15:01:11 <fungi> #startmeeting security
15:01:11 <opendevmeet> Meeting started Thu Oct 6 15:01:11 2022 UTC and is due to finish in 60 minutes. The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:11 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:11 <opendevmeet> The meeting name has been set to 'security'
15:01:50 <fungi> apologies, i'll be a bit slow chairing since i'm quite unprepared. it's been a busy week!
15:03:13 <fungi> #link https://etherpad.opendev.org/p/security-agenda Meeting Agenda
15:03:25 <fungi> i'll add a section there real fast ;)
15:04:13 <fungi> #topic Prior Actions
15:05:01 <fungi> #link https://meetings.opendev.org/meetings/security/2022/security.2022-09-01-15.02.html (previous minutes)
15:05:25 <fungi> fungi propose xstatic discussion topic on horizon ptg agenda
15:06:48 <fungi> i haven't done that, though at this point i'm unsure what the interest is from the horizon side, but i'll do that real fast
15:08:42 <fungi> though it doesn't appear they've made an etherpad for proposed discussion topics
15:08:53 <fungi> so maybe i'll follow up with them first
15:09:06 <fungi> #action fungi propose xstatic discussion topic on horizon ptg agenda
15:09:13 <fungi> readded for now
15:09:23 <fungi> fungi add new volunteers to embargo-notice ml
15:09:35 <fungi> i've done that
15:09:47 <fungi> fungi update ossn/security-doc members in gerrit and launchpad
15:10:41 <fungi> i've started on that but not finished yet, noting that some of those groups are waaaaaay out of date and need substantial cleanup of alumni who haven't been contributing actively for years. i'll readd the action for now
15:10:45 <fungi> #action fungi update ossn/security-doc members in gerrit and launchpad
15:10:55 <fungi> fungi reach out to nova reviewers about 850003
15:11:50 <fungi> #link https://review.opendev.org/850003 Gracefully ERROR in _init_instance if vnic_type changed
15:12:12 <fungi> seems that has merged as of september 10
15:13:24 <fungi> fixed in zed, with backports proposed for all supported stable branches (so back as far as stable/wallaby)
15:14:03 <fungi> d34dh0r53: if you wanted to pick this back up, we could probably get a draft ossa proposed in gerrit with links to all the backports now and a (more final) list of affected versions
15:14:57 <fungi> we probably shouldn't move forward with publication until the backports merge, though we probably can as long as they seem to be getting positive reviews and passing tests
15:16:03 <fungi> we've never really set a strict policy on timing for ossa publication with regard to already public vulnerability reports, aside from being able to point to the available patches somewhere (even if they haven't merged)
15:16:27 <fungi> it's more a judgement call in order to potentially save ourselves extra work with subsequent errata
15:17:37 <fungi> and given those backports are all failing tests and have no code reviews yet, it's probably best we hold off a little longer still
15:18:16 <fungi> but there was some activity on them as recently as last week, so i don't think we need any new action item coming out of the meeting for that
15:18:30 <fungi> fungi switch bug 1981813 to class b1 for now
15:18:59 <fungi> #link https://launchpad.net/bugs/1981813 Compute service fails to restart if the vnic_type of a bound port changed from direct to macvtap (CVE-2022-37394)
15:19:38 <fungi> we can drop this, as it's apparent some attempt at backporting is underway
15:19:50 <fungi> fungi switch advisory tasks for old public security bugs to won't fix for now
15:20:25 <fungi> i haven't completely made an attempt at this yet, but i've punted it to our ptg topics (i'll cover that in a few minutes), so not readding the action item
15:20:33 <fungi> fungi schedule an hour at the ptg for the security sig
15:21:27 <fungi> i've done that, we're set for an hour starting at 15:00 utc on wednesday of the ptg
15:22:31 <fungi> #topic Public Bug Reports
15:23:29 <fungi> #link https://storyboard.openstack.org/#!/story/2010004 Remote code execution: Trove backup
15:24:07 <fungi> #link https://launchpad.net/bugs/1989008 Lax rulesets leading to privilege escalation vulnerabilities
15:25:01 <fungi> #link https://bugzilla.redhat.com/show_bug.cgi?id=2105419 Application credential token remains valid longer than expected
15:26:18 <fungi> that last one doesn't seem to have a corresponding upstream bug report, even though red hat assigned it a cve
15:26:42 <gagehugo> o/
15:26:47 <gagehugo> apologies for being late
15:26:57 <fungi> no worries! we have logs ;)
15:27:22 <fungi> #topic PTG Planning
15:27:42 <fungi> so, as mentioned a few minutes ago, we have an hour (15:00 utc on wednesday)
15:28:00 <fungi> i can always add another one if that's a conflict for people who had things they want to cover
15:28:25 <fungi> i've started a list of proposed discussion topics and activities, though it's far from chiseled in stone:
15:28:45 <fungi> #link https://etherpad.opendev.org/p/oct2022-ptg-openstack-security
15:29:55 <fungi> i figured if nothing else, we can debate some of the currently public security bugs and maybe close some out if we can determine they're no longer relevant (or at least close out our security advisory tasks if it looks like they're unneeded or unlikely to happen any time soon)
15:30:47 <fungi> also we could work on getting some old ossg stuff moved off the wiki, or at least plan and divvy up tasks for that
15:31:10 <fungi> if anybody has anything else to bring up, please add it
15:32:46 <fungi> #topic Open Discussion
15:33:09 <fungi> a couple of things to note... first is that i did a quick cleanup of our sig's main page on the wiki
15:33:25 <fungi> #link https://wiki.openstack.org/wiki/Security-SIG
15:33:57 <fungi> i took a hatchet to a lot of old ossg info, as well as anything which was redundant with what we've got on the current security.o.o site
15:34:55 <fungi> also there's a security-related post to the openstack-discuss ml from today:
15:35:06 <fungi> #link https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030755.html Openstack Security Assessments
15:35:59 <fungi> i made an initial attempt to answer it, but in short, some security folks are looking at openstack security from the end-user guidance perspective, which i don't think we've really done any coordinated attempt at documenting
15:36:32 <fungi> as i note in my reply, most of our focus has been on fixing vulnerabilities in the software and discussing how to securely deploy and operate it
15:37:03 <fungi> but not much i'm aware of telling users the dos and don'ts about using the services securely
15:37:22 <fungi> anyway, if anybody has more to add, please follow up to that ml thread
15:38:41 <fungi> anything else anyone wants to bring up before we close the meeting?
15:41:13 <gagehugo> nothing from me
15:45:31 <fungi> thanks gagehugo!
15:45:34 <fungi> #endmeeting