[Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

Robert Collins robertc at robertcollins.net
Mon Jun 3 19:11:40 UTC 2013


What if we were to always do a release after a security advisory?
On 4 Jun 2013 06:25, "Jeremy Stanley" <fungi at yuggoth.org> wrote:

> On 2013-06-03 10:51:19 -0700 (-0700), Lloyd Dewolf wrote:
> [...]
> > Interestingly, the OSSA 2013-014 notice did include
> > "python-keystoneclient fix (will be included in upcoming 0.2.4
> > release)".
>
> I'm going to chalk that up to Thierry knowing the version number at
> that point, since the OSSA 2013-014 fix is what got tagged with
> 0.2.4 the next morning. On the other hand the -013 fix was a
> lower-priority feature enhancement and I didn't want to rely on a
> versioning guess a week ahead. Client releases are handled a bit
> more independently compared to OpenStack server components (where we
> can predict release milestone dates fairly accurately).
>
> As a general rule I'm going to try to include the release version
> numbers in advance when I can do so safely, and otherwise rely on
> subsequent release announcements.
> --
> Jeremy Stanley