[oslo][security-sig] Please revisit your open vulnerability report

Ben Nemec openstack at nemebean.com
Fri Mar 26 21:52:52 UTC 2021

Finally got back to this. More below.

On 2/18/21 1:13 PM, Jeremy Stanley wrote:
> On 2021-02-18 12:39:52 -0600 (-0600), Ben Nemec wrote:
> [...]
>> Okay, I did that. I think we may need to audit all of the Oslo projects
>> because the spot check I did on oslo.policy also did not have the needed
>> sharing, and did have someone who doesn't even work on OpenStack anymore
>> with access to private security bugs(!). I don't appear to have permission
>> to change that either. :-/
> Aha, thanks, that explains why the VMT members wouldn't have been
> notified (or even able to see the bug at all).
> If you put together a list of which ones need fixing, I think I have
> a backdoor via being a member of the group which is the owner of the
> groups which are listed as maintainer or owner of many of those
> projects, so should be able to temporarily add myself to a group
> which has access to adjust the sharing on them. Also at the moment,
> the only Oslo deliverables which are listed as having explicit VMT
> oversight are castellan and oslo.config. If there are others you
> want our proactive help with, please add this tag to them:
> https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html

I'll bring up VMT again with the Oslo team. I know it came up a few 
years ago, but I can't remember why it never happened. Probably I just 
never followed up.

I have added the openstack-vuln-mgmt team to most of the Oslo projects. 
I apparently don't have permission to change settings in oslo.policy, 
oslo.windows, and taskflow, so I will need help with that. After going 
through all of the projects, my guess is that the individual people who 
have access to the private security bugs are the ones who created the 
project in the first place. I guess that's fine, but there's an argument 
to be made that some of those should be cleaned up too.

I also noticed that oslo-coresec is not listed in most of the projects. 
Is there any sort of global setting that should give coresec members 
access to private security bugs, or do I need to add that to each project?
