Thanks Matt, Michael,

To start with, let's look quickly at the more recent OSSNs that are marked as 
work in progress, namely 63, 64, 65 and 66 – these should all be published within 
a week or so.

Looking further back, we have the more difficult OSSNs 50 and 51; I’m not 100% 
sure what the blockers are on these. I believe 
https://wiki.openstack.org/wiki/OSSN/OSSN-0056 may supersede OSSN-0051 and is 
rooted in bug https://bugs.launchpad.net/ossn/+bug/1435530 - it looks to me 
like OSSN-0056 was written during a mid-cycle and could be the right one.

I’m struggling to work out the story behind OSSN-0050 – I’m adding Nathan 
Kinder who might be able to shed more light on this.

-Rob



From: Michael Xin [mailto:michael....@rackspace.com]
Sent: 11 April 2016 15:28
To: Matt Fischer; OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

Matt:
Thanks for asking this. I forwarded this email to the new email list so that 
folks with better knowledge can answer this.


Thanks and have a great day.

Yours,
Michael



From: Matt Fischer <m...@mattfischer.com>
Date: Monday, April 11, 2016 at 9:19 AM
To: "openstack-secur...@lists.openstack.org" <openstack-secur...@lists.openstack.org>
Subject: [Openstack-security] abandoned OSSNs?

Some folks from our security team here asked me to assure them that our 
services were patched for all the OSSNs that are listed here: 
https://wiki.openstack.org/wiki/Security_Notes

Most of these are straightforward, but there are some OSSNs that have been 
allocated an ID but then abandoned. There is no detailed wiki page and my best 
Google efforts lead me to a possible IRC mention and maybe an abandoned review. 
The two specifically are OSSN-50/51.

So what am I to do with an "abandoned" OSSN? Has it been decided that there is 
no issue anymore? These are pretty old if I look at the dates framing the other 
OSSNs (49/52), so I assume they aren't urgent. Can we ignore these? They sound 
somewhat scary, for example, "keystonemiddleware can allow access after token 
revocation" but I have no means to say whether it affects us or how we can 
mitigate without more info.

Thoughts?