTnYmp9zJGpsY2qH5RLBDY1YCadpa/FJ4Bey >Q1Fq8F1TjoYLNbafNrFnh5cYUKKZMcCIovUP9sGpuajiyKssEhM3/JFyv6cr4gfT >IkUJzNjat2z/At1htbDS8C4cYk5ZKAScTkNtcx0RFDI10Xs2AWJ+rRD9VBp9Hxhw >Z30rxlnNblouiLa3JdMWkOsqRde4BEhGBw0fZVUnnqET/yGZniOdForEKgfGM25I >0nsTwzL2eaRewjf/N5eG5Kd0ZIEyeUsLATbRii/gKGa1LwjFy1mrj/yD5KO8h+SC >x00LeWqMAmiUbIVLWxbc >=6vO6 >-----END PGP SIGNATURE----- > >_______________________________________________ >Openstack-security mailing list >Openstack-security at lists.openstack.org >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security From thierry at openstack.org Tue Apr 23 08:36:12 2013 From: thierry at openstack.org (Thierry Carrez) Date: Tue, 23 Apr 2013 10:36:12 +0200 Subject: [Openstack-security] OSN vs OSSA In-Reply-To: References: Message-ID: <517647FC.1050807@openstack.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Clark, Robert Graham wrote: > This has actually been bugging me for a while but it's a pita to > change. > > I'll get on it when I'm back from vacation. I don't think you can > change a LP group url once it's setup so we will need to create a > new one and migrate what we can over, probably. 
You can ask a LP admin to do that rename for you, through a question on "Launchpad itself" at https://answers.launchpad.net/launchpad Example @ https://answers.launchpad.net/launchpad/+question/75458 - -- Thierry Carrez (ttx) Release Manager, OpenStack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJRdkf4AAoJEFB6+JAlsQQjP/EP/jg4Ydt6+aO8wPFiq+qQxzF4 g4N25On6EFJT0Bl63iAwYVttZR7gqaB7ro3en7Q5MKrqI9j9JoF+DnEjdu6QHQO3 Fpq4tpLoOP2g1cn94+KwFHGXnUPCUFGIiw7XAIE/tvJC3hRAqQJaFuhgcQlzQSrg a3YyjICTGwFlhBP03qCOmxYgWgQOF3DKScBlPrPVyNC7d6cu4nlnIv8M12iN9vR3 3aAQPPABgbp8gqF9o5+OGOWBfgdxJNba8G11bNzwz8sSfCYQ/O+vvJj7uG8FttAU pNrdw43APbthn6ilJloQp+TsCbMm7Boj9Mf4fq+/KzbAjoWtjU5Pq+OeQw1AsZSS mFOlGrevJErXfmtNGCAwNcXMq7HpOFmoCGtM88+UDGrFDSgk9slrnfaJwfmfMlrA 5s86lULD/kG+LOH4x1IFRW83If6omS9nM06eLYTH1PSaVG8Ar8OnHmKZYHmAgcxP 0uaFlCb3Jl8o3CdEU6U6GCFcOpaVwqFu4inoAl/pSXLwrtLDrgUdM53PnJ/s0qH+ YYnRWsEMJ+Z91p5t1K5/TTjfzkRhu0e+/bQq9HmCvKu/ebUh71HUVG3eyQDfVNZj 7GXtHAFl/aKeQlNDJclahqTPc/ZqL7azUYfCk1f0YqOt++ApjVR4M+eY5FBYPiZr +qh+9OXO+k2l5JFtzQf+ =yhHe -----END PGP SIGNATURE----- From thierry at openstack.org Tue Apr 23 08:37:28 2013 From: thierry at openstack.org (Thierry Carrez) Date: Tue, 23 Apr 2013 10:37:28 +0200 Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting In-Reply-To: <51762B42.4040105@redhat.com> References: <516F86B4.5000209@redhat.com> <517532CB.30704@openstack.org> <51762B42.4040105@redhat.com> Message-ID: <51764848.9080901@openstack.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Kurt Seifried wrote: > So if it's ok with you guys I'd like to make sure that all > OpenStack security issues get CVE's assigned regardless of whether > or not they are going to be fixed in code (e.g. addressed with a > security note, maybe a config change, a documentation change, > whatever). Makes sense to me. 
- -- Thierry -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJRdkhIAAoJEFB6+JAlsQQjdtUQAJvH6RRZVpklkTyhUevJE2cg ppKf4B4CDb/c5fkPc8efwNDNNF9n5cnw3xCMq8yQ9jShEesWphPynUPtjVAYbBbg LTO3fBjJsDkkAKlZgkHjuMm3j2buNqOYqLhZ+r683l8TSG4QcDuO+I5mIcet3G0g kHfW0+FVlW0ZIelwBhL9ovt4wOQHpurqCX3ON9B3wj6UlgEP4yExw8R76R9tLRn2 +BCjWo4nVHy04F8FfQ1ojkIiOqdnLUtwsUXkSSj/pKytYzJKhfON2nBZDHklrlTN KjxsSnCfdlsJ4jTm6Bi5mK9CDyc2PAks/nxPBwiTZO4gA+zuaL1lGRELy80Db90u yKYxZAJVfmOW6fFBXcmnNsZQ0PBXHFE1wyyEuzXxGY0jtX0jHdrRxG2Lgxzxbray wCSGizb4a2duD0YkHgc07V5JqihamXwnvMu7Vxs37K7gfmCQjtBAagupVyWqRhNF f7qXntOHQFKijcHJosN09zd5fXX0vEBYrb/DV2YlnMdxmJ5Q5ap3ZxoCtQaO7K3d 6DO7DlMGbGM9V/dlp/I9h5uPUTjsL3PYRTGlZaHp7oCe1PR02KMT7y4eGUta01nw 5mdTk2ExeCZ+GZ6HnsM6abhEqTQ07Nv9kjIZNUMTdo3NFi6OAHz6LuG4hhcloFGW CeeSWT3uJDpx3RemOXaC =mjLd -----END PGP SIGNATURE----- From robert.clark at hp.com Tue Apr 23 09:49:03 2013 From: robert.clark at hp.com (Clark, Robert Graham) Date: Tue, 23 Apr 2013 09:49:03 +0000 Subject: [Openstack-security] OSN vs OSSA In-Reply-To: <517647FC.1050807@openstack.org> Message-ID: Thanks Thierry, Request is in: https://answers.launchpad.net/launchpad/+question/227284 On 23/04/2013 09:36, "Thierry Carrez" wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA256 > >Clark, Robert Graham wrote: >> This has actually been bugging me for a while but it's a pita to >> change. >> >> I'll get on it when I'm back from vacation. I don't think you can >> change a LP group url once it's setup so we will need to create a >> new one and migrate what we can over, probably. 
> >You can ask a LP admin to do that rename for you, through a question >on "Launchpad itself" at https://answers.launchpad.net/launchpad > >Example @ https://answers.launchpad.net/launchpad/+question/75458 > >- -- >Thierry Carrez (ttx) >Release Manager, OpenStack >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.11 (GNU/Linux) >Comment: Using GnuPG with undefined - http://www.enigmail.net/ > >iQIcBAEBCAAGBQJRdkf4AAoJEFB6+JAlsQQjP/EP/jg4Ydt6+aO8wPFiq+qQxzF4 >g4N25On6EFJT0Bl63iAwYVttZR7gqaB7ro3en7Q5MKrqI9j9JoF+DnEjdu6QHQO3 >Fpq4tpLoOP2g1cn94+KwFHGXnUPCUFGIiw7XAIE/tvJC3hRAqQJaFuhgcQlzQSrg >a3YyjICTGwFlhBP03qCOmxYgWgQOF3DKScBlPrPVyNC7d6cu4nlnIv8M12iN9vR3 >3aAQPPABgbp8gqF9o5+OGOWBfgdxJNba8G11bNzwz8sSfCYQ/O+vvJj7uG8FttAU >pNrdw43APbthn6ilJloQp+TsCbMm7Boj9Mf4fq+/KzbAjoWtjU5Pq+OeQw1AsZSS >mFOlGrevJErXfmtNGCAwNcXMq7HpOFmoCGtM88+UDGrFDSgk9slrnfaJwfmfMlrA >5s86lULD/kG+LOH4x1IFRW83If6omS9nM06eLYTH1PSaVG8Ar8OnHmKZYHmAgcxP >0uaFlCb3Jl8o3CdEU6U6GCFcOpaVwqFu4inoAl/pSXLwrtLDrgUdM53PnJ/s0qH+ >YYnRWsEMJ+Z91p5t1K5/TTjfzkRhu0e+/bQq9HmCvKu/ebUh71HUVG3eyQDfVNZj >7GXtHAFl/aKeQlNDJclahqTPc/ZqL7azUYfCk1f0YqOt++ApjVR4M+eY5FBYPiZr >+qh+9OXO+k2l5JFtzQf+ >=yhHe >-----END PGP SIGNATURE----- > >_______________________________________________ >Openstack-security mailing list >Openstack-security at lists.openstack.org >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security From robert.clark at hp.com Tue Apr 23 10:01:58 2013 From: robert.clark at hp.com (Clark, Robert Graham) Date: Tue, 23 Apr 2013 10:01:58 +0000 Subject: [Openstack-security] OSN vs OSSA In-Reply-To: Message-ID: Ok, we're now issuing OSSNs the LP has changed and links on the OSSG have been changed. 
On 23/04/2013 10:49, "Clark, Robert Graham" wrote: >Thanks Thierry, > >Request is in: https://answers.launchpad.net/launchpad/+question/227284 > >On 23/04/2013 09:36, "Thierry Carrez" wrote: > >>-----BEGIN PGP SIGNED MESSAGE----- >>Hash: SHA256 >> >>Clark, Robert Graham wrote: >>> This has actually been bugging me for a while but it's a pita to >>> change. >>> >>> I'll get on it when I'm back from vacation. I don't think you can >>> change a LP group url once it's setup so we will need to create a >>> new one and migrate what we can over, probably. >> >>You can ask a LP admin to do that rename for you, through a question >>on "Launchpad itself" at https://answers.launchpad.net/launchpad >> >>Example @ https://answers.launchpad.net/launchpad/+question/75458 >> >>- -- >>Thierry Carrez (ttx) >>Release Manager, OpenStack >>-----BEGIN PGP SIGNATURE----- >>Version: GnuPG v1.4.11 (GNU/Linux) >>Comment: Using GnuPG with undefined - http://www.enigmail.net/ >> >>iQIcBAEBCAAGBQJRdkf4AAoJEFB6+JAlsQQjP/EP/jg4Ydt6+aO8wPFiq+qQxzF4 >>g4N25On6EFJT0Bl63iAwYVttZR7gqaB7ro3en7Q5MKrqI9j9JoF+DnEjdu6QHQO3 >>Fpq4tpLoOP2g1cn94+KwFHGXnUPCUFGIiw7XAIE/tvJC3hRAqQJaFuhgcQlzQSrg >>a3YyjICTGwFlhBP03qCOmxYgWgQOF3DKScBlPrPVyNC7d6cu4nlnIv8M12iN9vR3 >>3aAQPPABgbp8gqF9o5+OGOWBfgdxJNba8G11bNzwz8sSfCYQ/O+vvJj7uG8FttAU >>pNrdw43APbthn6ilJloQp+TsCbMm7Boj9Mf4fq+/KzbAjoWtjU5Pq+OeQw1AsZSS >>mFOlGrevJErXfmtNGCAwNcXMq7HpOFmoCGtM88+UDGrFDSgk9slrnfaJwfmfMlrA >>5s86lULD/kG+LOH4x1IFRW83If6omS9nM06eLYTH1PSaVG8Ar8OnHmKZYHmAgcxP >>0uaFlCb3Jl8o3CdEU6U6GCFcOpaVwqFu4inoAl/pSXLwrtLDrgUdM53PnJ/s0qH+ >>YYnRWsEMJ+Z91p5t1K5/TTjfzkRhu0e+/bQq9HmCvKu/ebUh71HUVG3eyQDfVNZj >>7GXtHAFl/aKeQlNDJclahqTPc/ZqL7azUYfCk1f0YqOt++ApjVR4M+eY5FBYPiZr >>+qh+9OXO+k2l5JFtzQf+ >>=yhHe >>-----END PGP SIGNATURE----- >> >>_______________________________________________ >>Openstack-security mailing list >>Openstack-security at lists.openstack.org >>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security > > 
From chricker at cisco.com Tue Apr 23 12:47:47 2013
From: chricker at cisco.com (Christopher Ricker (chricker))
Date: Tue, 23 Apr 2013 12:47:47 +0000
Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting
In-Reply-To: <51762B42.4040105@redhat.com>
Message-ID: <4CA1F721B8455042844DC2A696ED4B2119E191@xmb-aln-x14.cisco.com>

On 4/23/13 2:33 AM, "Kurt Seifried" wrote:
>
>So if it's ok with you guys I'd like to make sure that all OpenStack
>security issues get CVE's assigned regardless of whether or not they
>are going to be fixed in code (e.g. addressed with a security note,
>maybe a config change, a documentation change, whatever).

Request seconded -- this will be helpful for the various downstreams
packaging OpenStack

From robert.clark at hp.com Tue Apr 23 14:47:48 2013
From: robert.clark at hp.com (Clark, Robert Graham)
Date: Tue, 23 Apr 2013 14:47:48 +0000
Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting
In-Reply-To: <4CA1F721B8455042844DC2A696ED4B2119E191@xmb-aln-x14.cisco.com>
Message-ID:

+1 also makes it easier for vulnerability scanners to check for missing updates, as they do for many other CVEs

On 23/04/2013 13:47, "Christopher Ricker (chricker)" wrote:
>On 4/23/13 2:33 AM, "Kurt Seifried" wrote:
>>
>>So if it's ok with you guys I'd like to make sure that all OpenStack
>>security issues get CVE's assigned regardless of whether or not they
>>are going to be fixed in code (e.g. addressed with a security note,
>>maybe a config change, a documentation change, whatever).
>
>Request seconded -- this will be helpful for the various downstreams
>packaging OpenStack

From kseifried at redhat.com Tue Apr 23 17:35:05 2013
From: kseifried at redhat.com (Kurt Seifried)
Date: Tue, 23 Apr 2013 11:35:05 -0600
Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting
In-Reply-To: <4CA1F721B8455042844DC2A696ED4B2119E191@xmb-aln-x14.cisco.com>
References: <4CA1F721B8455042844DC2A696ED4B2119E191@xmb-aln-x14.cisco.com>
Message-ID: <5176C649.80700@redhat.com>

On 04/23/2013 06:47 AM, Christopher Ricker (chricker) wrote:
> On 4/23/13 2:33 AM, "Kurt Seifried" wrote:
>>
>> So if it's ok with you guys I'd like to make sure that all
>> OpenStack security issues get CVE's assigned regardless of
>> whether or not they are going to be fixed in code (e.g. addressed
>> with a security note, maybe a config change, a documentation
>> change, whatever).
>
> Request seconded -- this will be helpful for the various
> downstreams packaging OpenStack

Can you or anyone else go through the previous security related issues and post the ones needing a CVE? I've been meaning to do this for weeks but keep getting hit with other things. Thanks.
- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

From matt.joyce at cloudscaling.com Tue Apr 23 21:18:38 2013
From: matt.joyce at cloudscaling.com (Matt Joyce)
Date: Tue, 23 Apr 2013 14:18:38 -0700
Subject: [Openstack-security] Vulnerability Database / API
Message-ID:

So I talked about this during the summit. But my plan for this release is to build out a vulnerability database.

I put some more descriptive info on that work effort here: http://secstack.org/2013/04/havana/

I don't have anything blueprint worthy yet. Right now I am working on setting up a schema for datasets. When I have that laid out I'll ping the list again looking for input and I'll probably start building wiki space out on the openstack wiki at that time.

Right now I am doing dataset collection and investigation to help me design an extensible schema.

The ultimate goal is to have a database of vulnerability information that tracks openstack core, openstack candidates, and secondary dependency vulnerabilities. Then we can provide a REST API for interfacing with that database.

This should allow deployers and packaging at distributors (redhat, cloudscaling, etc) to poll as a gate test against the db for possible vulnerabilities applicable to them.

There are some fundamental questions about scope of what data to include. It can get dicey when we start talking about redhat specific vulnerabilities and nebula or piston specific vulnerabilities. So I'd love to hear thoughts on that.

Anyways. I am already working on schemas. I'll post updates shortly. Just wanted to keep the list in the loop. Not everyone is at the summit.

-Matt Joyce

From kseifried at redhat.com Fri Apr 26 08:08:04 2013
From: kseifried at redhat.com (Kurt Seifried)
Date: Fri, 26 Apr 2013 02:08:04 -0600
Subject: [Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting
In-Reply-To: <51764848.9080901@openstack.org>
References: <516F86B4.5000209@redhat.com> <517532CB.30704@openstack.org> <51762B42.4040105@redhat.com> <51764848.9080901@openstack.org>
Message-ID: <517A35E4.4070303@redhat.com>

On 04/23/2013 02:37 AM, Thierry Carrez wrote:
> Kurt Seifried wrote:
>> So if it's ok with you guys I'd like to make sure that all
>> OpenStack security issues get CVE's assigned regardless of
>> whether or not they are going to be fixed in code (e.g. addressed
>> with a security note, maybe a config change, a documentation
>> change, whatever).
>
> Makes sense to me.

Ok assigned a CVE for the keystone header issue, and another thing in LaunchPad and left some queries on other bugs but now I can't find them (launch pad search... grrr).

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

From noreply at launchpad.net Mon Apr 29 12:53:13 2013
From: noreply at launchpad.net (Launchpad Email Validator)
Date: Mon, 29 Apr 2013 12:53:13 -0000
Subject: [Openstack-security] Launchpad: Validate your team's contact email address
Message-ID: <20130429125313.10539.92465.launchpad@soybean.canonical.com>

Hello

The Launchpad user named 'Robert Clark (robert-clark)' requested the registration of 'openstack-security at lists.openstack.org' as the contact email address of team 'OpenStack Security Group'.

This request can only be made by a team owner/administrator, so if this change request was unexpected or was not requested by one of the team's administrators, please contact system-error at launchpad.net.

If you want to make this email address the contact email of 'OpenStack Security Group', please click on the link below and follow the instructions.
https://launchpad.net/token/1blQxTNDmNFzv8JDG0ts

Thanks,
The Launchpad Team

From 1171662 at bugs.launchpad.net Mon Apr 29 12:55:29 2013
From: 1171662 at bugs.launchpad.net (Dolph Mathews)
Date: Mon, 29 Apr 2013 12:55:29 -0000
Subject: [Openstack-security] [Bug 1171662] Re: User transaction events are not logged
References: <20130423001733.7402.84350.malonedeb@gac.canonical.com>
Message-ID: <20130429125529.5281.95184.malone@wampee.canonical.com>

Agree with Paul; is there a specific event that keystone does not sufficiently log?

** Changed in: keystone
   Status: New => Incomplete

--
You received this bug notification because you are a member of OpenStack Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1171662

Title:
  User transaction events are not logged

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Identity (Keystone):
  Incomplete

Bug description:
  Authentication transactions like successful login, failed login attempt and profile update should be logged. Authorization failure should be logged as well. For example: if user attempts to access resources that they don't have privilege to. This way the logs can be used for security audit, this is important for enterprise operators for security compliance.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1171662/+subscriptions

From robert.clark at hp.com Mon Apr 29 13:12:42 2013
From: robert.clark at hp.com (Clark, Robert Graham)
Date: Mon, 29 Apr 2013 13:12:42 +0000
Subject: [Openstack-security] [OSSG][OSSN] DRAFT: Keystone configuration should not be world readable
Message-ID:

All, please see the draft OSSN below and provide comments or suggest changes before we publish tomorrow.

Cheers
-Rob

Keystone configuration should not be world readable
---

### Summary ###
In some deployments keystone.conf, which contains confidential information, is set to world readable.
### Affected Services / Software ###
Keystone, DevStack

### Discussion ###
It is important that deployers of OpenStack ensure that keystone.conf is not world readable. In some deployments the keystone configuration file is readable by all users (and processes) on the installation system. This file should be set with the most restrictive permissions that allow the system to continue proper operations. In particular, the password configuration of the LDAP section and the admin_token contain secret information:

---- begin example config snippet ----
[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=com
password = None    <- should be secret
suffix = cn=example,cn=com
use_dumb_member = False
allow_subtree_delete = False
dumb_member = cn=dumb,dc=example,dc=com

[DEFAULT]
admin_token = passw0rd    <- should be secret
---- end example config snippet ----

### Recommended Actions ###
Ensure that in your deployment keystone.conf uses the most restrictive permissions that allow the system to continue proper operations.

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1168252
Original LaunchPad Bug : https://bugs.launchpad.net/devstack/+bug/1168252
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

From thierry at openstack.org Mon Apr 29 13:16:30 2013
From: thierry at openstack.org (Thierry Carrez)
Date: Mon, 29 Apr 2013 15:16:30 +0200
Subject: [Openstack-security] [OSSG][OSSN] DRAFT: Keystone configuration should not be world readable
In-Reply-To:
References:
Message-ID: <517E72AE.5020902@openstack.org>

Clark, Robert Graham wrote:
> Keystone configuration should not be world readable
> [...]
> ### Contacts / References ###
> This OSSN : https://bugs.launchpad.net/ossn/+bug/1168252
> Original LaunchPad Bug : https://bugs.launchpad.net/devstack/+bug/1168252
> OpenStack Security ML : openstack-security at lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg

Looks good, but should probably also reference the CVE:

CVE-2013-1977 - OpenStack keystone.conf insecure file permissions

Cheers,

--
Thierry

From robert.clark at hp.com Mon Apr 29 13:20:46 2013
From: robert.clark at hp.com (Clark, Robert Graham)
Date: Mon, 29 Apr 2013 13:20:46 +0000
Subject: [Openstack-security] [OSSG][OSSN] DRAFT: Keystone configuration should not be world readable
In-Reply-To: <517E72AE.5020902@openstack.org>
Message-ID:

On 29/04/2013 14:16, "Thierry Carrez" wrote:
>Clark, Robert Graham wrote:
>> Keystone configuration should not be world readable
>> [...]
>> ### Contacts / References ###
>> This OSSN : https://bugs.launchpad.net/ossn/+bug/1168252
>> Original LaunchPad Bug :
>>https://bugs.launchpad.net/devstack/+bug/1168252
>> OpenStack Security ML : openstack-security at lists.openstack.org
>> OpenStack Security Group : https://launchpad.net/~openstack-ossg
>
>Looks good, but should probably also reference the CVE:
>
>CVE-2013-1977 - OpenStack keystone.conf insecure file permissions
>
>Cheers,
>
>--
>Thierry

Updated the LP bug, thanks Thierry.

-Rob

From thierry.carrez+lp at gmail.com Tue Apr 30 16:26:49 2013
From: thierry.carrez+lp at gmail.com (Thierry Carrez)
Date: Tue, 30 Apr 2013 16:26:49 -0000
Subject: [Openstack-security] [Bug 1174499] Re: Keystone token hashing is MD5
References: <20130429193226.5432.76936.malonedeb@wampee.canonical.com>
Message-ID: <20130430162649.8501.51868.malone@wampee.canonical.com>

Agreed and opened

** Information type changed from Private Security to Public

** Tags added: security

--
You received this bug notification because you are a member of OpenStack Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1174499

Title:
  Keystone token hashing is MD5

Status in OpenStack Identity (Keystone):
  Confirmed

Bug description:
  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/common/cms.py

  import hashlib

  # is_ans1_token is defined elsewhere in cms.py
  def cms_hash_token(token_id):
      """
      return: for ans1_token, returns the hash of the passed in token
      otherwise, returns what it was passed in.
      """
      if token_id is None:
          return None
      if is_ans1_token(token_id):
          hasher = hashlib.md5()
          hasher.update(token_id)
          return hasher.hexdigest()
      else:
          return token_id

  MD5 is a deprecated mechanism, it should be replaced with at least SHA1, if not SHA256. Keystone should be able to support multiple Hash types, and the auth_token middleware should query Keystone to find out which type is in use.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1174499/+subscriptions

From 1174499 at bugs.launchpad.net Tue Apr 30 16:59:25 2013
From: 1174499 at bugs.launchpad.net (Robert Clark)
Date: Tue, 30 Apr 2013 16:59:25 -0000
Subject: [Openstack-security] [Bug 1174499] Re: Keystone token hashing is MD5
References: <20130429193226.5432.76936.malonedeb@wampee.canonical.com>
Message-ID: <20130430165925.9302.81473.malone@wampee.canonical.com>

Would be nice to see support for multiple hash algorithms, certainly we shouldn't be using MD5 any more. While there might not be any obvious attack vectors we should look to harden this. I don't think an OSSN is appropriate here either.

From bdpayne at acm.org Tue Apr 30 17:21:21 2013
From: bdpayne at acm.org (Bryan D. Payne)
Date: Tue, 30 Apr 2013 17:21:21 -0000
Subject: [Openstack-security] [Bug 1174499] Re: Keystone token hashing is MD5
References: <20130429193226.5432.76936.malonedeb@wampee.canonical.com>
Message-ID: <20130430172121.9060.53970.malone@wampee.canonical.com>

I suspect that fixing this involves addressing some backwards compatibility changes too? Allowing a user to choose the hash alg would be nice, but I'm not sure if there are assumptions elsewhere based on hash length that could complicate this. Any thoughts on the "right" fix here from the Keystone core team?
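The bug 1174499 thread above asks for a configurable token digest and raises the hash-length compatibility question. The following is an added example, not keystoneclient or Keystone code, of what cms_hash_token looks like with the digest as a parameter. It keeps the original's shape (None passes through, non-PKI tokens pass through, PKI tokens are hashed), reports the hashed-id length so code that assumed a 32-character MD5 id can be found, and includes a migration helper that recognises which announced digest produced an already-stored id. is_pki_token is a simplified stand-in assumed here for the page's is_ans1_token; the token string is constructed.

```python
"""Token hashing with a selectable digest instead of fixed MD5.

Added example for bug 1174499 (not keystoneclient code). The digest is a
parameter, matching the request that Keystone support several hash types
and that the auth_token middleware learn which one is in use.
"""
import hashlib
import hmac

# Digests a deployment might announce. MD5 is kept only so ids hashed
# before a migration can still be matched; it is not a choice for new
# deployments.
SUPPORTED_ALGORITHMS = ("md5", "sha1", "sha256")


def is_pki_token(token_id):
    """Assumed stand-in for keystoneclient's is_ans1_token: base64 DER
    (CMS/PKI) tokens begin with 'MII'. The real check lives in cms.py."""
    return token_id.startswith("MII")


def digest_token(token_id, algorithm="sha256"):
    """Unconditionally hash token_id with the named digest (hex output).
    Rejects digests the deployment did not announce."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError("unsupported token hash algorithm: %r" % (algorithm,))
    hasher = hashlib.new(algorithm)
    hasher.update(token_id.encode("utf-8"))
    return hasher.hexdigest()


def hash_token(token_id, algorithm="sha256"):
    """Same shape as cms_hash_token on the page, with a configurable digest."""
    if token_id is None:
        return None
    if is_pki_token(token_id):
        return digest_token(token_id, algorithm)
    return token_id


def hashed_id_length(algorithm):
    """Hex length of a hashed id for this digest: the number any cache key,
    DB column or middleware that assumed 32 (MD5) has to be checked against."""
    return hashlib.new(algorithm).digest_size * 2


def matches_any(token_id, stored_hash, algorithms=SUPPORTED_ALGORITHMS):
    """Migration helper: which announced digest produced stored_hash for a
    presented PKI token? Returns the algorithm name, or None. Length is
    checked first so a 32-char MD5 id is never compared against SHA256."""
    for algorithm in algorithms:
        if hashed_id_length(algorithm) != len(stored_hash):
            continue
        if hmac.compare_digest(digest_token(token_id, algorithm), stored_hash):
            return algorithm
    return None


if __name__ == "__main__":
    # Constructed token with the prefix the stand-in treats as PKI.
    token = "MIIconstructed-pki-token-body"
    for alg in SUPPORTED_ALGORITHMS:
        print(alg, hashed_id_length(alg), hash_token(token, alg))
```

The length table is the practical answer to the backwards-compatibility worry: moving from MD5 to SHA256 doubles the id from 32 to 64 hex characters, so any storage or comparison that fixed the width has to change before the digest does, and matches_any lets a service accept ids issued under the old digest while the migration runs.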
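The keystone.conf OSSN earlier in this archive (CVE-2013-1977) tells deployers to keep the file at the most restrictive permissions that still work, because the LDAP password and admin_token live in it. The following is an added audit script, not part of the OSSN or of Keystone, that checks whether a keystone.conf is readable by "other", lists which of the two secret-bearing options the note names are set (names only, never values), and remediates the mode. The sample configuration is constructed from the OSSN's snippet; the remediation mode 0o640 is an assumption (a deployment where the service runs as the file owner can use 0o600).

```python
"""Audit keystone.conf file mode and secret-bearing options.

Added example for the keystone.conf OSSN (not Keystone or DevStack code).
"""
import configparser
import os
import stat
import tempfile

# The options the OSSN names as secret-bearing, as (section, option).
SECRET_OPTIONS = (
    ("ldap", "password"),
    ("DEFAULT", "admin_token"),
)

# Constructed sample modelled on the OSSN snippet; the "<- should be secret"
# annotations are dropped so configparser can read it.
SAMPLE_KEYSTONE_CONF = """\
[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=com
password = None
suffix = cn=example,cn=com
use_dumb_member = False
allow_subtree_delete = False
dumb_member = cn=dumb,dc=example,dc=com

[DEFAULT]
admin_token = passw0rd
"""


def world_readable(path):
    """True if the 'other' read bit is set on path."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def exposed_secrets(path):
    """Return the secret-bearing options that are actually set in the file.
    Only (section, option) names are returned: an audit report must not
    copy the secrets themselves into logs or tickets."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    return [(s, o) for s, o in SECRET_OPTIONS if cp.has_option(s, o)]


def audit(path):
    """Summarise the finding: mode, world readability, exposed secrets."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "mode": oct(mode),
        "world_readable": world_readable(path),
        "secrets": exposed_secrets(path),
    }


def restrict(path, mode=0o640):
    """Remediate by dropping the 'other' bits. 0o640 is an assumed choice
    that keeps group read for the service's group; return the new audit."""
    os.chmod(path, mode)
    return audit(path)


def run_demo():
    """Write the constructed sample world-readable (the state the OSSN
    describes), audit it, remediate, audit again. Returns (before, after)."""
    fd, path = tempfile.mkstemp(prefix="keystone-", suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_KEYSTONE_CONF)
    try:
        os.chmod(path, 0o644)
        before = audit(path)
        after = restrict(path)
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after: ", after)
```

Pointing audit() at a real /etc/keystone/keystone.conf gives the same three fields; a world_readable of True together with a non-empty secrets list is exactly the condition the OSSN warns about, and restrict() is the corresponding fix once the service account's group membership has been confirmed.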