15:01:15 <gagehugo> #startmeeting security
15:01:16 <openstack> Meeting started Thu Oct 17 15:01:15 2019 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:17 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:20 <openstack> The meeting name has been set to 'security'
15:01:39 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:01:50 <fungi> greetings
15:03:52 <gagehugo> light agenda today
15:05:00 <fungi> i've been wrapped up in other things this past week, so not sure what there is to discuss
15:05:19 <gagehugo> same
15:05:25 <fungi> though we skipped last week
15:05:53 <gagehugo> a busy october unfortunately
15:06:13 <fungi> so we could talk about the octavia ossa
15:06:47 <fungi> that was week before last
15:06:55 <gagehugo> sure
15:07:03 <fungi> #link https://security.openstack.org/ossa/OSSA-2019-005.html OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate
15:07:12 <fungi> i thought this was actually a really cool first
15:07:44 <gagehugo> yeah, the team there managed the process themselves for the most part
15:07:49 <fungi> the octavia team followed the openstack vmt's process themselves, since that deliverable doesn't have a vulnerability:managed governance tag
15:08:21 <fungi> so, yeah, the vmt just reviewed the ossa, octavia took care of the rest
15:08:36 <fungi> it can't have been easy, so big kudos to them
15:08:56 <njohnston> fungi: I'll pass it on! Very cool.
15:09:12 * njohnston works closely with those folks
15:09:19 <johnsom> o/
15:09:25 <fungi> also i think it's our first ossa to link a story in storyboard instead of a bug in launchpad
15:10:24 <gagehugo> \o/
15:11:37 <fungi> in more general news, there's quite a few patches proposed/merged/released for security hardening opportunities this month:
15:11:44 <fungi> #link http://lists.openstack.org/pipermail/openstack-security/2019-October/thread.html
15:12:06 <fungi> not sure if anyone has any in particular they want to call out
15:13:21 <fungi> #link https://launchpad.net/bugs/1842749 CSV Injection Possible in Compute Usage History
15:13:21 <openstack> Launchpad bug 1842749 in OpenStack Dashboard (Horizon) "CSV Injection Possible in Compute Usage History" [High,Fix released] - Assigned to Adam Harwell (adam-harwell)
15:14:02 <fungi> that one was determined to be a security hardening opportunity 5 days ago, and the fix for it merged to master a few days later
15:15:08 * gagehugo will take a look
15:15:46 <gagehugo> oh that's the windows one
15:16:11 <fungi> yeah, i thought that was a rather obscure report, but nice to see folks thinking creatively about attack vectors
15:18:39 <gagehugo> yeah, it's valid
15:21:28 <fungi> what with everyone focused on train release prep the past few weeks, i expect there's just not much for us to talk about today
15:21:32 <gagehugo> anything else for this week?
15:21:37 <gagehugo> probbaly
15:21:41 <gagehugo> probably*
15:21:59 <gagehugo> We can go ahead and cancel the meeting during the summit as well
15:22:57 <fungi> that's likely for the best.
thursday the 7th
15:23:11 <fungi> of november
15:23:40 <fungi> i also doubt i'll be around for the meeting thursday october 31st as i'll be on my way to catch a flight to shanghai
15:24:11 <fungi> technically the one on november 7 is during the ptg not the summit, but close enough
15:24:17 <gagehugo> yeah
15:24:37 <gagehugo> I'll also be out the 21st of Nov
15:24:51 <fungi> it's getting to be that time of year
15:25:07 <gagehugo> yup
15:25:18 <gagehugo> winter is coming
15:25:27 <fungi> so anyway, plan to meet next week as usual, i'll miss the week after that, and then the following week is summit/ptg
15:25:51 <gagehugo> sounds good
15:26:26 <gagehugo> anything else? floor is open
15:28:54 <gagehugo> thanks everyone, have a good rest of the week!
15:28:57 <gagehugo> #endmeeting