15:02:19 <gagehugo> #startmeeting security
15:02:19 <opendevmeet> Meeting started Thu Feb 3 15:02:19 2022 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:19 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:19 <opendevmeet> The meeting name has been set to 'security'
15:02:30 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:02:31 <gagehugo> o/
15:02:52 <fungi> ohai
15:03:17 <fungi> once again, i'm triple-booked today
15:03:21 <fungi> how's things?
15:03:31 <fungi> i saw you got started on the security-specs retirement
15:03:39 <gagehugo> Yeah, doing that in my spare time
15:03:46 <gagehugo> gonna try to get that done this week
15:04:44 <fungi> excellent, thanks for working on it
15:06:11 <dmendiza[m]> 🙋
15:08:24 <fungi> ohai dmendiza[m]
15:09:34 <fungi> from what i understood from monday's meeting, the image encryption spec-lite in glance is still on track for yoga
15:10:47 <dmendiza[m]> Hi friends!
15:10:55 <gagehugo> hey
15:12:39 * fungi tries to remember what else security-relevant is going on
15:13:00 <gagehugo> I believe I don't have any updates
15:13:07 <gagehugo> Just currently watching it snow here
15:13:10 <fungi> the thread about log4j vulnerabilities brought up that monasca and cloudkitty often use elasticsearch as a backend
15:13:30 <fungi> and that kolla-ansible will deploy an elasticsearch container for those or if you ask for centralized logging
15:13:46 <fungi> also sounds like it deploys apache storm, which was affected as well
15:14:36 <fungi> there's probably enough material in that thread if someone wants to draft a security note about it, though i don't know that i'll have time to put it together
15:15:04 <dmendiza[m]> Just a reminder for folks to keep an eye out for Secure RBAC stuff
15:19:52 <fungi> yes, thank you. that's one of the topics i meant to mention
15:20:27 <fungi> seems like more projects are getting on the same page since the big tc discussion before the winter holidays
15:21:30 <gagehugo> fungi: So an OSSN for kolla-ansible, monasca, cloudkitty?
15:21:48 <gagehugo> OSH has an elasticsearch chart as well
15:23:39 <fungi> yeah, i think it would be an overarching ossn talking about places openstack deployments might include (non-openstack) java-based software affected by the recent log4j vulnerabilities, and reminding operators to make sure they update those things
15:24:29 <gagehugo> makes sense
15:24:36 <fungi> for example, someone who deploys kolla-ansible and selects "i want central logging" may not know that's being provided by elasticsearch much less that it's affected
15:25:22 <fungi> so while openstack isn't developing any software which is affected by those vulnerabilities, some openstack installers do deploy affected software written outside openstack
15:29:12 <gagehugo> gotcha
15:29:21 <gagehugo> any other updates for this meeting?
15:29:48 <fungi> i can't think of anything else
15:29:59 <fungi> thanks for chairing, gagehugo!
15:30:18 <fungi> i'll keep an eye out for the remaining specs retirement changes
15:30:39 <gagehugo> Have a good rest of the week everyone!
15:30:41 <gagehugo> #endmeeting