15:01:43 <gagehugo> #startmeeting security
15:01:44 <openstack> Meeting started Thu Oct 8 15:01:43 2020 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:45 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:48 <openstack> The meeting name has been set to 'security'
15:02:01 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:03:53 <gagehugo> o/
15:04:46 <fungi> hey there
15:05:18 <gagehugo> fungi: hey o/
15:05:47 <fungi> #link https://launchpad.net/bugs/1895688 Authenticated RCE in blazar-dashboard
15:05:48 <openstack> Launchpad bug 1895688 in Blazar "Authenticated RCE in blazar-dashboard via python expression in POST parameters" [Critical,Fix released] - Assigned to Pierre Riteau (priteau)
15:06:08 <priteau> Hi o/
15:06:09 <fungi> er, sorry, was prepping an entry and had a stray newline in there :/
15:06:35 <fungi> didn't mean to jump into the topic early
15:07:03 <gagehugo> no worries haha
15:07:20 <gagehugo> #topic Authenticated RCE in blazar-dashboard via python expression in POST parameters
15:07:27 <gagehugo> #link https://bugs.launchpad.net/blazar/+bug/1895688
15:07:29 <openstack> Launchpad bug 1895688 in Blazar "Authenticated RCE in blazar-dashboard via python expression in POST parameters" [Critical,Fix released] - Assigned to Pierre Riteau (priteau)
15:08:02 <fungi> priteau took care of that very quickly once he got access to blazar's private bugs
15:08:10 <priteau> That was the hard part :-)
15:08:20 <gagehugo> nice
15:08:35 <priteau> To be fair, credit goes to the discoverer of the issue who shared a patch
15:10:12 <priteau> The patch was backported to victoria, ussuri, train, stein
15:10:35 <priteau> New releases produced for ussuri, train, stein
15:11:00 <gagehugo> ok cool
15:11:08 <priteau> I wanted to ask what is the next step, should we produce an OSSA?
15:11:50 <priteau> As I mentioned to fungi in private discussions, there are quite likely very few users of this software
15:12:02 <fungi> it's probably a good idea, though if you're not in a hurry you could file a request for a cve assignment via mitre's web form first
15:12:37 <fungi> but really it's up to you. if you feel like the impact is extremely limited then it may not be worth the trouble
15:13:59 <priteau> I would like to do things properly, it can be useful to know
15:14:27 <fungi> sure. in that case we have instructions... lemme get the link
15:14:40 <gagehugo> https://security.openstack.org/vmt-process.html#send-cve-request
15:14:46 <gagehugo> priteau ^
15:15:03 <fungi> #link https://security.openstack.org/vmt-process.html#send-cve-request cve request instructions
15:15:05 <fungi> yep
15:15:10 <gagehugo> :)
15:15:26 <fungi> and then after, or in parallel, you can start working on a yaml file addition to the ossa repo:
15:16:00 <fungi> #link https://security.openstack.org/vmt-process.html#openstack-security-advisories-ossa template for ossa metadata
15:17:14 <fungi> stuff like $DESCRIPTION_CONTENT and $AFFECTED_VERSIONS are part of the impact description, which there's also a template for in that document
15:17:37 <fungi> but feel free to ask in #openstack-security if you have questions and we're happy to guide you
15:18:19 <priteau> In the cve form, do I need to list each affected version as a separate entry?
15:19:43 <priteau> or just comma-separate them?
15:20:00 <fungi> we usually comma-separate version ranges
15:20:07 <gagehugo> I believe I just comma separated them last time I submitted one
15:20:10 <fungi> i'll get you an example
15:21:23 <fungi> #link https://security.openstack.org/ossa/OSSA-2020-006.html#affects example affected version ranges list
15:21:37 <priteau> Thanks
15:22:31 <priteau> "<1.3.1, ==2.0.0, ==3.0.0"
15:23:09 <fungi> yeah, assuming 1.3.1, 2.0.1 and 3.0.1 are the fixed releases
15:23:56 <priteau> They are
15:24:08 <fungi> then that looks entirely correct
15:26:14 <priteau> I think I've got enough information to request the CVE. I'll do it a bit later today.
15:27:16 <gagehugo> sounds good!
15:27:19 <fungi> they usually get back to you by e-mail with the cve number they've assigned within a day or two
15:27:28 <gagehugo> "usually"
15:27:40 <fungi> but yeah, don't get worried if you don't hear from them until monday or tuesday
15:28:03 <fungi> you'll generally get a confirmation e-mail for the submission itself straight away though
15:29:37 <gagehugo> fungi priteau: anything else for this topic?
15:30:08 <priteau> Not for now, I'll ask in the security channel if I run into problems
15:30:18 <fungi> we're all happy to help
15:30:23 <gagehugo> ^^
15:30:48 <gagehugo> #topic horizon bug
15:30:53 <gagehugo> #link https://bugs.launchpad.net/horizon/+bug/1898465
15:30:54 <openstack> Launchpad bug 1898465 in OpenStack Dashboard (Horizon) "In Openstack Horizon component it was observed that the application is taking input from URL and reflecting it into the webpage" [Undecided,New]
15:30:59 <gagehugo> This was made public
15:31:41 <fungi> yeah, i marked it as a security hardening opportunity for now
15:32:47 <fungi> there's another public horizon bug for an open redirect which will likely get an ossa soon
15:33:06 <fungi> the stable/ussuri backport for it merged today, but older stable branches still need backports i think
15:36:44 <gagehugo> thanks fungi
15:36:49 <gagehugo> #topic open discussion
15:36:55 <gagehugo> Anything else for this week?
15:37:27 <fungi> it might be nice to get some renewed movement on the memcached socket pileup
15:38:04 <gagehugo> agreed
15:38:20 <gagehugo> #link https://bugs.launchpad.net/keystonemiddleware/+bug/1892852
15:38:21 <openstack> Launchpad bug 1892852 in OpenStack Security Advisory "memcached socket not released upon lbaas API request" [Undecided,Incomplete]
15:38:47 <gagehugo> that's the duplicate one
15:38:50 <gagehugo> #link https://bugs.launchpad.net/keystonemiddleware/+bug/1883659
15:38:51 <openstack> Launchpad bug 1883659 in oslo.cache "keystonemiddleware connections to memcached from neutron-server grow beyond configured values" [Undecided,Confirmed]
15:38:52 <fungi> there's a theoretical fix for oslo.cache but it's not seen any updates for a month or two
15:39:18 <fungi> it's probably also a duplicate of 1888394
15:39:41 <fungi> which was opened in july
15:41:35 <gagehugo> heh
15:41:57 <fungi> looks like that's the only one referred to by the fix change, so i'll add some comments in it about being a duplicate as well
15:42:05 <fungi> and let the devs sort it out
15:42:49 <fungi> right now reviewers arriving at https://review.opendev.org/742193 don't have any clear indication that there are outstanding security bugs for it
15:44:00 <gagehugo> hmm
15:44:39 <gagehugo> that might poke them along
15:45:21 <gagehugo> fungi priteau: thanks! I need to run, have a good rest of the week!
15:45:26 <gagehugo> #endmeeting