On Fri, Mar 12, 2021 at 2:27 AM Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2021-03-11 14:22:21 -0600 (-0600), Ghanshyam Mann wrote: [...]
In a quick search, the interop certification guidelines [1] also do not use these API capabilities, so changing to admin should be fine from an interop point of view and also from a Tempest test modification point of view. [...]
Yep, if you check out the original bug reports leading up to the OSSN, we did at least confirm these were not part of any trademark program requirement before recommending that access be blocked. That was one of our deciding factors in the disclosure timeline. -- Jeremy Stanley
Thanks to Sean and Belmiro for confirming how and where metadefs are used. I think it makes more sense now to keep these metadef create/update/delete APIs admin-only and grant read-only access to normal users. In the advisory we should also specify that there is still a possibility of information leak in this case. Thanks and Regards, Abhishek Kekane
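As an added example (not from this thread and not Glance's own code), a small audit that reads a legacy-style policy.json, reports the metadef create/update/delete rules that oslo.policy would grant to any user, and produces the admin-only rewrite discussed above while leaving the read rules alone. The rule names are assumed to match Glance's default metadef policies, and the sample policy is constructed.

```python
import json
import re

# Metadef write operations as named in Glance's default policies (assumed names;
# check the policy reference for your release). Read rules (get_metadef_*) stay open.
METADEF_WRITE_RULES = (
    "add_metadef_namespace", "modify_metadef_namespace", "delete_metadef_namespace",
    "add_metadef_object", "modify_metadef_object", "delete_metadef_object",
    "add_metadef_property", "modify_metadef_property", "remove_metadef_property",
    "add_metadef_resource_type_association", "remove_metadef_resource_type_association",
    "add_metadef_tag", "add_metadef_tags", "modify_metadef_tag",
    "delete_metadef_tag", "delete_metadef_tags",
)

# Constructed sample: a legacy-style policy.json where most metadef writes are unrestricted.
SAMPLE_POLICY = json.loads("""{
  "context_is_admin": "role:admin",
  "default": "",
  "add_metadef_namespace": "",
  "modify_metadef_namespace": "rule:default",
  "delete_metadef_namespace": "rule:context_is_admin",
  "get_metadef_namespace": ""
}""")

def is_open(expr, policy, seen=None):
    """True if oslo.policy would allow any caller: "" or "@", or an alias chain ending there."""
    expr = expr.strip()
    if expr in ("", "@"):
        return True
    m = re.fullmatch(r"rule:(\S+)", expr)
    if m:
        seen = seen or set()
        if m.group(1) in seen or m.group(1) not in policy:
            return False
        seen.add(m.group(1))
        return is_open(policy[m.group(1)], policy, seen)
    return False

def audit(policy):
    """Metadef write rules open to any user. A rule missing from a legacy policy file
    falls back to its "default" rule (policy-in-code releases use the in-code default)."""
    fallback = policy.get("default", "")
    return sorted(r for r in METADEF_WRITE_RULES if is_open(policy.get(r, fallback), policy))

def harden(policy, admin_rule="rule:context_is_admin"):
    """Copy of the policy with every metadef write rule restricted to admins."""
    fixed = dict(policy)
    for rule in METADEF_WRITE_RULES:
        fixed[rule] = admin_rule
    return fixed
```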