15:01:19 #startmeeting security
15:01:19 Meeting started Thu Feb 2 15:01:19 2023 UTC and is due to finish in 60 minutes. The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:19 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:19 The meeting name has been set to 'security'
15:01:41 #link Agenda is at https://etherpad.opendev.org/p/security-agenda
15:01:56 #topic Picking a new meeting schedule
15:02:20 i set up a couple of polls and sent a message to the mailing list about this last week
15:02:31 #link Polls to work out a new meeting schedule https://lists.openstack.org/pipermail/openstack-discuss/2023-January/031908.html
15:03:20 the first poll is to try to figure out if people prefer a change in meeting frequency
15:03:58 the second is to get a feel for what days of the week are generally better for people than others
15:04:28 once i've got some data for those questions, i'll create another poll with more specific times to select from
15:04:57 the first two polls close a week from today (2023-02-09)
15:05:46 anybody have any questions?
15:05:56 if not i'll move on to the next topic on the agenda
15:06:31 #topic Virtual PTG
15:07:19 i'll send a message to the mailing list about this after the meeting, but just wanted to give anyone interested a heads up that i signed the security sig up for the virtual openinfra ptg in march
15:07:30 #link Virtual PTG March 27-31 https://openinfra.dev/ptg
15:07:46 please remember to register if you plan to participate in the ptg
15:08:18 we can brainstorm discussion topics in an etherpad and then use that same pad to take notes during our discussions
15:09:11 #link Brainstorming topics https://etherpad.opendev.org/p/mar2023-ptg-openstack-security
15:09:36 anybody have any questions related to the ptg?
15:10:24 #topic Recent OSSAs
15:10:57 as most of you are no doubt aware, the vmt published two ossas earlier this month
15:11:10 #link Arbitrary file access through custom S3 XML entities https://security.openstack.org/ossa/OSSA-2023-001.html
15:11:21 #link Arbitrary file access through custom VMDK flat descriptor https://security.openstack.org/ossa/OSSA-2023-002.html
15:13:31 given these were higher-severity bugs which got fixes developed under our embargoed report process, and the first advisories we've published since 2021-09-09, it seems to have generated renewed interest in our processes
15:14:01 i've been contacted by a bunch of organizations requesting addition to our advance notification list, which is great
15:15:09 just a reminder, if you've got a reason to need advance copies of embargoed patches, please reach out
15:15:27 #link Downstream stakeholders https://security.openstack.org/vmt-process.html#downstream-stakeholders
15:15:48 does anyone have any questions or comments about the recent advisories?
15:16:03 or regarding our vulnerability management process more generally?
15:18:46 #topic Newly public bug reports
15:19:54 after feedback from horizon security reviewers, i switched this one to public and marked it as a duplicate
15:20:22 #link CVE-2019-10768 in Angular libs < 1.7.9 https://launchpad.net/bugs/1997545 duplicate of https://launchpad.net/bugs/1955556
15:21:06 that's the omnibus report about outdated js libs
15:21:41 anybody have anything to add on that? or about other public bugs?
15:22:47 #topic Anything else?
15:23:07 i'll leave discussion open for the next 7 minutes in case anyone has something to bring up
15:24:06 i'm still planning to push readme updates to horizon's xstatic packages warning users and package maintainers about the state of their embedded javascript and discouraging use directly in production
15:29:42 #info Please remember to fill out the surveys in the ML post linked earlier so we can find a better time when people will be able to participate
15:30:01 #endmeeting