On 2021-02-18 10:36:52 -0600 (-0600), Ben Nemec wrote: [...]
I ended up just closing this one for Oslo because it appears that using the oslo.cache backend actually fixes the bug.
Thanks!
I also pushed a patch for a formerly private bug[0] that just bumps our minimum pyyaml version to avoid a vulnerability. I suspect everyone is already running newer versions of it, but if not, now they know that they should. :-)
Strangely, I don't remember getting an email notification about that bug. I thought coresec team members were notified about private security bugs. I guess I'll have to keep a closer eye on our bug list from now on.
Please double-check https://launchpad.net/oslo.config/+sharing and make sure "Private Security: All" is shared with "OpenStack Vulnerability Management team (openstack-vuln-mgmt)" but it's also just possible we missed triaging that report when it was opened. VMT members do periodically check https://launchpad.net/openstack/+bugs?field.information_type%3Alist=PRIVATES... for anything that's slipped through the cracks. Not often, but I'm pretty sure it's not been as long as the ~1.5 years since that bug was opened. -- Jeremy Stanley