| *** rosmaita1 is now known as rosmaita | 14:45 | |
| gouthamr | https://bugs.launchpad.net/nova/+bug/2158919 is now public | 17:29 |
|---|---|---|
| gouthamr | had a good chat with dansmith about the exploitability of this one ^ and vmt processes... my opinion was that this is exploitable if there was already another exploit in place (phishing).. and that exploit requires in my opinion some social engineering. So C1 seems like an appropriate classification. In general, with the barrage of vulnerability reports we're getting, handling some things in public is a choice we're making | 18:29 |
| gouthamr | C1 bugs may be serious vulnerabilities to some.. and you can convince me/the VMT to change up the classification. but if it remains C1, we won't ship an OSSA | 18:29 |
| dansmith | my opinion is that "can insert things into in-memory config on the server that affect other users in really any way, including exhaust memory" is "exploitable" enough to warrant the label :) | 18:30 |
| gouthamr | ack.. I'm in favor of writing more OSSNs, and this one warrants one.. quite happy to see your/nova team's response on getting this patched up quickly | 18:30 |
| dansmith | and given that CORS is in place to prevent phishing or XSS attacks, breaking CORS seems enough to stand on its own | 18:31 |
| dansmith | but the potentially more interesting part is that I think it was exploitable enough to get a patch written quickly, but not severe enough to warrant the whole embargo process (IMHO) | 18:31 |
| gouthamr | i think we're saying the same thing, differently. The config mutation and memory exhaustion are real, no argument. That's why this warrants a fix, backports, and an OSSN... | 18:35 |
| gouthamr | C1 doesn't mean "not important", it means "not a standalone vulnerability requiring an embargoed advisory." | 18:35 |
| dansmith | ack, I was just arguing (opining) over the exploitable-or-not part not the classification :) | 18:37 |
| gouthamr | we've had others treat our C1s seriously enough to get a CVE assigned.. so that might happen here. i'll accommodate that and work with you on the OSSN for this one.. | 18:38 |
| fungi | we (vmt members) also don't object to third parties assigning a cve identifier to any bug as long as its details are accurate | 22:25 |
Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!