<div dir="ltr"><div class="gmail_extra">Hi Thierry</div><div class="gmail_extra"><br></div><div class="gmail_extra">Thanks for the response.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><span style="font-family:arial,sans-serif;font-size:13px">>So in summary... yes this is currently harder than it should be and I'd</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">>like to fix that. Yes you're welcome to edit [1] so that it's made more</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">>current. If you think it has value I can retroactively mention past</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">>OSSAs in [2]. And you should have a look at [3] :)</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">>[1] </span><a href="https://wiki.openstack.org/wiki/SecurityAdvisories" target="_blank" style="font-family:arial,sans-serif;font-size:13px">https://wiki.openstack.org/wiki/SecurityAdvisories</a><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">>[2] </span><a href="https://bugs.launchpad.net/ossa/+cve" target="_blank" style="font-family:arial,sans-serif;font-size:13px">https://bugs.launchpad.net/ossa/+cve</a><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">>[3] </span><a href="http://secstack.org/2013/04/openstack-common-vulnerability-database/" target="_blank" style="font-family:arial,sans-serif;font-size:13px">http://secstack.org/2013/04/openstack-common-vulnerability-database/</a></div>
<div class="gmail_extra"><br></div><div class="gmail_extra">I'll have a go at [1], definitely (anything to help out). Will include a link to [2] on there. </div><div class="gmail_extra"><br></div><div class="gmail_extra" style>
Agree that a more 'official' looking page will be of benefit. </div><div class="gmail_extra"><br></div><div class="gmail_extra">Personally I would think taking [2] back to the Folsom release cycle would be a good idea, but that's a call for you and</div>
<div class="gmail_extra" style>the rest of the Vulnerability Management team (Not sure how much work is involved for you in doing that).</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>I'll have a look at [3] as well, fantastic.</div>
<div class="gmail_extra" style><br></div><div class="gmail_extra" style>Thanks again</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>Jolyon Brown</div><div class="gmail_extra" style><a href="mailto:jolyon@limilo.com">jolyon@limilo.com</a></div>
<div class="gmail_extra" style><a href="http://www.limilo.com">www.limilo.com</a></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 5, 2013 at 11:43 AM, Thierry Carrez <span dir="ltr"><<a href="mailto:thierry@openstack.org" target="_blank">thierry@openstack.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="im">Jolyon Brown wrote:<br>
> In my (day) job (not Limilo!) we're currently evaluating an IBM product<br>
> which is underpinned by OpenStack. During review our InfoSec people<br>
> claimed many (22) open CVE vulnerabilities for the underlying version of<br>
> OpenStack used (Folsom). I don't believe this to be the case, as<br>
> Launchpad lists only 3 CVE bugs. However it's not clear at a glance if<br>
> these 3 have been back ported, which versions are affected etc. While I<br>
> know my way around enough to find out, new people investigating<br>
> OpenStack might not, so I was looking for a summary page of open<br>
> vulnerabilities broken down per release.<br>
><br>
> Now I know the community does a great job regarding security related<br>
> bugs, both finding and fixing, and Thierry in particular is working<br>
> wonders regarding CVE notification. A quick google for OpenStack CVE<br>
> though brings up <a href="https://wiki.openstack.org/wiki/SecurityAdvisories" target="_blank">https://wiki.openstack.org/wiki/SecurityAdvisories</a> in<br>
> the first few results which looks as though it may have been the<br>
> intended place for this kind of summary info, but it looks a bit<br>
> neglected. Given that this may be the first query someone tries when<br>
> evaluating OpenStack I think it might need a bit of an update.<br>
><br>
> Is there somewhere else that contains this kind of info in an easily<br>
> summarised up to date format?<br>
><br>
> Or should the wiki page mentioned be the one to be updated?<br>
<br>
</div>Hi!<br>
<br>
The official source are the published (and signed) OpenStack Security<br>
Advisories (OSSA), but I agree it can take a bit of effort to get<br>
historical information about them, and we need to improve on that.<br>
<br>
We published OSSAs to this list from the beginning, and starting in July<br>
2012 we also published them to openstack-announce for easier access.<br>
<br>
There is a community-maintained wiki page[1] listing them, but I would<br>
like to transition that to a more "official" (and less prone to editing)<br>
area on the main <a href="http://openstack.org" target="_blank">openstack.org</a> website.<br>
<br>
We also started recently to create "ossa" tasks on Launchpad, and I<br>
retroactively created them for all 2013 advisories. Together with<br>
Launchpad CVE linking features, that gives you a nice list you can<br>
access at [2] -- maybe it would make sense to retroactively create ossa<br>
links for all advisories ever published.<br>
<br>
Matt Joyce also started working on an OpenStack Common Vulnerability<br>
Database [3] which may help in accessing more structured data.<br>
<br>
So in summary... yes this is currently harder than it should be and I'd<br>
like to fix that. Yes you're welcome to edit [1] so that it's made more<br>
current. If you think it has value I can retroactively mention past<br>
OSSAs in [2]. And you should have a look at [3] :)<br>
<br>
[1] <a href="https://wiki.openstack.org/wiki/SecurityAdvisories" target="_blank">https://wiki.openstack.org/wiki/SecurityAdvisories</a><br>
[2] <a href="https://bugs.launchpad.net/ossa/+cve" target="_blank">https://bugs.launchpad.net/ossa/+cve</a><br>
[3] <a href="http://secstack.org/2013/04/openstack-common-vulnerability-database/" target="_blank">http://secstack.org/2013/04/openstack-common-vulnerability-database/</a><br>
<br>
Hope this helps,<br>
<span class=""><font color="#888888"><br>
--<br>
Thierry Carrez (ttx)<br>
Release Manager, OpenStack<br>
<br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</font></span></blockquote></div><br></div></div>