Nick | Message | Time |
---|---|---|
fungi | this bug report was just brought to my attention: https://bugzilla.redhat.com/show_bug.cgi?id=2105419 | 11:33 |
fungi | looks like red hat assigned a cve for it, but never reported it upstream to keystone | 11:33 |
*** | blarnath is now known as d34dh0r53 | 12:27 |
fungi | reminder that we're holding our monthly meeting in roughly 10 minutes | 14:49 |
fungi | #startmeeting security | 15:01 |
opendevmeet | Meeting started Thu Oct 6 15:01:11 2022 UTC and is due to finish in 60 minutes. The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:01 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:01 |
opendevmeet | The meeting name has been set to 'security' | 15:01 |
fungi | apologies, i'll be a bit slow chairing since i'm quite unprepared. it's been a busy week! | 15:01 |
fungi | #link https://etherpad.opendev.org/p/security-agenda Meeting Agenda | 15:03 |
fungi | i'll add a section there real fast ;) | 15:03 |
fungi | #topic Prior Actions | 15:04 |
fungi | #link https://meetings.opendev.org/meetings/security/2022/security.2022-09-01-15.02.html (previous minutes) | 15:05 |
fungi | fungi propose xstatic discussion topic on horizon ptg agenda | 15:05 |
fungi | i haven't done that, though at this point i'm unsure what the interest is from the horizon side, but i'll do that real fast | 15:06 |
fungi | though it doesn't appear they've made an etherpad for proposed discussion topics | 15:08 |
fungi | so maybe i'll follow up with them first | 15:08 |
fungi | #action fungi propose xstatic discussion topic on horizon ptg agenda | 15:09 |
fungi | readded for now | 15:09 |
fungi | fungi add new volunteers to embargo-notice ml | 15:09 |
fungi | i've done that | 15:09 |
fungi | fungi update ossn/security-doc members in gerrit and launchpad | 15:09 |
fungi | i've started on that but not finished yet, noting that some of those groups are waaaaaay out of date and need substantial cleanup of alumni who haven't been contributing actively for years. i'll readd the action for now | 15:10 |
fungi | #action fungi update ossn/security-doc members in gerrit and launchpad | 15:10 |
fungi | fungi reach out to nova reviewers about 850003 | 15:10 |
fungi | #link https://review.opendev.org/850003 Gracefully ERROR in _init_instance if vnic_type changed | 15:11 |
fungi | seems that has merged as of september 10 | 15:12 |
fungi | fixed in zed, with backports proposed for all supported stable branches (so back as far as stable/wallaby) | 15:13 |
fungi | d34dh0r53: if you wanted to pick this back up, we could probably get a draft ossa proposed in gerrit with links to all the backports now and a (more final) list of affected versions | 15:14 |
fungi | we probably shouldn't move forward with publication until the backports merge, though we probably can as long as they seem to be getting positive reviews and passing tests | 15:14 |
fungi | we've never really set a strict policy on timing for ossa publication with regard to already public vulnerability reports, aside from being able to point to the available patches somewhere (even if they haven't merged) | 15:16 |
fungi | it's more a judgement call in order to potentially save ourselves extra work with subsequent errata | 15:16 |
fungi | and given those backports are all failing tests and have no code reviews yet, it's probably best we hold off a little longer still | 15:17 |
fungi | but there was some activity on them as recently as last week, so i don't think we need any new action item coming out of the meeting for that | 15:18 |
fungi | fungi switch bug 1981813 to class b1 for now | 15:18 |
fungi | #link https://launchpad.net/bugs/1981813 Compute service fails to restart if the vnic_type of a bound port changed from direct to macvtap (CVE-2022-37394) | 15:18 |
fungi | we can drop this, as it's apparent some attempt at backporting is underway | 15:19 |
fungi | fungi switch advisory tasks for old public security bugs to won't fix for now | 15:19 |
fungi | i haven't completely made an attempt at this yet, but i've punted it to our ptg topics (i'll cover that in a few minutes), so not readding the action item | 15:20 |
fungi | fungi schedule an hour at the ptg for the security sig | 15:20 |
fungi | i've done that, we're set for an hour starting at 15:00 utc on wednesday of the ptg | 15:21 |
fungi | #topic Public Bug Reports | 15:22 |
fungi | #link https://storyboard.openstack.org/#!/story/2010004 Remote code execution: Trove backup | 15:23 |
fungi | #link https://launchpad.net/bugs/1989008 Lax rulesets leading to privilege escalation vulnerabilities | 15:24 |
fungi | #link https://bugzilla.redhat.com/show_bug.cgi?id=2105419 Application credential token remains valid longer than expected | 15:25 |
fungi | that last one doesn't seem to have a corresponding upstream bug report, even though red hat assigned it a cve | 15:26 |
gagehugo | o/ | 15:26 |
gagehugo | apologies for being late | 15:26 |
fungi | no worries! we have logs ;) | 15:26 |
fungi | #topic PTG Planning | 15:27 |
fungi | so, as mentioned a few minutes ago, we have an hour (15:00 utc on wednesday) | 15:27 |
fungi | i can always add another one if that's a conflict for people who had things they want to cover | 15:28 |
fungi | i've started a list of proposed discussion topics and activities, though it's far from chiseled in stone: | 15:28 |
fungi | #link https://etherpad.opendev.org/p/oct2022-ptg-openstack-security | 15:28 |
fungi | i figured if nothing else, we can debate some of the currently public security bugs and maybe close some out if we can determine they're no longer relevant (or at least close out our security advisory tasks if it looks like they're unneeded or unlikely to happen any time soon) | 15:29 |
fungi | also we could work on getting some old ossg stuff moved off the wiki, or at least plan and divvy up tasks for that | 15:30 |
fungi | if anybody has anything else to bring up, please add it | 15:31 |
fungi | #topic Open Discussion | 15:32 |
fungi | a couple of things to note... first is that i did a quick cleanup of our sig's main page on the wiki | 15:33 |
fungi | #link https://wiki.openstack.org/wiki/Security-SIG | 15:33 |
fungi | i took a hatchet to a lot of old ossg info, as well as anything which was redundant with what we've got on the current security.o.o site | 15:33 |
fungi | also there's a security-related post to the openstack-discuss ml from today: | 15:34 |
fungi | #link https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030755.html Openstack Security Assessments | 15:35 |
fungi | i made an initial attempt to answer it, but in short, some security folks are looking at openstack security from the end-user guidance perspective, which i don't think we've really done any coordinated attempt at documenting | 15:35 |
fungi | as i note in my reply, most of our focus has been on fixing vulnerabilities in the software and discussing how to securely deploy and operate it | 15:36 |
fungi | but not much i'm aware of telling users the dos and don'ts about using the services securely | 15:37 |
fungi | anyway, if anybody has more to add, please follow up to that ml thread | 15:37 |
fungi | anything else anyone wants to bring up before we close the meeting? | 15:38 |
gagehugo | nothing from me | 15:41 |
fungi | thanks gagehugo! | 15:45 |
fungi | #endmeeting | 15:45 |
opendevmeet | Meeting ended Thu Oct 6 15:45:34 2022 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:45 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/security/2022/security.2022-10-06-15.01.html | 15:45 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/security/2022/security.2022-10-06-15.01.txt | 15:45 |
opendevmeet | Log: https://meetings.opendev.org/meetings/security/2022/security.2022-10-06-15.01.log.html | 15:45 |