| gouthamr | https://bugs.launchpad.net/glance/+bug/2152110 is now public | 05:15 |
|---|---|---|
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-022 (CVE-2026-46448) https://review.opendev.org/c/openstack/ossa/+/993606 | 14:11 |
| gouthamr | https://bugs.launchpad.net/nova/+bug/2151252 is now public | 14:12 |
| zigo | Thanks, pushing fixes to osbpo.debian.net | 14:19 |
| gouthamr | zigo++ | 14:19 |
| opendevreview | Jay Faulkner proposed openstack/ossa master: [OSSA-2026-024]: IPA Binary Command Injection (CVE-2026-43003) https://review.opendev.org/c/openstack/ossa/+/986850 | 14:29 |
| opendevreview | Jay Faulkner proposed openstack/ossa master: [OSSA-2026-023] Ironic: Volume props unredacted (CVE-2026-54421) https://review.opendev.org/c/openstack/ossa/+/993465 | 14:29 |
| opendevreview | Jay Faulkner proposed openstack/ossa master: [OSSA-2026-023] Ironic: Volume props unredacted (CVE-2026-54421) https://review.opendev.org/c/openstack/ossa/+/993465 | 14:40 |
| opendevreview | Jay Faulkner proposed openstack/ossa master: [OSSA-2026-024]: IPA Binary Command Injection (CVE-2026-43003) https://review.opendev.org/c/openstack/ossa/+/986850 | 14:40 |
| fungi | gouthamr: since we've got a backlog for test resources in zuul (there were problems with ovh regions over the past day), i went ahead and confirmed the docs build for 993606 locally and then manually enqueued it into the gate pipeline to get things moving sooner | 14:43 |
| gouthamr | thought that was you | 14:43 |
| gouthamr | i was staring at the zuul console :) ty fungi | 14:44 |
| gouthamr | i have a local render copied, will send the email as soon as this merges | 14:44 |
| fungi | sounds great, thanks! | 14:44 |
| fungi | rax-dfw is finally building the node for the request | 14:55 |
| fungi | oh, actually zuul moved the request to raxflex-dfw3 after giving up waiting on rax-dfw | 14:55 |
| fungi | yay! running | 14:56 |
| gouthamr | \o/ | 14:57 |
| opendevreview | Merged openstack/ossa master: Add OSSA-2026-022 (CVE-2026-46448) https://review.opendev.org/c/openstack/ossa/+/993606 | 14:58 |
| * gouthamr sends emails | 14:58 | |
| fungi | approved the openstack-announce copy now | 14:59 |
| gouthamr | thanks fungi! | 14:59 |
| sean-k-mooney | so https://bugs.launchpad.net/nova/+bug/2151252 is now public, but i note that while it was embargoed the PoC was publicly available on https://gist.github.com/ so does that mean the embargo was breached by the very fact this was posted to an external tool/tracker outside of launchpad? | 18:24 |
| sean-k-mooney | yes, you needed to know the exact url because it was marked as secret | 18:25 |
| sean-k-mooney | but under our vmt process my understanding is we should not have any external docs or trackers, even if they are private via obscurity like that | 18:25 |
| fungi | we should avoid doing things like that, yes, but the vmt makes pragmatic determinations on a case-by-case basis | 18:27 |
| fungi | if it's unlikely that someone could come across the url anywhere or find it through simple scanning/crawling, then we tend to act as if it's effectively still private | 18:28 |
| fungi | but we'd prefer not to have to do that at all, of course | 18:29 |
| sean-k-mooney | ya, it's security through obscurity; at least the random assignment looks like it's maybe a uuid without the - | 18:30 |
| sean-k-mooney | so it's not easily guessable | 18:30 |
| fungi | so in summary, don't do that, but if it happens anyway we have a hard decision to make and it's not necessarily assumed that the embargo is officially broken and ended | 18:33 |
| sean-k-mooney | well, it might be better to move the artifact, if it can be removed, to an attachment and update the description | 18:34 |
| sean-k-mooney | but ya, i'll just review the backport | 18:34 |
| sean-k-mooney | with that said, we need to get better at making sure we don't skip release notes with security fixes... | 18:35 |
| fungi | the vmt doesn't have any policy mandating it (we don't really have that level of control over project maintainer decisions to begin with), but yes better consistency around that is always helpful to operators/users | 18:35 |
| sean-k-mooney | right, but we would normally expect one at the project level | 18:36 |
| sean-k-mooney | if this wasn't a security backport i would ask for it to be added to follow our normal process | 18:36 |
| fungi | we could add it as guidance in https://security.openstack.org/#security-information-for-openstack-developers | 18:36 |
| fungi | either in the "How to propose and review a security patch" section or "Secure development guidelines" or maybe some new section entirely | 18:37 |
| sean-k-mooney | https://github.com/openstack/reno/blob/master/reno/defaults.py#L58-L71 | 18:38 |
| sean-k-mooney | we have a critical/security section in the default reno template | 18:38 |
| sean-k-mooney | precisely for this type of bug | 18:38 |
| sean-k-mooney | it's more important to fix the issue | 18:39 |
| sean-k-mooney | but it's very little additional work to also document it so operators can know what is included in a given release | 18:39 |
| opendevreview | Jeremy Stanley proposed openstack/ossa master: Retitle and clarify embargoed patch guidelines https://review.opendev.org/c/openstack/ossa/+/993654 | 18:47 |
| JayF | Can I get reviews on https://review.opendev.org/c/openstack/ossa/+/993465 ? I can get OSSA-2026-023 out once it lands | 19:33 |
| JayF | I'll note -024 is changing to an OSSN, so I abandoned that PR | 19:33 |
| JayF | fungi: ^ /me playing channel-hopscotch :D | 19:35 |
| * gouthamr looks | 19:35 | |
| gouthamr | is this for tomorrow? | 19:36 |
| JayF | for right-now if you approve it | 19:37 |
| JayF | :) | 19:37 |
| gouthamr | oh, fix date then :) | 19:37 |
| fungi | looking | 19:37 |
| opendevreview | Jay Faulkner proposed openstack/ossa master: [OSSA-2026-023] Ironic: Volume props unredacted (CVE-2026-54421) https://review.opendev.org/c/openstack/ossa/+/993465 | 19:38 |
| fungi | i'm good with getting it out today, reviewing now | 19:38 |
| opendevreview | Jay Faulkner proposed openstack/security-doc master: [OSSN-0100] IPA Command Injection (CVE-2026-43003) https://review.opendev.org/c/openstack/security-doc/+/993668 | 19:39 |
| fungi | and then i'll review the ossn next | 19:39 |
| JayF | OSSN is getting W-1 from me, I'm still waiting on some of the backports to get posted | 19:40 |
| gouthamr | posted some comments JayF | 19:42 |
| JayF | gouthamr: I avoid use of the term "master" when possible in technical contexts in lieu of more inclusive language, like "development". It also mirrors our release language. | 19:43 |
| fungi | as did i | 19:44 |
| gouthamr | ack | 19:44 |
| opendevreview | Jay Faulkner proposed openstack/ossa master: [OSSA-2026-023] Ironic: Volume props unredacted (CVE-2026-54421) https://review.opendev.org/c/openstack/ossa/+/993465 | 19:46 |
| JayF | gouthamr: fungi: Comments addressed, except the one noted above and the nitpick about short form urls | 19:48 |
| gouthamr | ty JayF | 19:48 |
| fungi | thanks! i haven't tested the urls yet to make sure they go to the right changes, but will do that momentarily | 19:49 |
| * gouthamr loves hashtags and started putting the CVE as one to link everything.. | 19:52 | |
| fungi | convenient! | 19:52 |
| JayF | I am too busy with these things to provide bells and whistles :) | 19:52 |
| JayF | although I encourage the folks writing the fixes to do that | 19:52 |
| gouthamr | :P let me, i've the OCD | 19:52 |
| JayF | running OSS*s basically run my executive function to zero | 19:53 |
| JayF | and that would be pulling more from that pool | 19:53 |
| opendevreview | Merged openstack/ossa master: [OSSA-2026-023] Ironic: Volume props unredacted (CVE-2026-54421) https://review.opendev.org/c/openstack/ossa/+/993465 | 19:59 |
| fungi | JayF: announce at will | 20:00 |
| fungi | it's also live on the security site as of ~20.05 utc | 20:07 |
| fungi | approved through the openstack-announce moderator queue just now too | 20:08 |
| JayF | thank you | 20:09 |
| JayF | hopefully OSSN-0100 can get out today as well, Clif is working on the backports | 20:09 |
| fungi | my availability will be spotty coming up while i cook/eat dinner, but i'll try to be around to review and approve that as well | 20:10 |
| JayF | I'll poke gouthamr for reviews, he's in my TZ | 20:11 |
| fungi | that'll likely be more timely but i'm still happy to serve as a less responsive fallback option this evening just in case | 20:12 |
| JayF | I'll say this as clearly as possible: I never ever want your attention or code review on something not-urgent outside of your normal working hours and/or when you are at dinner/family/whatever-else-not-work time :D | 20:13 |
| JayF | If we can't take a whole month off like Curl, we sure as hell can take 16 hours off a day :) | 20:14 |
| opendevreview | Jay Faulkner proposed openstack/security-doc master: [OSSN-0100] IPA Command Injection (CVE-2026-43003) https://review.opendev.org/c/openstack/security-doc/+/993668 | 20:21 |
| gouthamr | ++ what he said | 20:21 |
| fungi | appreciated! though i'm also around odd hours and take breaks, so i don't feel bad keeping an eye on things sometimes anyway | 20:27 |
| fungi | but yes, the curl summer sure is tempting | 20:27 |
| * fungi makes terrible bananarama/karate kid reference | 20:28 | |
| opendevreview | Jay Faulkner proposed openstack/security-doc master: [OSSN-0100] IPA Command Injection (CVE-2026-43003) https://review.opendev.org/c/openstack/security-doc/+/993668 | 20:32 |
| JayF | gouthamr: ^ that should be the final edition | 20:32 |
| gouthamr | ah | 20:32 |
| gouthamr | i was just reviewing that | 20:32 |
| gouthamr | can you look at my comments on the prior PS, still a concern | 20:33 |
| opendevreview | Jay Faulkner proposed openstack/security-doc master: [OSSN-0100] IPA Command Injection (CVE-2026-43003) https://review.opendev.org/c/openstack/security-doc/+/993668 | 20:33 |
| opendevreview | Jay Faulkner proposed openstack/security-doc master: [OSSN-0100] IPA Command Injection (CVE-2026-43003) https://review.opendev.org/c/openstack/security-doc/+/993668 | 20:35 |
| JayF | gouthamr: ^ okay, nice catch | 20:35 |
| opendevreview | Jay Faulkner proposed openstack/security-doc master: [OSSN-0100] IPA Command Injection (CVE-2026-43003) https://review.opendev.org/c/openstack/security-doc/+/993668 | 20:36 |
| JayF | (just removed another trailing space :C) | 20:36 |
| gouthamr | good stuff | 20:37 |
| fungi | so ironic 37.0.0 included the patch? | 20:37 |
| JayF | yes it did | 20:37 |
| JayF | Clif found it, when I couldn't, when he tried to backport it | 20:38 |
| JayF | so ironic and ipa latest bugfix branches have the fix already | 20:38 |
| fungi | got it | 20:39 |
| gouthamr | lgtm | 20:39 |
| fungi | lgtm, but holding in case ironic reviewers want to do a last pass | 20:39 |
| JayF | Land it, clif looked at it and Julia's plate is super full | 20:40 |
| JayF | get'r'done | 20:40 |
| * gouthamr celebrates one hundred security notes | 20:40 | |
| JayF | gouthamr: https://www.youtube.com/watch?v=CQeezCdF4mk | 20:41 |
| fungi | approved in that case | 20:41 |
| gouthamr | :P | 20:41 |
| JayF | Is there a trick for the conversion to wiki format? | 20:42 |
| JayF | Or is it just manual? I did it by hand in -0099 | 20:42 |
| gouthamr | we can script this; i did this manually too.. basically "#" becomes "=" for mediawiki.. | 20:43 |
| fungi | i think we've often done it the other way around, just copy the wiki markup view directly into the file in the security-doc repo | 20:43 |
| JayF | Yeah, I am always going git first :) | 20:44 |
| JayF | sounds like # -> = and fixing up the lists by hand is all that's needed, that's all I did in the past | 20:44 |
| JayF | https://wiki.openstack.org/wiki/OSSN/OSSN-0100 published | 20:45 |
| * JayF fixing footer layout | 20:45 | |
| gouthamr | ++ | 20:45 |
| opendevreview | Merged openstack/security-doc master: [OSSN-0100] IPA Command Injection (CVE-2026-43003) https://review.opendev.org/c/openstack/security-doc/+/993668 | 20:53 |
| gouthamr | would anyone complain if we wrote OSSNs in rst, like OSSAs? | 20:54 |
| gouthamr | pseudo markdown is painful to read :P | 20:54 |
| JayF | sarhiri is working on a change right now (while also onboarding generally to GR-OSS) to make OSSN/security-notes behave more similarly to OSSAs | 20:54 |
| gouthamr | w00t, you found someone! | 20:55 |
| fungi | gouthamr: more preferably yaml, but yes just like ossas | 20:55 |
| gouthamr | ++ yes | 20:56 |
| JayF | yeah, she's a full timer at GR-OSS working on developer relations, and stuff like the security-note migration is in scope for the work | 20:56 |
| JayF | (and getting more listeners to my podcast :D) | 20:56 |
| gouthamr | that's great! | 20:56 |
| JayF | some tasks are more achievable than others lol | 20:56 |
| fungi | (yaml with the possibility for embedded rst, which is then converted to an rst doc on the fly) | 20:56 |
| JayF | my instruction to sarhiri was more or less "make it like OSSA" | 20:57 |
| JayF | with the note that almost anything in a docs build would be better than what we have now lol | 20:57 |
| fungi | yes, precisely. thanks for finding someone! | 20:57 |
Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!