Thursday, 2026-05-28

sean-k-mooney	so this is a thing https://www.redhat.com/en/about/press-releases/project-lightwell-secure-open-source https://www.ibm.com/products/lightwell	13:13
sean-k-mooney	its a redhat ibm version of i guess https://www.anthropic.com/glasswing	13:13
sean-k-mooney	no real ideay of what that actully means in practice but this was apprently jsut anouchned	13:14
sean-k-mooney	... i hate when compaiens do joint anouchment that pingpong you from a to b back to a differnt part of a	13:16
sean-k-mooney	https://www.redhat.com/en/lightwell	13:16
sean-k-mooney	readinbg between the line this is perhaps more focused on teh "how do you deleiver the security fix in the old enterpise version" more then just how do you fix it	13:21
sean-k-mooney	so not actully sure how much of this would be applicabel upstream	13:21
sean-k-mooney	"Red Hat scans, backports, tests, signs, and delivers patched artifacts at the customer's pinned version. Patches are contributed upstream simultaneously." that imples that there would be an upstream compoent but woudl not be entrilly correct chronologiclaly as it shoudl eb fixed upstream first with teh cusotemr delviery soon there after	13:23
sean-k-mooney	but then again those sits are defeinly more marketing and custoemr focus then engeinering focused	13:24
fungi	yeah, hard to read between the lines of marketing and hype in those press releases	13:33
JayF	I basically just assume it's all hype. If it's something of value I'll hear about it in a better way than their own press releases.	14:20
gouthamr	https://bugs.launchpad.net/keystone/+bug/2150089 is now public	15:06
gouthamr	https://bugs.launchpad.net/keystone/+bug/2149789 is now public	15:06
gouthamr	https://bugs.launchpad.net/keystone/+bug/2148477 is now public	15:06
gouthamr	https://bugs.launchpad.net/keystone/+bug/2148398 is now public	15:06
gouthamr	https://bugs.launchpad.net/keystone/+bug/2150379 is now public	15:06
gouthamr	these are related to:	15:06
gouthamr	https://bugs.launchpad.net/keystone/+bug/2149775 which has been publicly addressed a while ago	15:06
gouthamr	gtema: thanks for the fixes.. will upload the ossa now, would appreciate a review	15:41
opendevreview	Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-016 (CVE-2026-42998, CVE-2026-42999, CVE-2026-43000, CVE-2026-43001, CVE-2026-44394) https://review.opendev.org/c/openstack/ossa/+/990524	15:41
gtema	ok, doing it now	15:41
gouthamr	i will have to renumber.. 015 hasn't merged yet	15:43
opendevreview	Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-015 (multiple CVEs) https://review.opendev.org/c/openstack/ossa/+/990526	15:43
* gouthamr fixed the long title, will seek advice from vmt vets if that's okay		15:44
fungi	looking!	15:45
gouthamr	thank you fungi	15:45
fungi	i like the title, good work	15:45
fungi	the impact description is unavoidably lengthy	15:45
fungi	but well-written and comprehensive without including unnecessary detail	15:47
fungi	affected versions list looks correct, double-checked the releases site	15:48
fungi	gouthamr: oh, i was reviewing 990524 which you abandoned. can i assume 990526 is identical aside from the ossa number?	15:51
fungi	i assume you accidentally blew away the change-id in the commit message which caused it to be a new change instead of just a revision to that one	15:52
gouthamr	yes, rookie mistake ten years in	15:52
fungi	nah, happens to me too	15:52
gouthamr	fungi: do you prefer i restore the CVE numbers onto the title?	15:53
fungi	no it's fine	15:53
gouthamr	thank you :)	15:53
fungi	i'll double-check the preview render as soon as zuul reports	15:54
gouthamr	++	15:54
gouthamr	gtema: thank you for your hard work on this!	15:54
gtema	sure	15:55
fungi	also is 990398 ready to review once the ossa number gets incremented?	15:55
gouthamr	yes, i'm editing it now.. will push it back up	15:55
opendevreview	Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-016 (CVE-2026-pending) https://review.opendev.org/c/openstack/ossa/+/990398	16:01
opendevreview	Merged openstack/ossa master: Add OSSA-2026-015 (multiple CVEs) https://review.opendev.org/c/openstack/ossa/+/990526	16:16
* gouthamr writes email		16:19
fungi	gouthamr: 990398 has yesterday's date, if you bump that to current i'll reapprove	16:20
gouthamr	yes	16:20
fungi	and yeah, OSSA-2026-015 is live on the security site now as of a few seconds ago	16:20
opendevreview	Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-016 (CVE-2026-pending) https://review.opendev.org/c/openstack/ossa/+/990398	16:21
fungi	thanks!	16:21
fungi	that's now on the way in too	16:21
gouthamr	thank you fungi!	16:22
fungi	no, thank you! (and everyone else involved)	16:22
fungi	i did the easy part	16:22
opendevreview	Merged openstack/ossa master: Add OSSA-2026-016 (CVE-2026-pending) https://review.opendev.org/c/openstack/ossa/+/990398	16:28
fungi	gouthamr: OSSA-2026-016 is live too as of the past ~10 minutes	16:39
gouthamr	ty, email incoming :)	16:44
* gouthamr informed MITRE about CVE-2026-42998, CVE-2026-42999, CVE-2026-43000, CVE-2026-43001, CVE-2026-44394.. will post on the bugs too		16:44
zigo	gouthamr: Are versions of neutron before Epoxy not affected by OSSA-2026-016 ? Or should I also do the backports ?	16:46
gouthamr	zigo: yes, the bug was introduced in 2025.1	16:47
zigo	Ok, thanks.	16:47
fungi	confirmed, i checked that in the bug when reviewing the advisory	16:47
fungi	i suppose it's possible the bug got backported to an earlier stable branch like happened with ossa-2026-014 but i found no evidence that was the case (it came in with feature work so shouldn't have been backport-eligible regardless)	16:48
gouthamr	https://bugs.launchpad.net/ossn/+bug/2150121 is now public	18:16

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!