[Openstack-security] [OSSN] Draft: Nova Baremetal Exposes Previous Tenant Data

Jeremy Stanley fungi at yuggoth.org
Tue Jul 2 19:06:18 UTC 2013


On 2013-07-02 12:53:34 -0600 (-0600), Kurt Seifried wrote:
> Huh? According to: https://wiki.openstack.org/wiki/Baremetal
> 
> "This driver was added to the Grizzly release, but it should be
> considered somewhat experimental at this point. See the Bugs section
> for information and links to the Launchpad bug listings."
> 
> also no mention of any security issues with respect to data not being
> wiped. Now I get that the software hasn't been officially blessed as
> production ready, but it has been released publicly. Unless there is a
> compelling reason not to assign a CVE for this (speak up now!) I'll do
> so later today.

I agree it's unfortunate if security precautions weren't spelled out
in the release notes, so if that qualifies for a CVE then it sounds
like we probably do need one. In your opinion would it have needed a
CVE if the situation were spelled out in the release notes already?

I suppose this drives to a process question for us as a project,
whether we can actually develop work-in-progress/experimental
features in-tree with a timed release schedule, knowing that we may
need to consider either (dangerously) ripping them back out at
release time or announcing known security vulnerabilities in them at
release time instead.
-- 
Jeremy Stanley
