[openstack-dev] [Openstack-security] [Security]abandoned OSSNs?
Michael Xin
michael.xin at RACKSPACE.COM
Mon Apr 11 14:28:11 UTC 2016

Matt:
Thanks for asking this. I forwarded this email to the new email list so that folks with better knowledge can answer this.
Thanks and have a great day.
Yours,
Michael
-----------------------------------------------------------------------------
Michael Xin | Manager, Security Engineering - US
Product Security  |Rackspace Hosting
Office #: 501-7341   or  210-312-7341
Mobile #: 210-284-8674
5000 Walzem Road, San Antonio, Tx 78218
----------------------------------------------------------------------------
Experience fanatical support
From: Matt Fischer <matt at mattfischer.com>
Date: Monday, April 11, 2016 at 9:19 AM
To: "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
Subject: [Openstack-security] abandoned OSSNs?
Some folks from our security team here asked me to assure them that our services were patched for all the OSSNs that are listed here: https://wiki.openstack.org/wiki/Security_Notes
Most of these are straightforward, but there are some OSSNs that have been allocated an ID but then abandoned. There is no detailed wiki page and my best Google efforts lead me to a possible IRC mention and maybe an abandoned review. The two specifically are OSSN-50/51.
So what am I to do with an "abandoned" OSSN? Has it been decided that there is no issue anymore? These are pretty old if I look at the dates framing the other OSSNs (49/52), so I assume they aren't urgent. Can we ignore these? They sound somewhat scary, for example, "keystonemiddleware can allow access after token revocation" but I have no means to say whether it affects us or how we can mitigate without more info.
Thoughts?