15:01:54 #startmeeting security
15:01:55 Meeting started Thu Jun 25 15:01:54 2020 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:56 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:58 The meeting name has been set to 'security'
15:02:44 hey there!
15:02:56 o/
15:03:10 #link https://etherpad.opendev.org/p/security-agenda agenda
15:03:57 I was out the last couple days for training so didn't update the agenda much
15:04:33 we made a trove bug public
15:04:50 other than that i don't think i have much to cover
15:06:43 I did see that
15:07:24 I was asked about including a slide for openstack 10 years about the security sig, so I just included a section from the security sig wiki page
15:08:04 that sounds good
15:08:09 but otherwise I don't have anything really
15:08:11 oh, on a related note
15:09:18 how would folks feel about moving the wiki page into governance-sigs repo? like i did for https://governance.openstack.org/sigs/tact-sig.html
15:09:27 #link https://governance.openstack.org/sigs/tact-sig.html sample sig page
15:09:53 works for me
15:09:58 I don't mind
15:10:12 i'll add that to my to do list
15:13:15 on the trove report, that was bug 1884457
15:13:15 bug 1884457 in OpenStack DBaaS (Trove) "Remote Code Execution in trove-conductor" [Undecided,New] https://launchpad.net/bugs/1884457
15:13:26 #link https://launchpad.net/bugs/1884457 Remote Code Execution in trove-conductor
15:14:06 this turned out to be a known risk, trove currently recommends using a service tenant for all the trove instance resources in any deployments where trove users are not trusted
15:15:34 otherwise you could do things like attach the trove storage device to a general purpose server instance under the control of the user and inject arbitrary code or grab message bus credentials
15:16:44 hmm ok
15:18:23 fungi: anything else?
15:19:00 i got nuthin'
15:20:20 have a good rest of the week!
15:20:23 #endmeeting