15:01:54 <gagehugo> #startmeeting security 15:01:55 <openstack> Meeting started Thu Dec 20 15:01:54 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:01:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:01:58 <openstack> The meeting name has been set to 'security' 15:02:35 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda 15:03:04 <gagehugo> ping eeiden fungi gagehugo lhinds nickthetait browne redrobot 15:03:19 <redrobot> 🙋🏽♂️ 15:04:20 <fungi> ohai 15:04:58 <gagehugo> o/ 15:05:37 <gagehugo> probably will be a quick meeting 15:06:34 <gagehugo> redrobot fungi: any updates? 15:06:50 <gagehugo> I was going to cancel the meeting for next week 15:06:55 <gagehugo> and potentially the week after 15:07:05 <fungi> there's been a cve assigned for that keystone security hardening opportunity 15:07:18 <gagehugo> fungi: yes 15:07:27 <fungi> #link https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20170 15:07:48 <gagehugo> we discussed potential changes to make on Monday 15:07:51 <gagehugo> lemme grab a link 15:08:11 <fungi> i disagree with the dispute detail in there, but it was filed by the bug reporter since the vmt doesn't acquire cve assignments for things it doesn't have immediate plans to issue an ossa for 15:08:40 <fungi> i've left some follow-up comments in the bug report to that effect 15:08:44 <gagehugo> yeah 15:09:00 <fungi> #link https://launchpad.net/bugs/1795800 Timing oracle in core auth plugin simplifies brute-forcing usernames 15:09:02 <openstack> Launchpad bug 1795800 in OpenStack Identity (keystone) "Timing oracle in core auth plugin simplifies brute-forcing usernames" [Wishlist,In progress] - Assigned to Gage Hugo (gagehugo) 15:09:28 <gagehugo> fungi: http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-12-17.log.html#t2018-12-17T20:03:41 15:09:34 <gagehugo> #link http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-12-17.log.html#t2018-12-17T20:03:41 15:09:55 <redrobot> Only update from me is we've been working on adding Barbican + HSM support to TripleO 15:10:13 <fungi> nice! 15:10:23 <redrobot> #link https://review.openstack.org/#/q/topic:add_hsm_parameters 15:10:52 <gagehugo> tl;dr I think the general consensus is to explore a flask hook to make the timings more similar between immediately spitting back an unauthorized vs valid username 15:11:13 <fungi> redrobot: is that focused on the operations end, or for providing access to hsms from guest instances? 15:11:47 <redrobot> fungi, focused on adding support for deploying Barbican on the Overcloud with an HSM as the backend. 15:11:59 <fungi> ahh 15:12:08 <fungi> i know some in the cyborg team expressed an interest in being able to schedule hsm hardware passed through to guests, but that's a whole different can of worms 15:12:13 <gagehugo> interesting 15:18:00 <gagehugo> redrobot fungi: you both ok with canceling the next two weeks meetings? 15:18:17 <redrobot> gagehugo, works for me. 15:18:22 <gagehugo> and picking back up on the 10th 15:19:08 <fungi> yeah, that seems reasonable 15:19:29 <fungi> i'll be around on the 27th and 3rd but i don't see much point in meeting if nobody else will be 15:21:17 <gagehugo> ok 15:22:02 <gagehugo> I should be around on the 3rd, but I figured there (likely) wouldn't be much going on 15:22:28 <gagehugo> fungi redrobot: thanks for coming! have a happy holidays and happy new year! 15:22:48 <redrobot> gagehugo, thank you! same to you! :D 15:22:58 <gagehugo> :D 15:23:02 <gagehugo> #endmeeting