[oslo][security-sig] Please revisit your open vulnerability report
openstack at nemebean.com
Thu Feb 18 16:36:52 UTC 2021
On 2/18/21 8:49 AM, Jeremy Stanley wrote:
> Please help the OpenStack Vulnerability Management Team by taking a
> look at the following report:
> keystonemiddleware connections to memcached from neutron-server
> grow beyond configured values
> Can it be exploited by a nefarious actor, and if so, how? Is it
> likely to be fixable in all our supported stable branches,
> respecting stable backport policy? What deployment configurations
> and options might determine whether a particular installation is
> susceptible? This is the sort of feedback we depend on to make
> determinations regarding whether and how to keep the public
> notified, so they can make informed decisions.
> Thanks for doing your part to keep our users safe!
I ended up just closing this one for Oslo because it appears that using
the oslo.cache backend actually fixes the bug.
I also pushed a patch for a formerly private bug that just bumps our
minimum pyyaml version to avoid a vulnerability. I suspect everyone is
already running newer versions of it, but if not now they know that they
Strangely, I don't remember getting an email notification about that
bug. I thought coresec team members were notified about private security
bugs. I guess I'll have to keep a closer eye on our bug list from now on.
More information about the openstack-discuss