15:00:26 #startmeeting security 15:00:27 Meeting started Thu Oct 15 15:00:26 2020 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:28 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:30 The meeting name has been set to 'security' 15:01:25 o/ 15:04:48 Not much on the agenda today 15:04:54 #topic Next 2 meetings cancelled 15:05:15 Next week is the summit, and the following is the PTG, so I am proposing cancelling the next 2 weeks of meetings 15:05:49 * redrobot nods 15:06:30 oh, hi, sorry, firefighting right now 15:06:47 i mentioned some bugs in #openstack-security 15:07:31 fungi: no worries 15:07:36 and yes, cancelling the next two weeks sounds good 15:08:23 I'll send out an email today about cancelling them 15:08:30 #topic bug updates 15:08:41 #link https://bugs.launchpad.net/nova/+bug/1799298 15:08:42 Launchpad bug 1799298 in OpenStack Compute (nova) rocky "Metadata API cross joining instance_metadata and instance_system_metadata" [Medium,Triaged] 15:08:59 This was switched to public security today, thanks fungi 15:09:13 also this merged last night 15:09:16 #link https://review.opendev.org/#/c/757465/ 15:09:17 patch 757465 - ossa - Add OSSA-2020-007 (CVE-2020-26943) (MERGED) - 1 patch set 15:10:36 priteau isn't around today i guess, but the rst version can be copied from https://security.openstack.org/_sources/ossa/OSSA-2020-007.rst if he wants to send that to any of the mailing lists mentioned at the end of https://security.openstack.org/vmt-process.html#openstack-security-advisories-ossa 15:10:38 #topic PTG Agenda 15:10:45 oh whoops 15:10:53 fungi: sure 15:11:21 #link https://launchpad.net/bugs/1899229 Nova compute log can get the password info from the user_data 15:11:22 Launchpad bug 1899229 in OpenStack Compute (nova) "Nova compute log can get the password info from the user_data" [Wishlist,Confirmed] 15:11:29 that was also switched to public in the past week 15:12:10 ok 15:13:09 #link https://etherpad.opendev.org/p/security-sig-wallaby-ptg 15:13:20 ^ agenda for the PTG, if anyone wants to add topics 15:13:39 I will send that out in the mailing list as well 15:14:00 fungi: if priteau isn't around by EoD, do we want to send out the email then regardless? 15:14:05 I can do that 15:15:21 gagehugo: it can probably wait until he's around to confirm 15:15:33 ok 15:15:41 #topic open discussion 15:15:47 Anything else for this week? 15:15:48 he seemed to think that there was probably only one user of that feature, and he helped them mitigate it before the bug became public 15:15:54 ah ok 15:16:04 we can let him confirm it then 15:16:15 so circulating the advisory more widely is likely not urgent 15:18:09 i didn't have anything else really 15:18:46 fungi: thanks, have a good rest of the week 15:18:50 #endmeeting