15:01:15 #startmeeting security
15:01:16 Meeting started Thu Oct 17 15:01:15 2019 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:17 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:20 The meeting name has been set to 'security'
15:01:39 #link https://etherpad.openstack.org/p/security-agenda agenda
15:01:50 greetings
15:03:52 light agenda today
15:05:00 i've been wrapped up in other things this past week, so not sure what there is to discuss
15:05:19 same
15:05:25 though we skipped last week
15:05:53 a busy october unfortunately
15:06:13 so we could talk about the octavia ossa
15:06:47 that was week before last
15:06:55 sure
15:07:03 #link https://security.openstack.org/ossa/OSSA-2019-005.html OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate
15:07:12 i thought this was actually a really cool first
15:07:44 yeah, the team there managed the process themselves for the most part
15:07:49 the octavia team followed the openstack vmt's process themselves, since that deliverable doesn't have a vulnerability:managed governance tag
15:08:21 so, yeah, the vmt just reviewed the ossa, octavia took care of the rest
15:08:36 it can't have been easy, so big kudos to them
15:08:56 fungi: I'll pass it on! Very cool.
15:09:12 * njohnston works closely with those folks
15:09:19 o/
15:09:25 also i think it's our first ossa to link a story in storyboard instead of a bug in launchpad
15:10:24 \o/
15:11:37 in more general news, there's quite a few patches proposed/merged/released for security hardening opportunities this month:
15:11:44 #link http://lists.openstack.org/pipermail/openstack-security/2019-October/thread.html
15:12:06 not sure if anyone has any in particular they want to call out
15:13:21 #link https://launchpad.net/bugs/1842749 CSV Injection Possible in Compute Usage History
15:13:21 Launchpad bug 1842749 in OpenStack Dashboard (Horizon) "CSV Injection Possible in Compute Usage History" [High,Fix released] - Assigned to Adam Harwell (adam-harwell)
15:14:02 that one was determined to be a security hardening opportunity 5 days ago, and the fix for it merged to master a few days later
15:15:08 * gagehugo will take a look
15:15:46 oh that's the windows one
15:16:11 yeah, i thought that was a rather obscure report, but nice to see folks thinking creatively about attack vectors
15:18:39 yeah, it's valid
15:21:28 what with everyone focused on train release prep the past few weeks, i expect there's just not much for us to talk about today
15:21:32 anything else for this week?
15:21:37 probbaly
15:21:41 probably*
15:21:59 We can go ahead and cancel the meeting during the summit as well
15:22:57 that's likely for the best.
thursday the 7th
15:23:11 of november
15:23:40 i also doubt i'll be around for the meeting thursday october 31st as i'll be on my way to catch a flight to shanghai
15:24:11 technically the one on november 7 is during the ptg not the summit, but close enough
15:24:17 yeah
15:24:37 I'll also be out the 21st of Nov
15:24:51 it's getting to be that time of year
15:25:07 yup
15:25:18 winter is coming
15:25:27 so anyway, plan to meet next week as usual, i'll miss the week after that, and then the following week is summit/ptg
15:25:51 sounds good
15:26:26 anything else? floor is open
15:28:54 thanks everyone, have a good rest of the week!
15:28:57 #endmeeting