[oslo][security-sig] Please revisit your open vulnerability report

Ben Nemec openstack at nemebean.com
Thu Feb 18 18:39:52 UTC 2021

On 2/18/21 11:03 AM, Jeremy Stanley wrote:
> On 2021-02-18 10:36:52 -0600 (-0600), Ben Nemec wrote:
> [...]
>> I ended up just closing this one for Oslo because it appears that using the
>> oslo.cache backend actually fixes the bug.
> Thanks!
>> I also pushed a patch for a formerly private bug[0] that just bumps our
>> minimum pyyaml version to avoid a vulnerability. I suspect everyone is
>> already running newer versions of it, but if not now they know that they
>> should. :-)
>> Strangely, I don't remember getting an email notification about that bug. I
>> thought coresec team members were notified about private security bugs. I
>> guess I'll have to keep a closer eye on our bug list from now on.
>> 0: https://bugs.launchpad.net/oslo.config/+bug/1839398
> Please double-check https://launchpad.net/oslo.config/+sharing and
> make sure "Private Security: All" is shared with "OpenStack
> Vulnerability Management team (openstack-vuln-mgmt)" but it's also
> just possible we missed triaging that report when it was opened. VMT
> members do periodically check
> https://launchpad.net/openstack/+bugs?field.information_type%3Alist=PRIVATESECURITY
> for anything that's slipped through the cracks. Not often, but I'm
> pretty sure it's not been as long as the ~1.5 years since that bug
> was opened.

Okay, I did that. I think we may need to audit all of the Oslo projects 
because the spot check I did on oslo.policy also did not have the needed 
sharing, and did have someone who doesn't even work on OpenStack anymore 
with access to private security bugs(!). I don't appear to have 
permission to change that either. :-/

The other issue is probably that the Oslo projects are not part of the 
openstack org on launchpad. We did that because of the number of 
projects made it easier to keep track of them if they were their own 
org, but it does mean they wouldn't show up under a query for the 
openstack org, unfortunately.

I thought I remembered getting a notification from launchpad itself when 
a private security bug was opened, but it's been long enough since that 
last would have happened that I may be wrong.

More information about the openstack-discuss mailing list