15:00:17 <gagehugo> #startmeeting security
15:00:18 <openstack> Meeting started Thu Jun 11 15:00:17 2020 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:20 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:22 <openstack> The meeting name has been set to 'security'
15:00:34 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:01:50 <gagehugo> o/
15:02:30 <fungi> ohai
15:02:37 <fungi> also listening to the board meeting
15:03:57 <gagehugo> fungi: o/
15:04:13 <gagehugo> #topic refresh security-doc-core
15:04:34 <fungi> ahh, yeah, so this came up last week with the cinder ossn
15:04:50 <gagehugo> we've discussed this before as well iirc
15:04:55 <fungi> basically we have folks submit ossn additions to the security guide
15:05:05 <fungi> however it no longer has any active reviewers
15:05:39 <fungi> folks interested in reviewing and approving these additions, at least ossn, should be added to the group in gerrit
15:06:00 <fungi> in the meantime we fall back on pestering the doc-core reviewers to approve changes
15:06:01 <gagehugo> sure
15:07:51 <gagehugo> last time when we reached out to those listed, a lot of the emails were invalid
15:09:05 <fungi> right, we probably ought to remove them
15:10:11 <fungi> i suggest we ask the docs team to empty out that group and add new folks who initially volunteer to be reviewers for it
15:10:31 <fungi> i'm happy to put my name in there, at least to help get ossn changes merged
15:10:44 <gagehugo> ok, I can reach out and ask
15:11:54 <gagehugo> Is there a link to the cinder ossn discussion from last week I can reference?
15:14:05 <gagehugo> otherwise I'll just mention it
15:14:28 <gagehugo> #topic meeting times
15:14:43 <gagehugo> So we discussed last week about changing both the meeting time and frequency for the security sig
15:15:22 <gagehugo> I'd be up for making a poll on the mailing list to gauge interest in timeslots
15:16:56 <fungi> oh, discussion with the docs team? yeah, let me get you a link
15:17:53 <gagehugo> cool
15:19:08 <fungi> #link http://eavesdrop.openstack.org/irclogs/%23openstack-doc/%23openstack-doc.2020-06-03.log.html#t2020-06-03T17:25:07 security-doc-core discussion with tech writing sig
15:20:13 <gagehugo> nice
15:20:56 <gagehugo> #topic security sig newsletter
15:21:16 <gagehugo> I will start getting these out when I can, might change it up a bit, not sure yet
15:21:55 <gagehugo> some months nothing happens, others is a whole lot more exciting
15:22:03 <fungi> meh, it's not critical
15:22:18 <gagehugo> yeah, it's a nice to have
15:22:28 <fungi> the sig governance requirements aren't specific on how frequently we need to report (or even how)
15:22:53 <gagehugo> I basically copied it from keystone anyway when we used to do weekly reports
15:22:59 <fungi> i agree the newsletters are nice, but if they aren't at a regular frequency i don't see that as a problem
15:23:23 <gagehugo> I think after someone from the PTG in Denver asked if we could do something like that
15:24:03 <gagehugo> anyway
15:24:11 <gagehugo> #topic clean up security wiki/docs
15:24:40 <gagehugo> As per discussions from last week, the wiki/docs for the security sig have a lot of outdated info on them, mostly software projects that are no longer under the sig
15:24:56 <gagehugo> we can clean those up when time allows
15:25:07 <gagehugo> #topic open discussion
15:25:12 <gagehugo> fungi: anything else for this week?
15:25:34 <fungi> there was an ossn published last week
15:26:35 <gagehugo> #link Clean up Security SIG Wiki and Guide pages
15:26:38 <gagehugo> whoops
15:26:40 <fungi> #link https://wiki.openstack.org/wiki/OSSN/OSSN-0086 Dell EMC ScaleIO/VxFlex OS Backend Credentials Exposure
15:26:45 <gagehugo> thanks
15:28:34 <fungi> also i opened up a couple more expired embargoes
15:29:09 <fungi> #link https://launchpad.net/bugs/1866614 CSV Injection in instance edit form in the name field
15:29:09 <openstack> Launchpad bug 1866614 in OpenStack Security Advisory "CSV Injection in instance edit form in the name field" [Undecided,Incomplete]
15:29:36 <fungi> #link https://launchpad.net/bugs/1866725 DVR denial of service observed when using DVR+VLAN project networks
15:29:36 <openstack> Launchpad bug 1866725 in OpenStack Security Advisory "DVR denial of service observed when using DVR+VLAN project networks" [Undecided,Incomplete]
15:30:26 <fungi> and the manila team also opened up an old private report since fixed in ussuri
15:30:46 <fungi> no, sorry, mistral
15:31:26 <fungi> #link https://launchpad.net/bugs/1785657 Denial of service through YAML anchors expansion (Billion Laughs)
15:31:26 <openstack> Launchpad bug 1785657 in Mistral "Denial of service through YAML anchors expansion (Billion Laughs)" [High,Fix released] - Assigned to Eyal B (eyalb1)
15:31:59 <fungi> i think that's the only other news i'm aware of besides the ptg discussions we had
15:32:18 <fungi> i still have a to do item to propose barbican as an openstack "base service"
15:33:09 * redrobot sneaks in through the back
15:35:05 <gagehugo> ok
15:35:13 <gagehugo> thanks fungi: have a good rest of the week
15:35:16 <gagehugo> #endmeeting