SvenKieske | wondering if this issue/bugfix qualifies as a security issue and if we should publish a security notice for it? https://bugs.launchpad.net/python-openstackclient/+bug/2054629 | 12:22 |
---|---|---|
fungi | SvenKieske: i'm missing crucial details about the impact of that bug. is it that if you use osc to create a new sg and tell it not to base it on the default sg, it does so anyway? | 12:28 |
fungi | if so, i guess the risk is that people creating security groups might think they're not based on their default security group when they really are, potentially exposing systems to the internet in unwanted ways? | 12:59 |
SvenKieske | fungi: the linked patch has more details: https://review.opendev.org/c/openstack/python-openstackclient/+/909815 " | 13:19 |
SvenKieske | Currently the Default setting for CustomSG Rule | 13:19 |
SvenKieske | is set to True, this means all new SGs inherit | 13:19 |
SvenKieske | these rules, with no way for user to override | 13:20 |
SvenKieske | this behavior." | 13:20 |
fungi | SvenKieske: okay, so revisiting the scenario then, osc doesn't currently provide users with a way to create security groups which don't inherit rules from the default security group, and it's being improved to make that possible. that sounds like a new feature to me, not a fix for an exploitable vulnerability | 13:21 |
SvenKieske | so if a custom insecure SG Rule is created, which might be okay for VM $foo or project $bar you could open up your env $x to unwanted network attention, at least that is my understanding. | 13:21 |
SvenKieske | mhm, of course you could read it also as a new feature. not sure, that's why I'm asking here first :) | 13:22 |
fungi | SvenKieske: also, the change you linked doesn't seem to update any documentation at all (not even a release note?), nor add any new options, it's just changing the behavior of the existing options. that's surprising | 13:23 |
SvenKieske | yeah, I was also wondering about that, but it's not my main opendev project, so I don't know about the standards there about breaking changes to defaults... *shrugs* | 13:24 |
SvenKieske | I agree I would have insisted on a reno there :) | 13:24 |
SvenKieske | I guess I'll ping artem | 13:25 |
SvenKieske | done that | 13:27 |
fungi | so if you're asking whether a behavior change like that in a security-relevant part of a project deserves to be communicated to users, i feel like the answer is yes. but there are probably better ways to communicate this than trying to turn it into a security advisory about a vulnerability | 13:28 |