[keystone] Freeze exception
Hi,
This is me with my Vulnerability Management team hat on.
We have a number of security issues in keystone where the patch landed on master and just needs an icehouse backport:
https://bugs.launchpad.net/ossa/+bug/1348820
https://bugs.launchpad.net/ossa/+bug/1349597
https://bugs.launchpad.net/ossa/+bug/1347961
It might be worth including those security fixes in 2014.1.2 (rather than land them a few days after)...
We are working on getting backports proposed for those.
Cheers,
A backport for the first bug is now in review:
https://bugs.launchpad.net/ossa/+bug/1348820
  master https://review.openstack.org/#/c/109747/ (merged)
  stable/icehouse https://review.openstack.org/#/c/111772/
But at the moment, we're actually still working to land complete fixes for the second two in master.
https://bugs.launchpad.net/ossa/+bug/1349597
  master https://review.openstack.org/#/c/109820/ (gating at this moment; this also should have been Closes-Bug)
https://bugs.launchpad.net/ossa/+bug/1347961
  master https://review.openstack.org/#/c/111106/ (gating at this moment)
On Mon, Aug 4, 2014 at 9:57 AM, Thierry Carrez thierry@openstack.org wrote:
> Hi,
> This is me with my Vulnerability Management team hat on.
> We have a number of security issues in keystone where the patch landed on master and just needs an icehouse backport:
> https://bugs.launchpad.net/ossa/+bug/1348820
> https://bugs.launchpad.net/ossa/+bug/1349597
> https://bugs.launchpad.net/ossa/+bug/1347961
> It might be worth including those security fixes in 2014.1.2 (rather than land them a few days after)...
> We are working on getting backports proposed for those.
> Cheers,
> -- Thierry Carrez (ttx)
On 04/08/14 21:46, Dolph Mathews wrote:
> A backport for the first bug is now in review:
> https://bugs.launchpad.net/ossa/+bug/1348820
>   master https://review.openstack.org/#/c/109747/ (merged)
>   stable/icehouse https://review.openstack.org/#/c/111772/
I don't like the way you've backported that one. You've merged two commits from master into a single one. Why not backport them separately?
> But at the moment, we're actually still working to land complete fixes for the second two in master.
> https://bugs.launchpad.net/ossa/+bug/1349597
>   master https://review.openstack.org/#/c/109820/ (gating at this moment; this also should have been Closes-Bug)
> https://bugs.launchpad.net/ossa/+bug/1347961
>   master https://review.openstack.org/#/c/111106/ (gating at this moment)
Please send links to reviews when they are available.
/Ihar
Dolph Mathews wrote:
> A backport for the first bug is now in review:
> https://bugs.launchpad.net/ossa/+bug/1348820
>   master https://review.openstack.org/#/c/109747/ (merged)
>   stable/icehouse https://review.openstack.org/#/c/111772/
Ihar has a comment that you merged two patches in a single review.. any chance you could decouple the two and propose them separately?
> But at the moment, we're actually still working to land complete fixes for the second two in master.
> https://bugs.launchpad.net/ossa/+bug/1349597
>   master https://review.openstack.org/#/c/109820/ (gating at this moment; this also should have been Closes-Bug)
> https://bugs.launchpad.net/ossa/+bug/1347961
>   master https://review.openstack.org/#/c/111106/ (gating at this moment)
Those two just landed. Could you propose backports for them now? I'll get the approvals lined up.
Thanks for your help!
On Tue, Aug 5, 2014 at 5:01 AM, Thierry Carrez thierry@openstack.org wrote:
> Dolph Mathews wrote:
>> A backport for the first bug is now in review:
>> https://bugs.launchpad.net/ossa/+bug/1348820
>>   master https://review.openstack.org/#/c/109747/ (merged)
>>   stable/icehouse https://review.openstack.org/#/c/111772/
> Ihar has a comment that you merged two patches in a single review.. any chance you could decouple the two and propose them separately?
>> But at the moment, we're actually still working to land complete fixes for the second two in master.
>> https://bugs.launchpad.net/ossa/+bug/1349597
>>   master https://review.openstack.org/#/c/109820/ (gating at this moment; this also should have been Closes-Bug)
>> https://bugs.launchpad.net/ossa/+bug/1347961
>>   master https://review.openstack.org/#/c/111106/ (gating at this moment)
> Those two just landed. Could you propose backports for them now? I'll get the approvals lined up.
The fixes made to Juno are proposed as backports to stable/icehouse:
https://review.openstack.org/#/c/111845/ - Don't override tox envdir for pep8
https://review.openstack.org/#/c/112082/ - Add tests related to V2 token issued_at time changing
https://review.openstack.org/#/c/111772/ - Fix for V2 token issued_at time changing
https://review.openstack.org/#/c/112083/ - Correct revocation event test for domain_id
https://review.openstack.org/#/c/112084/ - Fix revoking domain-scoped tokens
https://review.openstack.org/#/c/112085/ - Add a test for revoking a scoped token from an unscoped
https://review.openstack.org/#/c/112086/ - Fix revoking a scoped token from an unscoped token
https://review.openstack.org/#/c/112102/ - Make test_revoke expiry times distinct
https://review.openstack.org/#/c/112087/ - Fix revocation event handling with MySQL
There were some minor-looking conflicts. There's also an issue where the tox envdir was shared and this was causing reviews to fail (111845), and there had been an earlier fix for the revocation tests that I picked up to get the unit tests to pass (112102).
- Brant
Brant Knudson wrote:
> The fixes made to Juno are proposed as backports to stable/icehouse:
> https://review.openstack.org/#/c/111845/ - Don't override tox envdir for pep8
> https://review.openstack.org/#/c/112082/ - Add tests related to V2 token issued_at time changing
> https://review.openstack.org/#/c/111772/ - Fix for V2 token issued_at time changing
> https://review.openstack.org/#/c/112083/ - Correct revocation event test for domain_id
> https://review.openstack.org/#/c/112084/ - Fix revoking domain-scoped tokens
> https://review.openstack.org/#/c/112085/ - Add a test for revoking a scoped token from an unscoped
> https://review.openstack.org/#/c/112086/ - Fix revoking a scoped token from an unscoped token
> https://review.openstack.org/#/c/112102/ - Make test_revoke expiry times distinct
> https://review.openstack.org/#/c/112087/ - Fix revocation event handling with MySQL
> There were some minor-looking conflicts. There's also an issue where the tox envdir was shared and this was causing reviews to fail (111845), and there had been an earlier fix for the revocation tests that I picked up to get the unit tests to pass (112102).
Thanks! All +2ed, waiting for a second one and APRV.
On 04/08/14 16:57, Thierry Carrez wrote:
> Hi,
> This is me with my Vulnerability Management team hat on.
> We have a number of security issues in keystone where the patch landed on master and just needs an icehouse backport:
> https://bugs.launchpad.net/ossa/+bug/1348820
> https://bugs.launchpad.net/ossa/+bug/1349597
> https://bugs.launchpad.net/ossa/+bug/1347961
> It might be worth including those security fixes in 2014.1.2 (rather than land them a few days after)...
I think we should consider all known security fixes as critical. From the Red Hat perspective, we backport all security fixes to our packaging. I expect other distributions to do the same. So by merging the fixes in upstream, we avoid additional multiplied burden downstream.
Other thoughts?
> We are working on getting backports proposed for those.
Please post the links to all the backport requests once they are available.
/Ihar