[oslo][security-sig] Please revisit your open vulnerability report
Ben Nemec
openstack at nemebean.com
Thu Feb 18 16:36:52 UTC 2021
On 2/18/21 8:49 AM, Jeremy Stanley wrote:
> Please help the OpenStack Vulnerability Management Team by taking a
> look at the following report:
>
> keystonemiddleware connections to memcached from neutron-server
> grow beyond configured values
> https://launchpad.net/bugs/1883659
>
> Can it be exploited by a nefarious actor, and if so, how? Is it
> likely to be fixable in all our supported stable branches,
> respecting stable backport policy? What deployment configurations
> and options might determine whether a particular installation is
> susceptible? This is the sort of feedback we depend on to make
> determinations regarding whether and how to keep the public
> notified, so they can make informed decisions.
>
> Thanks for doing your part to keep our users safe!
>
I ended up just closing this one for Oslo because it appears that using
the oslo.cache backend actually fixes the bug.

I also pushed a patch for a formerly private bug[0] that just bumps our
minimum pyyaml version to avoid a vulnerability. I suspect everyone is
already running newer versions of it, but if not, now they know that they
should. :-)

Strangely, I don't remember getting an email notification about that
bug. I thought coresec team members were notified about private security
bugs. I guess I'll have to keep a closer eye on our bug list from now on.

0: https://bugs.launchpad.net/oslo.config/+bug/1839398