| nick | message | time |
|---|---|---|
| fungi | JayF: gouthamr: in the cve request form additional notes i usually indicate whether the bug is under private embargo or is already public. it's helped in the past, but if you've done that and it's not helping i'm unsurprised, they're dealing with the same deluge we are, after all | 00:48 |
| gouthamr | fungi: ack, i've been doing that too; my problem's been that the form fails silently and i need to keep trying different things to get a confirmation :D | 14:38 |
| gouthamr | but cid could confirm how his request was filed | 14:38 |
| opendevreview | Jay Faulkner proposed openstack/ossa master: [OSSA-2026-010]: Ironic conf mold token leak https://review.opendev.org/c/openstack/ossa/+/986863 | 14:56 |
| JayF | gouthamr: rosmaita: https://review.opendev.org/c/openstack/ossa/+/986863 edited for review feedback; I will announce this version in about an hour if there's no negative feedback | 14:57 |
| rosmaita | looking | 14:57 |
| rosmaita | JayF: looks like you have an extra blank line at the bottom, but also i'd prefer you explicitly say it will not appear in the Hibiscus release | 15:01 |
| JayF | leave that comment and I'll update, I'm in a meeting | 15:08 |
| JayF | ty | 15:08 |
| rosmaita | ack | 15:12 |
| JayF | https://bugs.launchpad.net/ironic/+bug/2148307 is now public | 15:23 |
| opendevreview | cid proposed openstack/ossa master: [OSSA-2026-010]: Ironic conf mold token leak https://review.opendev.org/c/openstack/ossa/+/986863 | 15:41 |
| rosmaita | gouthamr: ^^ is a minor update, if you want to renew your +2 and approve the patch | 15:49 |
| gouthamr | done rosmaita | 15:56 |
| rosmaita | thanks! | 15:56 |
| opendevreview | Merged openstack/ossa master: [OSSA-2026-010]: Ironic conf mold token leak https://review.opendev.org/c/openstack/ossa/+/986863 | 15:57 |
| JayF | I'm sending announcements for OSSA-2026-010 now | 16:39 |
| gouthamr | ++ | 16:40 |
| JayF | AHA! That's what screwed up my last email! | 16:40 |
| JayF | copy paste from https://a1110360d0aa5b1915ef-de0170061a4c33caf35d62b404ee94ad.ssl.cf5.rackcdn.com/openstack/d1743bf2e3bb48aa9eba6542304af42f/docs/_sources/ossa/OSSA-2026-010.rst.txt -> email compose window | 16:40 |
| JayF | text formatting (white, because dark mode) copied over | 16:40 |
| gouthamr | accepted on openstack-announce, ty JayF | 16:44 |
| fungi | https://www.djangoproject.com/weblog/2026/may/05/security-releases/ is likely of interest to people operating horizon | 20:32 |
| gouthamr | i brain dumped some tribal knowledge about bug tracking on launchpad here: https://review.opendev.org/c/openstack/project-team-guide/+/987433 | 21:30 |
| gouthamr | would appreciate a review | 21:30 |
| gouthamr | i asked questions and fixed manila's trackers for security/VMT conformance.. other people may have the same issues | 21:31 |
| fungi | this paramiko audit may be of interest, especially since its continued use has come up in the context of the nascent pqc pop-up team: https://ostif.org/paramiko-audit-complete/ | 22:33 |
| gouthamr | that's a great find, fungi | 22:45 |
| fungi | i can't take credit, it got mentioned on oss-security | 22:45 |
| gouthamr | they claim all their HIGH and MEDIUM findings are getting addressed in 4.0.0 | 22:45 |
| gouthamr | after* | 22:48 |
| gouthamr | 4.0.0 was Aug 2025 | 22:48 |
| fungi | yeah, 5.0.0 it said, i think? | 22:52 |
| fungi | coming later this month | 22:52 |