| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Update OSSA-2026-016 with assigned CVE-2026-49299 https://review.opendev.org/c/openstack/ossa/+/990590 | 05:30 |
|---|---|---|
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Update OSSA-2026-016 with assigned CVE-2026-49299 https://review.opendev.org/c/openstack/ossa/+/990590 | 05:33 |
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Update OSSA-2026-016 with assigned CVE-2026-49299 https://review.opendev.org/c/openstack/ossa/+/990590 | 05:36 |
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: OSSA-2026-016: Errata 1 - add CVE https://review.opendev.org/c/openstack/ossa/+/990590 | 06:35 |
| tobias-urdin | anybody knows what has happend to the embargo notices? it seems very inconsistent right now, we get notices for ironic but not for keystone? | 07:16 |
| bbobrov | i got them all just fine | 11:50 |
| fungi | tobias-urdin: it's possible the senders for the ironic and keystone notices have different dmarc configurations and so when mailman modifies their messages it invalidates the dkim signature for one but not the other and your mta is treating some of them as suspicious? | 12:53 |
| fungi | if the deliveries are being rejected at rcpt time, i can probably find evidence of it in the mta log on the list server | 12:54 |
| fungi | or not, the pre-ossa for the keystone vulnerabilities went out on 2026-05-15 and we only retain 11-12 days of mta log history | 13:01 |
| fungi | but i suspect that's the cause, i've definitely seen some of them have invalid dkim signatures, so i will discuss with the rest of the vmt whether we should turn on some dmarc mitigation on that list's configuration | 13:02 |
| tobias-urdin | fungi: ack, i've asked internally to investigate if they can see anything in logs but it was unfortunate that we had to take action on a friday when embargo was released instead of a couple of days ahead of it going public :( | 13:55 |
| fungi | we don't generally publish advisories on fridays, but i guess you're referring to ossa-2026-015 for ironic that was published yesterday | 14:01 |
| fungi | oh, i guess those happened late enough in the day that they crossed the utc midnight threshold | 14:03 |
| fungi | normally we aim for 15:00 utc, and avoid mondays/fridays/weekends so that's not typical | 14:04 |
| -opendevstatus- NOTICE: Gerrit will be restarted to pick up a bugfix in the replication plugin. You may notice a short outage of a few minutes. | 15:33 | |
| JayF | tobias-urdin: fungi: For a data point, mine was sent from jvf.cc which is hosted on office365 | 16:29 |
| -opendevstatus- NOTICE: The Gerrit service on review.opendev.org will be offline again monentarily while we restart for a configuration adjustment, but should return to service within a few minutes | 19:10 | |
| gouthamr | https://bugs.launchpad.net/horizon/+bug/2152240 is now public | 21:35 |
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: OSSA-2026-014: Errata 1 https://review.opendev.org/c/openstack/ossa/+/990764 | 21:49 |
| opendevreview | Merged openstack/ossa master: OSSA-2026-016: Errata 1 - add CVE https://review.opendev.org/c/openstack/ossa/+/990590 | 22:03 |
| opendevreview | Merged openstack/ossa master: OSSA-2026-014: Errata 1 https://review.opendev.org/c/openstack/ossa/+/990764 | 22:03 |
| fungi | on that horizon bug, at a higher level it may be worth revisiting the "rc file" approach of encouraging users to download and run/source an arbitrary shell script, that's almost a security trope of its own these days. we've had clouds.yaml files for a decade or so now, and with the unified cli/sdk becoming ubiquitous it seems realistic to start phasing out rc files | 22:18 |
| fungi | i'll try to remember to bring that up at the next ptg | 22:18 |
| gouthamr | i agree | 22:18 |
Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!