| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-006 (CVE-2026-pending) https://review.opendev.org/c/openstack/ossa/+/982169 | 07:35 |
|---|---|---|
| gouthamr | this is ready for review, if you have bandwidth fungi JayF rosmaita tonyb prometheanfire ^ | 07:41 |
| rosmaita | ack | 12:03 |
| fungi | checking | 12:12 |
| rosmaita | gouthamr: left 2 suggestions for you on the review | 12:19 |
| fungi | i got sideswiped by more gitea overload, so dealing with that first | 12:37 |
| fungi | my main feedback so far is that there are a few unnecessary sentences in the description paragraph, and the notes are superfluous as well. the advisory description only needs to explain who discovered the vulnerability, what components are affected, the risks posed by not patching, and any mitigating factors in a deployment. additional details about the bug or patch can be | 12:42 |
| fungi | found in the linked bug, or can go into an accompanying ossn if they're important to summarize | 12:42 |
| fungi | i'll try to get something more thorough into a review comment when my hair's not on fire, but just remember to stick to important details and keep it short so people will read and not get lost in information they don't need in order to decide whether they should apply the patch | 12:44 |
| -opendevstatus- | NOTICE: Anubis is now deployed on our Gitea backends, and things are back to working normally though you may notice an Anubis screen flash briefly when starting to browse opendev.org; any jobs which failed prior to 15:00 UTC today can be safely rechecked | 15:35 |
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-006 (CVE-2026-pending) https://review.opendev.org/c/openstack/ossa/+/982169 | 20:44 |
| fungi | thanks! | 20:46 |
| gouthamr | i think even without the details, the OSSA reads well now | 20:47 |
| fungi | lgtm, i'll wait to approve until after zuul +1's it in case JayF, rosmaita, prometheanfire or tonyb are available to give it a look | 20:47 |
| gouthamr | so i don't think an OSSN is necessary.. i mean, a lot of the detail we removed was how the vulnerability could be exploited.. you can picture that as a consequence of XSS | 20:48 |
| prometheanfire | also +2 | 20:50 |
| fungi | right, i think most of the things you removed from the description were readily apparent from the bug comments and/or patch content, but also we're available to answer questions if anyone has some | 20:50 |
| rosmaita | lgtm also | 20:51 |
| fungi | and zuul came back +1 so i've approved it now. lots of consensus | 20:52 |
| fungi | thanks gouthamr! | 20:52 |
| opendevreview | Merged openstack/ossa master: Add OSSA-2026-006 (CVE-2026-pending) https://review.opendev.org/c/openstack/ossa/+/982169 | 20:55 |
| fungi | gouthamr: https://security.openstack.org/ossa/OSSA-2026-006.html is up now, and you can cut-n-paste https://security.openstack.org/_sources/ossa/OSSA-2026-006.rst into e-mails to openstack lists and oss-security. i'm available to approve through openstack-announce moderation. don't forget to notify mitre | 21:00 |
| gouthamr | \o/ you took a question out of my head | 21:01 |
| fungi | only one? you're doing great in that case | 21:02 |
| fungi | remember the template for e-mail subjects and list of ml addresses is at the bottom of https://security.openstack.org/vmt-process.html#openstack-security-advisories-ossa | 21:03 |
| JayF | tossed a late +2 on that, thanks | 21:06 |
| gouthamr | ++ ty sent to three lists now | 21:10 |
| gouthamr | filing mitre update, hopefully they get back to me soon-ish | 21:11 |
| gouthamr | and will post an update on the launchpad and keep the OSSA in-progress for the errata? | 21:11 |
| fungi | accepted through the announce moderation queue | 21:12 |
| fungi | the gerrit hook likely closed the ossa bugtask since you included a closes-bug trailer in the ossa change. it's up to you if you want to reopen it for the errata, not strictly necessary | 21:13 |
| gouthamr | ah, no problem, i will track this regardless | 21:18 |
| fungi | i basically just go to sleep on it until mitre wakes me up with a cve assignment and then handle it then, and otherwise hope that i'll remember at some point to follow up if that still hasn't happened | 21:20 |
| gouthamr | :D these problems are very new i hope | 21:20 |
| fungi | but also worst case some good samaritan happens by to point out to us that we have a historical ossa still missing a cve | 21:20 |
Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!