15:01:09 <gagehugo> #startmeeting security
15:01:10 <openstack> Meeting started Thu Sep 20 15:01:09 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:11 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:13 <openstack> The meeting name has been set to 'security'
15:01:19 <gagehugo> #chair lhinds
15:01:20 <openstack> Current chairs: gagehugo lhinds
15:01:38 * fungi is around, but also in tc office hour
15:02:18 <gagehugo> ping eeiden fungi gagehugo lhinds nickthetait browne redrobot
15:02:21 <gagehugo> o/
15:02:31 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda
15:02:33 <gagehugo> agenda
15:04:34 <gagehugo> #topic OSSN/OSSA
15:05:56 <gagehugo> There has been discussion about: https://bugs.launchpad.net/neutron/+bug/1461054
15:05:56 <openstack> Launchpad bug 1461054 in neutron kilo "[OSSA 2015-012] Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent (CVE-2015-3221)" [Critical,Fix committed] - Assigned to Tristan Cacqueray (tristan-cacqueray)
15:06:13 <fungi> yeah, i just switched that to public a couple hours ago
15:06:46 <gagehugo> ah
15:06:52 <fungi> consensus seems to be that documentation somewhere should mention this as a potential foot cannon
15:07:02 <fungi> and probably also warrants an ossn
15:07:16 <gagehugo> wait
15:07:23 <gagehugo> #link https://bugs.launchpad.net/neutron/+bug/1793029
15:07:23 <openstack> Launchpad bug 1793029 in OpenStack Security Notes "adding 0.0.0.0/0 address pair to a port bypasses all other vm security groups" [Undecided,New]
15:07:27 <gagehugo> wrong bug :p
15:07:36 <fungi> oh, yep!
15:07:50 * gagehugo grabbed a stray launchpad link in the thread
15:08:16 <fungi> it had a very similar-looking title ;)
15:08:23 <fungi> fooled me for a sec too
15:08:30 <gagehugo> heh
15:08:57 <gagehugo> other than that, I don't remember seeing anything else
15:09:08 <fungi> that's the only new public one i'm aware of
15:09:51 <fungi> there were some oslo library security fixes which i think may have been switched to public just before or during the ptg, but not for deliverables overseen by the vmt
15:10:28 <fungi> in the future it might be nice to get more of oslo under vmt oversight
15:10:47 <gagehugo> good point
15:11:09 <gagehugo> do you know which ones are covered currently?
15:11:22 <fungi> also a semi-vulnerability in openstackclient got posted recently i think (depending on how you use the --password option it may include the password string in its debug logs)
15:12:03 <fungi> castellan and oslo.config
15:12:10 <fungi> #link https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html#tag-vulnerability-managed
15:12:44 * gagehugo bookmarks
15:13:21 <fungi> that's also linked from the vmt process document:
15:13:25 <fungi> #link https://security.openstack.org/vmt-process.html#supported-versions
15:13:46 <gagehugo> oslo.cache has a draft up to be covered
15:13:56 <gagehugo> but it'd be nice to get the other ones too
15:15:25 <gagehugo> #topic documentation
15:15:34 <gagehugo> no updates here afaik
15:16:42 <gagehugo> #topic vmt managed
15:16:52 <gagehugo> oslo.cache draft is here: https://review.openstack.org/#/c/527202/
15:17:07 <gagehugo> along with pycadf: https://review.openstack.org/#/c/529945/
15:17:19 <gagehugo> and keystoneauth: https://review.openstack.org/#/c/526476/
15:17:54 <gagehugo> #topic General Discussion
15:18:16 <gagehugo> fungi: any other updates?
15:18:59 <fungi> nope. did anyone have any highlights from the ptg?
15:19:14 <fungi> i wasn't able to hang out in the security/barbican room any
15:19:37 <gagehugo> I was in there on Tue, only session we had was a presentation about Unified Trust Management
15:19:50 <gagehugo> https://etherpad.openstack.org/p/security-stein-ptg
15:19:54 <fungi> is there a plan to get a summary posted to the -dev ml?
15:20:32 <gagehugo> fungi: I will do that today or tomorrow
15:20:42 <fungi> no rush, just curious. thanks!
15:21:01 * fungi has as a ptl sometimes taken nearly a momth to post ptg summaries, fwiw
15:21:11 <fungi> er, month
15:21:18 <gagehugo> heh
15:21:27 <gagehugo> well it will be a short summary
15:23:44 <gagehugo> will give everyone a few mins extra back
15:23:47 <gagehugo> fungi: thanks!
15:23:50 <gagehugo> #endmeeting