15:01:11 <fungi> #startmeeting security
15:01:11 <opendevmeet> Meeting started Thu Oct  6 15:01:11 2022 UTC and is due to finish in 60 minutes.  The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:11 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:11 <opendevmeet> The meeting name has been set to 'security'
15:01:50 <fungi> apologies, i'll be a bit slow chairing since i'm quite unprepared. it's been a busy week!
15:03:13 <fungi> #link https://etherpad.opendev.org/p/security-agenda Meeting Agenda
15:03:25 <fungi> i'll add a section there real fast ;)
15:04:13 <fungi> #topic Prior Actions
15:05:01 <fungi> #link https://meetings.opendev.org/meetings/security/2022/security.2022-09-01-15.02.html (previous minutes)
15:05:25 <fungi> fungi propose xstatic discussion topic on horizon ptg agenda
15:06:48 <fungi> i haven't done that, though at this point i'm unsure what the interest is from the horizon side, but i'll do that real fast
15:08:42 <fungi> though it doesn't appear they've made an etherpad for proposed discussion topics
15:08:53 <fungi> so maybe i'll follow up with them first
15:09:06 <fungi> #action fungi propose xstatic discussion topic on horizon ptg agenda
15:09:13 <fungi> readded for now
15:09:23 <fungi> fungi add new volunteers to embargo-notice ml
15:09:35 <fungi> i've done that
15:09:47 <fungi> fungi update ossn/security-doc members in gerrit and launchpad
15:10:41 <fungi> i've started on that but not finished yet, noting that some of those groups are waaaaaay out of date and need substantial cleanup of alumni who haven't been contributing actively for years. i'll readd the action for now
15:10:45 <fungi> #action fungi update ossn/security-doc members in gerrit and launchpad
15:10:55 <fungi> fungi reach out to nova reviewers about 850003
15:11:50 <fungi> #link https://review.opendev.org/850003 Gracefully ERROR in _init_instance if vnic_type changed
15:12:12 <fungi> seems that has merged as of september 10
15:13:24 <fungi> fixed in zed, with backports proposed for all supported stable branches (so back as far as stable/wallaby)
15:14:03 <fungi> d34dh0r53: if you wanted to pick this back up, we could probably get a draft ossa proposed in gerrit with links to all the backports now and a (more final) list of affected versions
15:14:57 <fungi> we probably shouldn't move forward with publication until the backports merge, though we probably can as long as they seem to be getting positive reviews and passing tests
15:16:03 <fungi> we've never really set a strict policy on timing for ossa publication with regard to already public vulnerability reports, aside from being able to point to the available patches somewhere (even if they haven't merged)
15:16:27 <fungi> it's more a judgement call in order to potentially save ourselves extra work with subsequent errata
15:17:37 <fungi> and given those backports are all failing tests and have no code reviews yet, it's probably best we hold off a little longer still
15:18:16 <fungi> but there was some activity on them as recently as last week, so i don't think we need any new action item coming out of the meeting for that
15:18:30 <fungi> fungi switch bug 1981813 to class b1 for now
15:18:59 <fungi> #link https://launchpad.net/bugs/1981813 Compute service fails to restart if the vnic_type of a bound port changed from direct to macvtap (CVE-2022-37394)
15:19:38 <fungi> we can drop this, as it's apparent some attempt at backporting is underway
15:19:50 <fungi> fungi switch advisory tasks for old public security bugs to won't fix for now
15:20:25 <fungi> i haven't completely made an attempt at this yet, but i've punted it to our ptg topics (i'll cover that in a few minutes), so not readding the action item
15:20:33 <fungi> fungi schedule an hour at the ptg for the security sig
15:21:27 <fungi> i've done that, we're set for an hour starting at 15:00 utc on wednesday of the ptg
15:22:31 <fungi> #topic Public Bug Reports
15:23:29 <fungi> #link https://storyboard.openstack.org/#!/story/2010004 Remote code execution: Trove backup
15:24:07 <fungi> #link https://launchpad.net/bugs/1989008 Lax rulesets leading to privilege escalation vulnerabilities
15:25:01 <fungi> #link https://bugzilla.redhat.com/show_bug.cgi?id=2105419 Application credential token remains valid longer than expected
15:26:18 <fungi> that last one doesn't seem to have a corresponding upstream bug report, even though red hat assigned it a cve
15:26:42 <gagehugo> o/
15:26:47 <gagehugo> apologies for being late
15:26:57 <fungi> no worries! we have logs ;)
15:27:22 <fungi> #topic PTG Planning
15:27:42 <fungi> so, as mentioned a few minutes ago, we have an hour (15:00 utc on wednesday)
15:28:00 <fungi> i can always add another one if that's a conflict for people who had things they want to cover
15:28:25 <fungi> i've started a list of proposed discussion topics and activities, though it's far from chiseled in stone:
15:28:45 <fungi> #link https://etherpad.opendev.org/p/oct2022-ptg-openstack-security
15:29:55 <fungi> i figured if nothing else, we can debate some of the currently public security bugs and maybe close some out if we can determine they're no longer relevant (or at least close out our security advisory tasks if it looks like they're unneeded or unlikely to happen any time soon)
15:30:47 <fungi> also we could work on getting some old ossg stuff moved off the wiki, or at least plan and divvy up tasks for that
15:31:10 <fungi> if anybody has anything else to bring up, please add it
15:32:46 <fungi> #topic Open Discussion
15:33:09 <fungi> a couple of things to note... first is that i did a quick cleanup of our sig's main page on the wiki
15:33:25 <fungi> #link https://wiki.openstack.org/wiki/Security-SIG
15:33:57 <fungi> i took a hatchet to a lot of old ossg info, as well as anything which was redundant with what we've got on the current security.o.o site
15:34:55 <fungi> also there's a security-related post to the openstack-discuss ml from today:
15:35:06 <fungi> #link https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030755.html Openstack Security Assessments
15:35:59 <fungi> i made an initial attempt to answer it, but in short, some security folks are looking at openstack security from the end-user guidance perspective, which i don't think we've really done any coordinated attempt at documenting
15:36:32 <fungi> as i note in my reply, most of our focus has been on fixing vulnerabilities in the software and discussing how to securely deploy and operate it
15:37:03 <fungi> but not much i'm aware of telling users the dos and don'ts about using the services securely
15:37:22 <fungi> anyway, if anybody has more to add, please follow up to that ml thread
15:38:41 <fungi> anything else anyone wants to bring up before we close the meeting?
15:41:13 <gagehugo> nothing from me
15:45:31 <fungi> thanks gagehugo!
15:45:34 <fungi> #endmeeting