[security-sig] Broken Security Link on Website and general bad discoverability of security related information

Jeremy Stanley fungi at yuggoth.org
Thu Feb 25 15:06:33 UTC 2021

On 2021-02-25 09:21:17 +0000 (+0000), Sven Kieske wrote:
> I just noticed, while researching information regarding these two CVEs:
> https://nvd.nist.gov/vuln/detail/CVE-2021-3177
> https://nvd.nist.gov/vuln/detail/CVE-2021-23336

Yes, those are indeed serious bugs, but OpenStack does not
officially distribute the Python interpreter nor its source code. We
generally recommend sensitive and production users of our software
consume our dependencies from a trusted distributor of those
components (for example, a major GNU/Linux distribution).
OpenStack's Vulnerability Management Team is focused on
vulnerabilities within the software OpenStack produces.

> That the Link to the Security Contacts on the Website is broken:
> https://www.openstack.org/openstack-security/ is a 404 for me.
> I found the dead link here:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce

Thanks, it looks like we were embedding some very old URLs in the
footer for our mailing list site which pointed to the foundation's
site for OpenStack rather than the community-managed security
information. I have proposed https://review.opendev.org/777602 to
correct this oversight.

> Another "Bug" imho is, that there is no information how to contact
> the security team on the main website, and the search for "security"
> does not really yield good results how to contact the security team either.

I agree. I've brought this up with the foundation web development
team who maintain that website for us, and I'll raise it with them
again and find out if they can work out something for better
discoverability. I'm not sure why it keeps disappearing or getting
moved, but I'll do my best to impress on them that having security
contact information linked from the most prominent pages (if not
every page) is important for our users.

If you'd stumbled onto their page about the "Community" at
https://www.openstack.org/community/ you'd see a "User resources"
section under "Contributor Resources" (yep, that's confusing) in the
footer with a link to "Security advisories" which is a fairly
terrible place for that to be hidden.

> If someone has any information on these vulnerabilities and how
> they affect openstack I'd be delighted to hear from you.

OpenStack is written primarily in Python, so it is entirely possible
for OpenStack to expose bugs in that dependency in a variety of
ways, as would be the case for any of OpenStack's thousands of
dependencies (after all, in most cases OpenStack depends on having
an operating system, and can likely expose bugs just about anywhere
within it for at least some configurations). I won't begin to
pretend I can examine the entire surface area of our millions of
lines of source code to point out the various ways that might
happen. Suffice to say, you should patch or upgrade your Python
interpreter using the packages supplied by your distribution. The
same goes for any vulnerability you're worried about, really.

> A cursory search of gerrit didn't yield anything. If I search the
> website using the integrated search for the CVE the top result is
> some 2021 Board Election.

Again, sorry that you couldn't find the security site, but for
reference it's https://security.openstack.org/ (and we'll get the
incorrect links you found corrected to that in short order). You'll
only find advisories there for vulnerabilities in the software which
is produced by the OpenStack community, so for example advisories
about software produced by the Python community would be somewhere
on or linked from the python.org site instead.

> RedHat and Suse both state that their distributions of openstack
> are affected:
> https://access.redhat.com/security/cve/cve-2021-23336
> https://www.suse.com/security/cve/CVE-2021-23336/
> So I guess the base distro is also affected, as these are core
> openstack components imho?

There is no "base distro" of OpenStack. Red Hat and SUSE both
produce distributions of OpenStack which, strictly speaking, means
OpenStack software combined with other software such as OpenStack's
dependencies and an operating system to run it all on. So in those
cases it's the Python interpreters in their distributions which the
vulnerabilities you linked are affecting, but not the OpenStack
software which they're also including in the distributions.

Jeremy Stanley