15:00:12 <gagehugo> #startmeeting security
15:00:13 <openstack> Meeting started Thu Jan 16 15:00:12 2020 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:15 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:17 <openstack> The meeting name has been set to 'security'
15:00:21 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:01:12 <fungi> aloha
15:01:13 <gagehugo> o/
15:03:09 <gagehugo> #topic open discussion
15:03:38 <gagehugo> I've not had much upstream time this week unfortunately, so I don't really have much
15:03:49 <gagehugo> fungi: anything new on your end?
15:04:39 <gagehugo> I did see the vmt process change got some more rc votes
15:05:11 <fungi> yeah, it's getting close but hasn't merged yet so i haven't activated my followup todo list tasks for that
15:06:01 <fungi> nothing especially exciting that i can recall. i think there's one public (nova?) vulnerability report which might be close to getting fixed in supported stable branches
15:06:20 <gagehugo> do you have a link handy for that?
15:06:35 <fungi> #link https://launchpad.net/bugs/1492140 consoleauth token displayed in log file
15:06:35 <openstack> Launchpad bug 1492140 in OpenStack Security Advisory "consoleauth token displayed in log file" [Undecided,Triaged] - Assigned to Tristan Cacqueray (tristan-cacqueray)
15:06:38 <gagehugo> danke
15:07:21 <fungi> looks like a fix merged to stable-train a month ago and then a stable/stein fix was put up for review earlier this week
15:08:23 <gagehugo> cool
15:12:59 <gagehugo> I was sent a barbican bug that was created from their architecture review when they applied for vmt coverage
15:13:09 <gagehugo> I'll try to find that link
15:13:25 <redrobot> 👀👀👀
15:13:41 <gagehugo> not sure why it wasn't marked as a security bug
15:13:45 <gagehugo> redrobot: o/
15:14:01 <redrobot> gagehugo, 👋
15:14:30 <gagehugo> I assume those are emojis, haha
15:14:51 * gagehugo makes a note to figure out why emojis aren't working in his irc client
15:15:32 <gagehugo> redrobot: anything you want to talk about?
15:17:43 <redrobot> nothing on my agenda, just curious about that barbican bug
15:19:25 <gagehugo> it was something about ACL modification in the database
15:19:42 <gagehugo> https://review.opendev.org/#/c/357978/13/doc/source/artifacts/barbican/newton/review-findings.rst #1 there
15:19:58 <gagehugo> it's also a "bug" from 2016 haha
15:20:13 <gagehugo> just something that someone internally here sent my way asking about
15:20:33 <redrobot> Oh, hehe, yeah, I remember that now ...
15:21:33 <gagehugo> redrobot: was there any progress on that (that you can remember)?
15:21:49 <gagehugo> it was 4 years ago now haha
15:22:19 <redrobot> I don't think so...
15:22:30 <redrobot> I took an OpenStack break shortly after that
15:22:38 <gagehugo> heh
15:22:58 <redrobot> but I think it's still a concern that the Database could be manipulated by an attacker
15:23:06 <gagehugo> I guess it was only 3 years 3 months
15:23:09 <gagehugo> "only"
15:23:11 <gagehugo> yeah
15:23:39 <gagehugo> although if your database is vulnerable, that's another issue
15:24:22 <redrobot> Right. IIRC the plan was to implement some integrity checks on data coming from the database
15:24:39 <redrobot> maybe use the crypto backend to hmac the acl table rows
15:24:52 <gagehugo> hmm ok
15:25:42 <gagehugo> sorry got a hard stop here, thanks redrobot fungi!
15:25:44 <redrobot> I'll make a note to bring this up at the Barbican meeting next week.
15:25:54 <gagehugo> redrobot: i'll make a note to attend
15:26:03 <gagehugo> have a good rest of the week everyone
15:26:07 <gagehugo> #endmeeting