[oslo][security-sig] Please revisit your open vulnerability report

Jeremy Stanley fungi at yuggoth.org
Thu Feb 18 17:03:19 UTC 2021

On 2021-02-18 10:36:52 -0600 (-0600), Ben Nemec wrote:
> I ended up just closing this one for Oslo because it appears that using the
> oslo.cache backend actually fixes the bug.
>
> I also pushed a patch for a formerly private bug[0] that just bumps our
> minimum pyyaml version to avoid a vulnerability. I suspect everyone is
> already running newer versions of it, but if not now they know that they
> should. :-)
>
> Strangely, I don't remember getting an email notification about that bug. I
> thought coresec team members were notified about private security bugs. I
> guess I'll have to keep a closer eye on our bug list from now on.
>
> 0: https://bugs.launchpad.net/oslo.config/+bug/1839398

Please double-check https://launchpad.net/oslo.config/+sharing and
make sure "Private Security: All" is shared with "OpenStack
Vulnerability Management team (openstack-vuln-mgmt)" but it's also
just possible we missed triaging that report when it was opened. VMT
members do periodically check
for anything that's slipped through the cracks. Not often, but I'm
pretty sure it's not been as long as the ~1.5 years since that bug
was opened.
Jeremy Stanley