On 2021-02-18 10:36:52 -0600 (-0600), Ben Nemec wrote:
[...]
> I ended up just closing this one for Oslo because it appears that using the
> oslo.cache backend actually fixes the bug.

Thanks!

> I also pushed a patch for a formerly private bug[0] that just bumps our
> minimum pyyaml version to avoid a vulnerability. I suspect everyone is
> already running newer versions of it, but if not now they know that they
> should. :-)
>
> Strangely, I don't remember getting an email notification about that bug. I
> thought coresec team members were notified about private security bugs. I
> guess I'll have to keep a closer eye on our bug list from now on.
>
> 0: https://bugs.launchpad.net/oslo.config/+bug/1839398

Please double-check https://launchpad.net/oslo.config/+sharing and
make sure "Private Security: All" is shared with "OpenStack
Vulnerability Management team (openstack-vuln-mgmt)" but it's also
just possible we missed triaging that report when it was opened. VMT
members do periodically check
https://launchpad.net/openstack/+bugs?field.information_type%3Alist=PRIVATESECURITY
for anything that's slipped through the cracks. Not often, but I'm
pretty sure it's not been as long as the ~1.5 years since that bug
was opened.
-- 
Jeremy Stanley