[oslo][security-sig] Please revisit your open vulnerability report
Ben Nemec
openstack at nemebean.com
Thu Feb 18 18:39:52 UTC 2021
On 2/18/21 11:03 AM, Jeremy Stanley wrote:
> On 2021-02-18 10:36:52 -0600 (-0600), Ben Nemec wrote:
> [...]
>> I ended up just closing this one for Oslo because it appears that using the
>> oslo.cache backend actually fixes the bug.
>
> Thanks!
>
>> I also pushed a patch for a formerly private bug[0] that just bumps our
>> minimum pyyaml version to avoid a vulnerability. I suspect everyone is
>> already running newer versions of it, but if not now they know that they
>> should. :-)
>>
>> Strangely, I don't remember getting an email notification about that bug. I
>> thought coresec team members were notified about private security bugs. I
>> guess I'll have to keep a closer eye on our bug list from now on.
>>
>> 0: https://bugs.launchpad.net/oslo.config/+bug/1839398
>
> Please double-check https://launchpad.net/oslo.config/+sharing and
> make sure "Private Security: All" is shared with "OpenStack
> Vulnerability Management team (openstack-vuln-mgmt)" but it's also
> just possible we missed triaging that report when it was opened. VMT
> members do periodically check
> https://launchpad.net/openstack/+bugs?field.information_type%3Alist=PRIVATESECURITY
> for anything that's slipped through the cracks. Not often, but I'm
> pretty sure it's not been as long as the ~1.5 years since that bug
> was opened.
>
Okay, I did that. I think we may need to audit all of the Oslo projects
because the spot check I did on oslo.policy also did not have the needed
sharing, and did have someone who doesn't even work on OpenStack anymore
with access to private security bugs(!). I don't appear to have
permission to change that either. :-/
The other issue is probably that the Oslo projects are not part of the
openstack org on launchpad. We did that because the number of
projects made it easier to keep track of them if they were their own
org, but it does mean they wouldn't show up under a query for the
openstack org, unfortunately.
I thought I remembered getting a notification from launchpad itself when
a private security bug was opened, but it's been long enough since that
last would have happened that I may be wrong.