[Openstack-security] FW: OpenSSL Heartbleed (CVE-2014-0160)
Nathan Kinder
nkinder at redhat.com
Wed Apr 9 22:59:09 UTC 2014
On 04/09/2014 02:43 PM, Bryan D. Payne wrote:
> If we are going to do something, let's do an OSSN. Given the discussion
> here, I'm going to flip my opinion and suggest that we cut an OSSN in
> short order. Who would like to write it up? I'm traveling today, so
> I'm out.
https://review.openstack.org/#/c/86466/
>
> -bryan
>
>
> On Wed, Apr 9, 2014 at 1:28 PM, Cody Bunch <cody.bunch at rackspace.com> wrote:
>
> If not an OSSN a small faq of sorts as it pertains to OpenStack.
>
> -C
>
> ------------------------------------------------------------------------
> *From:* Clark, Robert Graham [robert.clark at hp.com]
> *Sent:* Wednesday, April 09, 2014 3:24 PM
> *To:* Bryan D. Payne; Thierry Carrez; Nathan Kinder
>
> *Cc:* openstack-security at lists.openstack.org
> *Subject:* Re: [Openstack-security] FW: OpenSSL Heartbleed
> (CVE-2014-0160)
>
> I think there may be some value in us creating an OSSN that runs
> through the issue, it’s coming up a lot on the ML and while I agree
> with Bryan in principle that it’s not completely within the realm of
> the OSSN process, there’s value in having one well written summary
> that people can refer to on the ML and elsewhere rather than having
> lots of ad hoc conversations.
>
>
>
> Thoughts?
>
>
>
> *From:* Bryan D. Payne [mailto:bdpayne at acm.org]
> *Sent:* 09 April 2014 09:35
> *To:* Thierry Carrez
> *Cc:* openstack-security at lists.openstack.org
> *Subject:* Re: [Openstack-security] FW: OpenSSL Heartbleed
> (CVE-2014-0160)
>
>
>
> Should we consider issuing an OSSN describing steps for heartbleed
> mitigation in OpenStack deployments? I know it's not very different
> from other affected SSL services, but I've already answered that
> question twice on MLs and people are apparently very confused
> about it so it looks like something that could use a reference
> official answer :)
>
>
>
> Unless we have something specifically related to OpenStack to add,
> I'd suggest just pointing people to http://heartbleed.com/.
>
>
>
> -bryan
>
>