Thursday, 2021-08-05

gagehugo#startmeeting security15:01
opendevmeetMeeting started Thu Aug  5 15:01:54 2021 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.15:01
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:01
opendevmeetThe meeting name has been set to 'security'15:01
fungiahoy!15:03
gagehugoo/15:03
gagehugo#link https://etherpad.opendev.org/p/security-agenda agenda15:04
gagehugoNothing really on the agenda15:04
gagehugo#topic open discussion15:04
gagehugoI need to update the irc meeting references still15:04
fungiyeah, i'm hoping to start on that keystone ossa today15:05
fungithe pci-dss account oracle one15:05
gagehugoyup15:05
gagehugoping me when you get it up and I'll review it15:06
fungido you generally agree with the direction i was going with my last comment on that one?15:06
gagehugoI think so, lemme double check15:06
fungi(not including account lockout as an actual bug)15:06
gagehugook yeah15:07
gagehugothe lockout part is not the bug focus15:07
gagehugomore on the oracle15:07
fungiokay, cool. i'll focus on the other two points with the impact description15:08
fungi#link https://launchpad.net/bugs/1688137 PCI-DSS account lock out DoS and account UUID lookup oracle15:09
fungiso i'll retitle the bug and leave the "account lock out DoS" part out of the impact description15:10
gagehugosounds good15:11
gagehugooh15:13
gagehugoI'll reserve a timeslot for the PTG as well15:13
gagehugohopefully it's not too late15:16
fungii'm sure they'll be able to squeeze us in, thanks15:17
fungiand sorry i'm so quiet, trying to do three meetings at once again15:18
gagehugoI am double booked right now too, no worries haha15:18
fungii'll try to get another set of reminders out to the ml about unresolved public vulnerability reports next week, time permitting15:19
fungithough our list is pretty small now, and there's a couple more about the incomplete rbac situation i plan on marking won't fix for advisory tasks15:19
gagehugohmm ok15:20
gagehugoI need to hop on another call, thanks as always fungi15:20
gagehugo#endmeeting15:20
opendevmeetMeeting ended Thu Aug  5 15:20:51 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:20
opendevmeetMinutes:        https://meetings.opendev.org/meetings/security/2021/security.2021-08-05-15.01.html15:20
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/security/2021/security.2021-08-05-15.01.txt15:20
opendevmeetLog:            https://meetings.opendev.org/meetings/security/2021/security.2021-08-05-15.01.log.html15:20
fungithanks gagehugo!15:21
fungii probably should have mentioned during the meeting that we published our first two advisories of the year last month:15:26
fungihttps://security.openstack.org/ossa/OSSA-2021-001.html Anti-spoofing bypass for Open vSwitch networks15:27
fungihttps://security.openstack.org/ossa/OSSA-2021-002.html Open Redirect in noVNC proxy15:27
opendevreviewJeremy Stanley proposed openstack/ossa master: Add OSSA-2021-002 (TBD)  https://review.opendev.org/c/openstack/ossa/+/80364018:28
fungigagehugo: ^ one thing i'm unclear on is whether there are ways to have a login attempt raise AccountLocked without setting lockout_failure_attempts in the config18:29
fungii assumed there are other ways an account might be locked (for example, manually by an admin?), but if lockout_failure_attempts is really the only way to do that then we can change the last sentence of the description to indicate that's a mitigating factor18:30
fungiassuming the description looks sane, i'll request a cve from mitre for that18:30
fungiunrelated, i've closed our advisory bugtasks as "won't fix" on the following public reports:18:37
fungihttps://launchpad.net/bugs/1784259 Neutron RBAC not working for multiple extensions18:37
fungihttps://launchpad.net/bugs/1933269 Project admin gets treated as Global Admin with Secure RBAC18:38
gagehugoIll look once I get home18:46
fungithanks! the sooner i know one way or the other, the sooner i can get the cve request going for that one18:47
fungibut no rush, i can always rejigger the publication date. this bug was opened more than four years ago, a few more days won't make a difference18:48
gagehugoI don't think AccountLocked can be raised if that setting is not set19:16
gagehugoI know it doesn't get raised with an LDAP backend19:16
gagehugojust local users19:16
gagehugoI am also pretty sure an admin can't "lock" a user, they can disable a user though but that is different19:17

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!