15:01:54 <gagehugo> #startmeeting security
15:01:55 <openstack> Meeting started Thu Jun 25 15:01:54 2020 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:58 <openstack> The meeting name has been set to 'security'
15:02:44 <fungi> hey there!
15:02:56 <gagehugo> o/
15:03:10 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:03:57 <gagehugo> I was out the last couple days for training so didn't update the agenda much
15:04:33 <fungi> we made a trove bug public
15:04:50 <fungi> other than that i don't think i have much to cover
15:06:43 <gagehugo> I did see that
15:07:24 <gagehugo> I was asked about including a slide for openstack 10 years about the security sig, so I just included a section from the security sig wiki page
15:08:04 <fungi> that sounds good
15:08:09 <gagehugo> but otherwise I don't have anything really
15:08:11 <fungi> oh, on a related note
15:09:18 <fungi> how would folks feel about moving the wiki page into governance-sigs repo? like i did for https://governance.openstack.org/sigs/tact-sig.html
15:09:27 <fungi> #link https://governance.openstack.org/sigs/tact-sig.html sample sig page
15:09:53 <gagehugo> works for me
15:09:58 <gagehugo> I don't mind
15:10:12 <fungi> i'll add that to my to do list
15:13:15 <fungi> on the trove report, that was bug 1884457
15:13:15 <openstack> bug 1884457 in OpenStack DBaaS (Trove) "Remote Code Execution in trove-conductor" [Undecided,New] https://launchpad.net/bugs/1884457
15:13:26 <fungi> #link https://launchpad.net/bugs/1884457 Remote Code Execution in trove-conductor
15:14:06 <fungi> this turned out to be a known risk, trove currently recommends using a service tenant for all the trove instance resources in any deployments where trove users are not trusted
15:15:34 <fungi> otherwise you could do things like attach the trove storage device to a general purpose server instance under the control of the user and inject arbitrary code or grab message bus credentials
15:16:44 <gagehugo> hmm ok
15:18:23 <gagehugo> fungi: anything else?
15:19:00 <fungi> i got nuthin'
15:20:20 <gagehugo> have a good rest of the week!
15:20:23 <gagehugo> #endmeeting