| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-009 (CVE-2026-43002) https://review.opendev.org/c/openstack/ossa/+/986480 | 06:27 |
|---|---|---|
| gouthamr | a CVE assignment came through for https://review.opendev.org/c/openstack/ossa/+/986480 and the Horizon team has managed to backport the bug fix to the affected release (2026.1). Could use a pair of eyes when you're around JayF rosmaita | 06:29 |
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-009 (CVE-2026-43002) https://review.opendev.org/c/openstack/ossa/+/986480 | 06:29 |
| oschwart | Hello folks, good day. I am the current Designate PTL and I have just seen Goutham's email from last Friday | 09:27 |
| oschwart | I wasn't added to the https://launchpad.net/~designate-coresec team, can anyone add me? | 09:28 |
| opendevreview | cid proposed openstack/ossa master: Add OSSA-2026-010: Credential Forwarding to URLs https://review.opendev.org/c/openstack/ossa/+/986863 | 19:55 |
| JayF | gouthamr: rosmaita: https://review.opendev.org/c/openstack/ossa/+/986863 is ready for announcement tomorrow, if it LGTY | 20:15 |
| rosmaita | will take a look | 20:16 |
| JayF | actually, have a suggested revision | 20:17 |
| JayF | please wait for my comment, I just found a missing thing. | 20:17 |
| JayF | nevermind, I'm wrong I believe | 20:18 |
| rosmaita | ack | 20:18 |
| gouthamr | hey JayF! can take a look too | 20:21 |
| gouthamr | JayF: how did the CVE get assigned? did someone else issue it? | 20:21 |
| JayF | CID emailed a request for it based on my instruction. Just delegated it to him since it was a non-embargoed bug and I had shown him the process I followed for the previous unembargoed CVE bug. | 20:22 |
| gouthamr | JayF: since the bug's public, i expected that MITRE would already release the CVE details.. but, https://www.cve.org/CVERecord?id=CVE-2026-42997 thinks it was issued by a CNA? | 20:22 |
| JayF | It may have not been listed as a public one when filed with MITRE, those show up weird until approved. | 20:22 |
| JayF | speaking of, I need to email them about one I did recently, I think -008, actually, and link to the OSSA | 20:23 |
| JayF | I suspect when I did -008 I didn't click a checkbox properly for an embargoed change, and this got copied into his -009 ticket | 20:24 |
| gouthamr | ack, i am still grokking some things about the CVE requests | 20:25 |
| gouthamr | i requested one for Keystone several times and never got a notification; seemed super weird. for all i can tell, there's some automation breaking with an error that's not surfaced to the requester, and MITRE doesn't tell you either | 20:26 |
| gouthamr | for this one: https://bugs.launchpad.net/keystone/+bug/2141713 | 20:27 |
| JayF | yep, they are highly inconsistent | 20:28 |
| JayF | including things like making the CVE appear right in their web UI | 20:28 |
| JayF | if it was assigned this morning (I think it was), I'm not shocked it's not displaying as you'd expect on cve.org | 20:28 |
| gouthamr | yes | 20:29 |
| gouthamr | awesome, let's coordinate 009 and 010 then, timing wise | 20:29 |
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-009 (CVE-2026-43002) https://review.opendev.org/c/openstack/ossa/+/986480 | 20:32 |
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-009 (CVE-2026-43002) https://review.opendev.org/c/openstack/ossa/+/986480 | 20:33 |
| rosmaita | gouthamr: LGTM, is there any reason not to go ahead and merge it now? | 20:43 |
| gouthamr | no reason rosmaita | 20:44 |
| rosmaita | :D | 20:44 |
| opendevreview | Merged openstack/ossa master: Add OSSA-2026-009 (CVE-2026-43002) https://review.opendev.org/c/openstack/ossa/+/986480 | 20:47 |
| gouthamr | ty rosmaita JayF | 21:11 |
| gouthamr | JayF: when was the "molds" feature deprecated? | 21:11 |
| JayF | long enough ago we should've removed it | 21:12 |
| JayF | issue is with that OSSA: if the driver it's in is enabled, you're vuln whether you use the feature or not | 21:12 |
| gouthamr | ah, i think, because of the way the current statement is written, i'd ask to include that detail | 21:13 |
| JayF | removing that feature from master is in the gate, but our gate is busted, but we won't release Hibiscus with it | 21:13 |
| gouthamr | ack, fair | 21:13 |