15:01:19 <fungi> #startmeeting security
15:01:19 <opendevmeet> Meeting started Thu Feb  2 15:01:19 2023 UTC and is due to finish in 60 minutes.  The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:19 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:19 <opendevmeet> The meeting name has been set to 'security'
15:01:41 <fungi> #link Agenda is at https://etherpad.opendev.org/p/security-agenda
15:01:56 <fungi> #topic Picking a new meeting schedule
15:02:20 <fungi> i set up a couple of polls and sent a message to the mailing list about this last week
15:02:31 <fungi> #link Polls to work out a new meeting schedule https://lists.openstack.org/pipermail/openstack-discuss/2023-January/031908.html
15:03:20 <fungi> the first poll is to try to figure out if people prefer a change in meeting frequency
15:03:58 <fungi> the second is to get a feel for what days of the week are generally better for people than others
15:04:28 <fungi> once i've got some data for those questions, i'll create another poll with more specific times to select from
15:04:57 <fungi> the first two polls close a week from today (2023-02-09)
15:05:46 <fungi> anybody have any questions?
15:05:56 <fungi> if not i'll move on to the next topic on the agenda
15:06:31 <fungi> #topic Virtual PTG
15:07:19 <fungi> i'll send a message to the mailing list about this after the meeting, but just wanted to give anyone interested a heads up that i signed the security sig up for the virtual openinfra ptg in march
15:07:30 <fungi> #link Virtual PTG March 27-31 https://openinfra.dev/ptg
15:07:46 <fungi> please remember to register if you plan to participate in the ptg
15:08:18 <fungi> we can brainstorm discussion topics in an etherpad and then use that same pad to take notes during our discussions
15:09:11 <fungi> #link Brainstorming topics https://etherpad.opendev.org/p/mar2023-ptg-openstack-security
15:09:36 <fungi> anybody have any questions related to the ptg?
15:10:24 <fungi> #topic Recent OSSAs
15:10:57 <fungi> as most of you are no doubt aware, the vmt published two ossas earlier this month
15:11:10 <fungi> #link Arbitrary file access through custom S3 XML entities https://security.openstack.org/ossa/OSSA-2023-001.html
15:11:21 <fungi> #link Arbitrary file access through custom VMDK flat descriptor https://security.openstack.org/ossa/OSSA-2023-002.html
15:13:31 <fungi> given these were higher-severity bugs which got fixes developed under our embargoed report process, and the first advisories we've published since 2021-09-09, it seems to have generated renewed interest in our processes
15:14:01 <fungi> i've been contacted by a bunch of organizations requesting addition to our advance notification list, which is great
15:15:09 <fungi> just a reminder, if you've got a reason to need advance copies of embargoed patches, please reach out
15:15:27 <fungi> #link Downstream stakeholders https://security.openstack.org/vmt-process.html#downstream-stakeholders
15:15:48 <fungi> does anyone have any questions or comments about the recent advisories?
15:16:03 <fungi> or regarding our vulnerability management process more generally?
15:18:46 <fungi> #topic Newly public bug reports
15:19:54 <fungi> after feedback from horizon security reviewers, i switched this one to public and marked it as a duplicate
15:20:22 <fungi> #link CVE-2019-10768 in Angular libs < 1.7.9 https://launchpad.net/bugs/1997545 duplicate of https://launchpad.net/bugs/1955556
15:21:06 <fungi> that's the omnibus report about outdated js libs
15:21:41 <fungi> anybody have anything to add on that? or about other public bugs?
15:22:47 <fungi> #topic Anything else?
15:23:07 <fungi> i'll leave discussion open for the next 7 minutes in case anyone has something to bring up
15:24:06 <fungi> i'm still planning to push readme updates to horizon's xstatic packages warning users and package maintainers about the state of their embedded javascript and discouraging use directly in production
15:29:42 <fungi> #info Please remember to fill out the surveys in the ML post linked earlier so we can find a better time when people will be able to participate
15:30:01 <fungi> #endmeeting