| Nick | Message | Time |
|---|---|---|
| tobias-urdin | we were able to trace that microsoft was marking the pre-OSSA emails, specifically those from gouthamr as spam :( we've added his email address to our allowlist | 14:07 |
| fungi | tobias-urdin: thanks for confirming, and reminding me that it's likely a case of needing to turn on dmarc mitigation in that list's configuration | 14:08 |
| fungi | we should probably do similar on openstack-announce too, for the same reasons | 14:09 |
| gouthamr | is there anything i'm missing client side? | 14:22 |
| fungi | since these messages are openpgp-signed (typically with pgp-mime encapsulation), we would probably want to use mailman's "wrap the message in an outer message From: the list" instead of merely "replace From: with the list address" | 14:23 |
| fungi | gouthamr: i expect the problem is that your mail provider is adding a dkim signature across a hash of things the mailing list modifies, like the subject line and message body, and publishes dmarc rules in dns for that domain, so any dmarc-enforcing recipients are considering the message forged since the dkim signature doesn't validate | 14:25 |
| fungi | dmarc enforcement is based on the address in the From: header, so the typical mitigations involve having the mailing list's address as From: on the message, either by replacing the original From: header completely or wrapping the original message in one with a different From: header | 14:27 |
| JayF | https://bugs.launchpad.net/ironic/+bug/2150624 https://bugs.launchpad.net/ironic/+bug/2148333 https://bugs.launchpad.net/ironic/+bug/2148319 are all now public | 14:27 |
| fungi | standing by to review | 14:28 |
| gouthamr | https://bugs.launchpad.net/mistral/+bug/2147178 is now public | 14:33 |
| gouthamr | https://bugs.launchpad.net/mistral/+bug/2146554 is now public | 14:34 |
| opendevreview | Jay Faulkner proposed openstack/ossa master: OSSA-2026-017, OSSA-2026-018, OSSA-2026-019 https://review.opendev.org/c/openstack/ossa/+/991424 | 14:44 |
| opendevreview | Jay Faulkner proposed openstack/ossa master: OSSA-2026-017, OSSA-2026-018, OSSA-2026-019 https://review.opendev.org/c/openstack/ossa/+/991424 | 14:45 |
| JayF | gouthamr: fungi: ^ -- I've also asked coresec to review | 14:47 |
| JayF | *ironic coresec | 14:47 |
| fungi | thanks, i'm also going through double-checking all the urls go to the expected bugs/changes | 14:47 |
| JayF | please yes | 14:52 |
| gouthamr | tobias-urdin: o/ got your subscription request for a mistral bug, but i just opened it up to the public | 14:52 |
| opendevreview | Goutham Pacha Ravi proposed openstack/security-doc master: Add OSSN-0098: Mistral workflow context exposes auth token https://review.opendev.org/c/openstack/security-doc/+/991428 | 14:53 |
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-020 (CVE-2026-41283) https://review.opendev.org/c/openstack/ossa/+/991430 | 14:56 |
| fungi | JayF: 017/018/019 lgtm. gouthamr: i'm going through the urls for 020 now | 15:00 |
| tobias-urdin | gouthamr: ack | 15:01 |
| fungi | zuul's preview builds for all 4 advisories lgtm too | 15:09 |
| opendevreview | Jay Faulkner proposed openstack/ossa master: OSSA-2026-017, OSSA-2026-018, OSSA-2026-019 https://review.opendev.org/c/openstack/ossa/+/991424 | 15:12 |
| fungi | still lgtm after that last revision | 15:13 |
| opendevreview | Merged openstack/ossa master: Add OSSA-2026-020 (CVE-2026-41283) https://review.opendev.org/c/openstack/ossa/+/991430 | 16:15 |
| JayF | 991424 still doesn't have a node for the gate job :| | 16:18 |
| gouthamr | it does now | 16:19 |
| fungi | just got one | 16:19 |
| JayF | \o/ | 16:21 |
| fungi | at least https://security.openstack.org/ossa/OSSA-2026-020.html is already up on the site | 16:22 |
| fungi | so the others shouldn't be much longer | 16:22 |
| JayF | I'm drafting the emails up now | 16:23 |
| opendevreview | Merged openstack/ossa master: OSSA-2026-017, OSSA-2026-018, OSSA-2026-019 https://review.opendev.org/c/openstack/ossa/+/991424 | 16:24 |
| gouthamr | \o/ | 16:24 |
| fungi | and the next afs vos release should happen in about 30 seconds | 16:24 |
| fungi | oh, though i think it raced the promote job | 16:25 |
| fungi | so we're looking at 16:30 utc for it to be live | 16:25 |
| fungi | yeah, it just got pushed into the rw volume so ro replicas will have it on the next vos release | 16:26 |
| JayF | going to send the emails now() then | 16:28 |
| gouthamr | JayF: perfect, when you're back, i've https://review.opendev.org/c/openstack/security-doc/+/991428 to tack on | 16:29 |
| JayF | gouthamr: you are making sure these end up in wiki too, right? | 16:30 |
| gouthamr | yes | 16:30 |
| JayF | +2a | 16:30 |
| fungi | they do include wiki links in the content ;) | 16:30 |
| JayF | https://wiki.openstack.org/wiki/OSSN/OSSN-0098 is empty right now, is why I ask | 16:31 |
| JayF | which that points to | 16:31 |
| gouthamr | ah, i do that after merge | 16:31 |
| fungi | got it | 16:31 |
| fungi | i'll admit, that's one url i didn't actually test | 16:31 |
| fungi | good call | 16:31 |
| gouthamr | try now | 16:33 |
| fungi | gouthamr: you have 2 copies of the 020 advisory in the openstack-announce moderation queue, i assume you accidentally sent twice? | 16:34 |
| gouthamr | ugh, WHY is this happening | 16:34 |
| JayF | MITRE notified about the publication of the three Ironic CVEs | 16:34 |
| fungi | gouthamr: i'll accept the first one and discard the second, if that's okay | 16:34 |
| gouthamr | yes please | 16:34 |
| opendevreview | Merged openstack/security-doc master: Add OSSN-0098: Mistral workflow context exposes auth token https://review.opendev.org/c/openstack/security-doc/+/991428 | 16:42 |
| gouthamr | fungi: thanks for the explanation on the dmarc enforcement.. is it required on openstack-discuss too? | 16:55 |
| gouthamr | the mitigation you mentioned | 16:55 |
| fungi | on openstack-discuss we take a different approach: we turn off all mailman features that would modify the messages on the way through | 17:02 |
| fungi | so no list name prepended to subject lines, no footer with list information appended to the message body, no reply-to header altering to send replies to the list, et cetera | 17:03 |
| gouthamr | ah! | 17:04 |
| fungi | it works out well enough for a discussion list, and very few people have dkim signatures that don't validate on the resulting messages (we run into occasional issues where dkim is signing a header it really shouldn't or some weird encoding normalization breaks the hash for the message body) | 17:06 |
| fungi | but for announcement-style lists we can't really get away with not modifying the messages, so one of the other mitigations will make more sense i think | 17:07 |
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-021 (CVE-2026-pending) https://review.opendev.org/c/openstack/ossa/+/991514 | 22:19 |
| JayF | I want to reply to that email about the cloud provider running rocky or stein with just an email going AAAAAAAHHHHHHHHHHHHHHHHHHH | 22:51 |
| gouthamr | :( | 22:52 |
| fungi | accompanied by looping gif of kermit the frog flailing his muppet arms | 22:57 |
| JayF | I couldn't trust myself to reply in a manner which would come off productive, but someone should lol | 22:57 |
| gouthamr | don't think he's asking one of us though | 22:58 |
| gouthamr | operator needs a bar, and a friendly shoulder | 22:58 |
| fungi | or group therapy | 23:00 |
| fungi | some sort of coping mechanism anyway | 23:01 |
| JayF | or a strong enough statement from a trusted open source leader that they can use to justify the upgrade project their boss has been putting off for ages | 23:01 |
| fungi | "sorry mate, you're effed" | 23:02 |
| gouthamr | https://bugs.launchpad.net/ossn/+bug/2152109 is now public | 23:17 |