On 2/18/21 11:03 AM, Jeremy Stanley wrote:
On 2021-02-18 10:36:52 -0600 (-0600), Ben Nemec wrote: [...]
I ended up just closing this one for Oslo because it appears that using the oslo.cache backend actually fixes the bug.
Thanks!
I also pushed a patch for a formerly private bug[0] that just bumps our minimum pyyaml version to avoid a vulnerability. I suspect everyone is already running newer versions of it, but if not, now they know that they should. :-)
Strangely, I don't remember getting an email notification about that bug. I thought coresec team members were notified about private security bugs. I guess I'll have to keep a closer eye on our bug list from now on.
Please double-check https://launchpad.net/oslo.config/+sharing and make sure "Private Security: All" is shared with "OpenStack Vulnerability Management team (openstack-vuln-mgmt)" but it's also just possible we missed triaging that report when it was opened. VMT members do periodically check https://launchpad.net/openstack/+bugs?field.information_type%3Alist=PRIVATES... for anything that's slipped through the cracks. Not often, but I'm pretty sure it's not been as long as the ~1.5 years since that bug was opened.
Okay, I did that. I think we may need to audit all of the Oslo projects because the spot check I did on oslo.policy also did not have the needed sharing, and did have someone who doesn't even work on OpenStack anymore with access to private security bugs(!). I don't appear to have permission to change that either. :-/ The other issue is probably that the Oslo projects are not part of the openstack org on launchpad. We did that because the number of projects made it easier to keep track of them if they were their own org, but it does mean they wouldn't show up under a query for the openstack org, unfortunately. I thought I remembered getting a notification from launchpad itself when a private security bug was opened, but it's been long enough since that last would have happened that I may be wrong.