15:01:09 #startmeeting security
15:01:10 Meeting started Thu Sep 20 15:01:09 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:11 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:13 The meeting name has been set to 'security'
15:01:19 #chair lhinds
15:01:20 Current chairs: gagehugo lhinds
15:01:38 * fungi is around, but also in tc office hour
15:02:18 ping eeiden fungi gagehugo lhinds nickthetait browne redrobot
15:02:21 o/
15:02:31 #link https://etherpad.openstack.org/p/security-agenda
15:02:33 agenda
15:04:34 #topic OSSN/OSSA
15:05:56 There has been discussion about: https://bugs.launchpad.net/neutron/+bug/1461054
15:05:56 Launchpad bug 1461054 in neutron kilo "[OSSA 2015-012] Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent (CVE-2015-3221)" [Critical,Fix committed] - Assigned to Tristan Cacqueray (tristan-cacqueray)
15:06:13 yeah, i just switched that to public a couple hours ago
15:06:46 ah
15:06:52 consensus seems to be that documentation somewhere should mention this as a potential foot cannon
15:07:02 and probably also warrants an ossn
15:07:16 wait
15:07:23 #link https://bugs.launchpad.net/neutron/+bug/1793029
15:07:23 Launchpad bug 1793029 in OpenStack Security Notes "adding 0.0.0.0/0 address pair to a port bypasses all other vm security groups" [Undecided,New]
15:07:27 wrong bug :p
15:07:36 oh, yep!
15:07:50 * gagehugo grabbed a stray launchpad link in the thread
15:08:16 it had a very similar-looking title ;)
15:08:23 fooled me for a sec too
15:08:30 heh
15:08:57 other than that, I don't remember seeing anything else
15:09:08 that's the only new public one i'm aware of
15:09:51 there were some oslo library security fixes which i think may have been switched to public just before or during the ptg, but not for deliverables overseen by the vmt
15:10:28 in the future it might be nice to get more of oslo under vmt oversight
15:10:47 good point
15:11:09 do you know which ones are covered currently?
15:11:22 also a semi-vulnerability in openstackclient got posted recently i think (depending on how you use the --password option it may include the password string in its debug logs)
15:12:03 castellan and oslo.config
15:12:10 #link https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html#tag-vulnerability-managed
15:12:44 * gagehugo bookmarks
15:13:21 that's also linked from the vmt process document:
15:13:25 #link https://security.openstack.org/vmt-process.html#supported-versions
15:13:46 oslo.cache has a draft up to be covered
15:13:56 but it'd be nice to get the other ones too
15:15:25 #topic documentation
15:15:34 no updates here afaik
15:16:42 #topic vmt managed
15:16:52 oslo.cache draft is here: https://review.openstack.org/#/c/527202/
15:17:07 along with pycadf: https://review.openstack.org/#/c/529945/
15:17:19 and keystoneauth: https://review.openstack.org/#/c/526476/
15:17:54 #topic General Discussion
15:18:16 fungi: any other updates?
15:18:59 nope. did anyone have any highlights from the ptg?
15:19:14 i wasn't able to hang out in the security/barbican room any
15:19:37 I was in there on Tue, only session we had was a presentation about Unified Trust Management
15:19:50 https://etherpad.openstack.org/p/security-stein-ptg
15:19:54 is there a plan to get a summary posted to the -dev ml?
15:20:32 fungi: I will do that today or tomorrow
15:20:42 no rush, just curious. thanks!
15:21:01 * fungi has as a ptl sometimes taken nearly a momth to post ptg summaries, fwiw)
15:21:11 er, month
15:21:18 heh
15:21:27 well it will be a short summary
15:23:44 will give everyone a few mins extra back
15:23:47 fungi: thanks!
15:23:50 #endmeeting