[Bug 1422046] Re: cinder backup-list is always listing all tenants's bug for admin

2015-11-10 Thread Jeremy Stanley
Correct, we consider that latter case a "security hardening opportunity" and I'm triaging this report as one now (class D in our taxonomy https://security.openstack.org/vmt-process.html#incident-report-taxonomy ). Depending on severity and available time from editors in the Security Team, these

[Bug 1422046] Re: cinder backup-list is always listing all tenants's bug for admin

2015-11-09 Thread Jeremy Stanley
It looks like bug 1514396 has been opened for the same issue in the V1 API. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to python-cinderclient in Ubuntu. https://bugs.launchpad.net/bugs/1422046 Title: cinder backup-list is always

[Bug 1422046] Re: cinder backup-list is always listing all tenants's bug for admin

2015-11-09 Thread Jeremy Stanley
Sounds like we're agreed that this report concerns a serious bug with security implications (insofar as any means of accidentally destroying your environment is), but is not an exploitable vulnerability, does not need a CVE assignment requested by the VMT and won't lead to any official security

[Bug 1422046] Re: cinder backup-list is always listing all tenants's bug for admin

2015-11-09 Thread Jeremy Stanley
While I agree there is a non-negligible risk presented by this behavior, I don't see how a malicious actor could use this flaw to their advantage. As such, it doesn't seem like something for which the OpenStack Vulnerability Management Team would issue an official security advisory. -- You

[Bug 1422046] Re: cinder backup-list is always listing all tenants's bug for admin

2015-10-27 Thread Jeremy Stanley
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions. ** Also affects: ossa

[Bug 832507] Re: console.log grows indefinitely

2015-01-14 Thread Jeremy Stanley
It's now (UTC) Thursday. ** Changed in: ossa Status: Incomplete => Won't Fix ** Tags added: security ** Information type changed from Public Security to Public -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nova in Ubuntu.

[Bug 832507] Re: console.log grows indefinitely

2015-01-12 Thread Jeremy Stanley
Agreed, this is class C2 (a vulnerability in some dependency, not in OpenStack code, and so nothing we're going to fix with a patch to OpenStack security supported projects nor anything for which we should issue a security advisory). If there are no disagreements, I'll switch this to a regular

[Bug 832507] Re: console.log grows indefinitely

2014-12-06 Thread Jeremy Stanley
** Changed in: ossa Assignee: hzxiongwenwu (xwwzzy) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nova in Ubuntu. https://bugs.launchpad.net/bugs/832507 Title: console.log grows indefinitely To manage

[Bug 1379201] Re: openvswitch-datapath-dkms 1.4.6-0ubuntu1.12.04.3: openvswitch kernel module failed to build

2014-10-09 Thread Jeremy Stanley
** Also affects: neutron Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openvswitch in Ubuntu. https://bugs.launchpad.net/bugs/1379201 Title: openvswitch-datapath-dkms

[Bug 1284718] Re: interface-attach to external network a) works and b) results in undeletable instances

2014-04-03 Thread Jeremy Stanley
Seems there's consensus that this is not an exploitable vulnerability. Also, the bug was originally, even if only very briefly, public when it was first opened (thus broader exposure has already compromised any effective embargo). ** Changed in: ossa Status: Incomplete => Invalid **