On 2021-02-25 09:21:17 +0000 (+0000), Sven Kieske wrote:
> I just noticed, while researching information regarding these two CVEs:
Yes, those are indeed serious bugs, but OpenStack does not officially distribute the Python interpreter nor its source code. We generally recommend sensitive and production users of our software consume our dependencies from a trusted distributor of those components (for example, a major GNU/Linux distribution). OpenStack's Vulnerability Management Team is focused on vulnerabilities within the software OpenStack produces.
> That the Link to the Security Contacts on the Website is broken:
> https://www.openstack.org/openstack-security/ is a 404 for me.
> I found the dead link here:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce
Thanks, it looks like we were embedding some very old URLs in the footer for our mailing list site which pointed to the foundation's site for OpenStack rather than the community-managed security information. I have proposed https://review.opendev.org/777602 to correct this oversight.
> Another "Bug" imho is, that there is no information how to contact the security team on the main website, and the search for "security" does not really yield good results how to contact the security team either.
I agree. I've brought this up with the foundation web development team who maintain that website for us; I'll raise it with them again and find out if they can work out something for better discoverability. I'm not sure why it keeps disappearing or getting moved, but I'll do my best to impress on them that having security contact information linked from the most prominent pages (if not every page) is important for our users. If you'd stumbled onto their page about the "Community" at https://www.openstack.org/community/ you'd see a "User resources" section under "Contributor Resources" (yep, that's confusing) in the footer with a link to "Security advisories", which is a fairly terrible place for that to be hidden.
> If someone has any information on these vulnerabilities and how they affect openstack I'd be delighted to hear from you.
OpenStack is written primarily in Python, so it is entirely possible for OpenStack to expose bugs in that dependency in a variety of ways, as would be the case for any of OpenStack's thousands of dependencies (after all, in most cases OpenStack depends on having an operating system, and can likely expose bugs just about anywhere within it for at least some configurations). I won't begin to pretend I can examine the entire surface area of our millions of lines of source code to point out the various ways that might happen. Suffice to say, you should patch or upgrade your Python interpreter using the packages supplied by your distribution. The same goes for any vulnerability you're worried about, really.
> a cursory search of gerrit didn't yield anything. If I search the website using the integrated search for the CVE the top result is some 2021 Board Election..
Again, sorry that you couldn't find the security site, but for reference it's https://security.openstack.org/ (and we'll get the incorrect links you found corrected to that in short order). You'll only find advisories there for vulnerabilities in the software which is produced by the OpenStack community, so for example advisories about software produced by the Python community would be somewhere on or linked from the python.org site instead.
> RedHat and Suse both state that their distributions of openstack are affected:
> https://access.redhat.com/security/cve/cve-2021-23336
> https://www.suse.com/security/cve/CVE-2021-23336/
> So I guess the base distro is also affected, as these are core openstack components imho?
There is no "base distro" of OpenStack. Red Hat and SUSE both produce distributions of OpenStack which, strictly speaking, means OpenStack software combined with other software such as OpenStack's dependencies and an operating system to run it all on. So in those cases it's the Python interpreters in their distributions which the vulnerabilities you linked are affecting, but not the OpenStack software which they're also including in the distributions.
-- 
Jeremy Stanley
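The thread's advice is to patch the interpreter through the distribution and not to expect an OpenStack advisory for it. The following is an added example, not part of the mailing-list exchange and not OpenStack code, showing how an operator can confirm on each interpreter their deployment actually runs that the distribution's patch for the linked CVE-2021-23336 is in place. It relies on one fact about that CVE's upstream fix, which is not stated in the thread: the fix changed urllib.parse.parse_qs/parse_qsl so that ';' is no longer treated as a query-string separator by default and added a `separator` keyword argument. The probe query string is constructed for this example.

```python
"""Check whether the running Python interpreter carries the fix for
CVE-2021-23336 (urllib.parse query-separator handling).

Added example, not from the thread. Run it with every interpreter your
OpenStack services use (e.g. the distro's /usr/bin/python3 and any venvs),
since a deployment may ship more than one.
"""
import inspect
import sys
from urllib.parse import parse_qs, parse_qsl

# Constructed probe: an unpatched parse_qs splits this on ';' into two
# parameters; a patched one keeps "1;b=2" as the single value of 'a'.
PROBE = "a=1;b=2"


def splits_on_semicolon() -> bool:
    """True if parse_qs still treats ';' as a separator (pre-fix behaviour)."""
    return "b" in parse_qs(PROBE)


def has_separator_kwarg() -> bool:
    """True if parse_qs exposes the `separator` parameter introduced by the fix."""
    return "separator" in inspect.signature(parse_qs).parameters


def is_interpreter_patched() -> bool:
    """Both signals must agree: the new keyword exists and ';' is not a separator."""
    return has_separator_kwarg() and not splits_on_semicolon()


def explicit_semicolon_parse() -> list:
    """On a patched interpreter, callers that genuinely need ';' must opt in.

    Returns the parsed pairs when opting in, or [] if the keyword is absent
    (i.e. the interpreter predates the fix and the opt-in is not available).
    """
    if not has_separator_kwarg():
        return []
    return parse_qsl(PROBE, separator=";")


def report() -> dict:
    """Summary an operator can log or feed into a fleet-wide check."""
    return {
        "python": sys.version.split()[0],
        "executable": sys.executable,
        "separator_kwarg": has_separator_kwarg(),
        "splits_on_semicolon": splits_on_semicolon(),
        "patched": is_interpreter_patched(),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
    # Non-zero exit lets this double as a config-management / CI gate.
    sys.exit(0 if is_interpreter_patched() else 1)
```

The behavioural probe is deliberately paired with the signature check: a backported distribution patch may carry the fix without bumping the version string, so checking `sys.version_info` alone would misreport those interpreters.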