[Openstack-security] abandoned OSSNs?

Matt Fischer matt at mattfischer.com
Mon Apr 11 14:19:50 UTC 2016


Some folks from our security team here asked me to assure them that our
services were patched for all the OSSNs that are listed here:
https://wiki.openstack.org/wiki/Security_Notes

Most of these are straightforward, but there are some OSSNs that have been
allocated an ID but then abandoned. There is no detailed wiki page, and my
best Google efforts lead me to a possible IRC mention and maybe an
abandoned review. The two specifically are OSSN-50/51.

So what am I to do with an "abandoned" OSSN? Has it been decided that there
is no issue anymore? These are pretty old if I look at the dates framing
the other OSSNs (49/52), so I assume they aren't urgent. Can we ignore
these? They sound somewhat scary, for example, "keystonemiddleware can
allow access after token revocation" but I have no means to say whether it
affects us or how we can mitigate without more info.

Thoughts?