15:01:43 #startmeeting security
15:01:44 Meeting started Thu Oct 8 15:01:43 2020 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:45 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:48 The meeting name has been set to 'security'
15:02:01 #link https://etherpad.opendev.org/p/security-agenda agenda
15:03:53 o/
15:04:46 hey there
15:05:18 fungi: hey o/
15:05:47 #link https://launchpad.net/bugs/1895688 Authenticated RCE in blazar-dashboard
15:05:48 Launchpad bug 1895688 in Blazar "Authenticated RCE in blazar-dashboard via python expression in POST parameters" [Critical,Fix released] - Assigned to Pierre Riteau (priteau)
15:06:08 Hi o/
15:06:09 er, sorry, was prepping an entry and had a stray newline in there :/
15:06:35 didn't mean to jump into the topic early
15:07:03 no worries haha
15:07:20 #topic Authenticated RCE in blazar-dashboard via python expression in POST parameters
15:07:27 #link https://bugs.launchpad.net/blazar/+bug/1895688
15:07:29 Launchpad bug 1895688 in Blazar "Authenticated RCE in blazar-dashboard via python expression in POST parameters" [Critical,Fix released] - Assigned to Pierre Riteau (priteau)
15:08:02 priteau took care of that very quickly once he got access to blazar's private bugs
15:08:10 That was the hard part :-)
15:08:20 nice
15:08:35 To be fair, credit goes to the discoverer of the issue who shared a patch
15:10:12 The patch was backported to victoria, ussuri, train, stein
15:10:35 New releases produced for ussuri, train, stein
15:11:00 ok cool
15:11:08 I wanted to ask what is the next step, should we produce an OSSA?
15:11:50 As I mentioned to fungi in private discussions, there is quite likely very few users of this software
15:12:02 it's probably a good idea, though if you're not in a hurry you could file a request for a cve assignment via mitre's web form first
15:12:37 but really it's up to you. if you feel like the impact is extremely limited then it may not be worth the trouble
15:13:59 I would like to do things properly, it can be useful to know
15:14:27 sure. in that case we have instructions... lemme get the link
15:14:40 https://security.openstack.org/vmt-process.html#send-cve-request
15:14:46 priteau ^
15:15:03 #link https://security.openstack.org/vmt-process.html#send-cve-request cve request instructions
15:15:05 yep
15:15:10 :)
15:15:26 and then after, or in parallel, you can start working on a yaml file addition to the ossa repo:
15:16:00 #link https://security.openstack.org/vmt-process.html#openstack-security-advisories-ossa template for ossa metadata
15:17:14 stuff like $DESCRIPTION_CONTENT and $AFFECTED_VERSIONS are part of the impact description, which there's also a template for in that document
15:17:37 but feel free to ask in #openstack-security if you have questions and we're happy to guide you
15:18:19 In the cve form, do I need to list each affected version as a separate entry?
15:19:43 or just comma-separate them?
15:20:00 we usually comma-separate version ranges
15:20:07 I believe I just comma separated them last time I submitted one
15:20:10 i'll get you an example
15:21:23 #link https://security.openstack.org/ossa/OSSA-2020-006.html#affects example affected version ranges list
15:21:37 Thanks
15:22:31 "<1.3.1, ==2.0.0, ==3.0.0"
15:23:09 yeah, assuming 1.3.1, 2.0.1 and 3.0.1 are the fixed releases
15:23:56 They are
15:24:08 then that looks entirely correct
15:26:14 I think I've got enough information to request the CVE. I'll do it a bit later today.
15:27:16 sounds good!
15:27:19 they usually get back to you by e-mail with the cve number they've assigned within a day or two
15:27:28 "usually"
15:27:40 but yeah, don't get worried if you don't hear from them until monday or tuesday
15:28:03 you'll generally get a confirmation e-mail for the submission itself straight away though
15:29:37 fungi priteau: anything else for this topic?
15:30:08 Not for now, I'll ask in the security channel if I run into problems
15:30:18 we're all happy to help
15:30:23 ^^
15:30:48 #topic horizon bug
15:30:53 #link https://bugs.launchpad.net/horizon/+bug/1898465
15:30:54 Launchpad bug 1898465 in OpenStack Dashboard (Horizon) "In Openstack Horizon component it was observed that the application is taking input from URL and reflecting it into the webpage" [Undecided,New]
15:30:59 This was made public
15:31:41 yeah, i marked it as a security hardening opportunity for now
15:32:47 there's another public horizon bug for an open redirect which will likely get an ossa soon
15:33:06 the stable/ussuri backport for it merged today, but older stable branches still need backports i think
15:36:44 thanks fungi
15:36:49 #topic open discussion
15:36:55 Anything else for this week?
15:37:27 it might be nice to get some renewed movement on the memcached socket pileup
15:38:04 agreed
15:38:20 #link https://bugs.launchpad.net/keystonemiddleware/+bug/1892852
15:38:21 Launchpad bug 1892852 in OpenStack Security Advisory "memcached socket not released upon lbaas API request" [Undecided,Incomplete]
15:38:47 that's the duplicate one
15:38:50 #link https://bugs.launchpad.net/keystonemiddleware/+bug/1883659
15:38:51 Launchpad bug 1883659 in oslo.cache "keystonemiddleware connections to memcached from neutron-server grow beyond configured values" [Undecided,Confirmed]
15:38:52 there's a theoretical fix for oslo.cache but it's not seen any updates for a month or two
15:39:18 it's probably also a duplicate of 1888394
15:39:41 which was opened in july
15:41:35 heh
15:41:57 looks like that's the only one referred to by the fix change, so i'll add some comments in it about being a duplicate as well
15:42:05 and let the devs sort it out
15:42:49 right now reviewers arriving at https://review.opendev.org/742193 don't have any clear indication that there are outstanding security bugs for it
15:44:00 hmm
15:44:39 that might poke them along
15:45:21 fungi priteau: thanks! I need to run, have a good rest of the week!
15:45:26 #endmeeting