Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

2016-04-11 Thread Matt Fischer
Thanks Michael,

I'm following the thread and I've asked Thierry for this tag to be
subscribable here if we're not using openstack-security anymore so that I
can receive the follow-ups.



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

2016-04-11 Thread Dave Walker
Hi,

I believe 50 and 51 were both assigned to me.  They were closely linked,
but separate issues.

I wrote 50 up here:
https://review.openstack.org/#/c/200303/2

After discussion in a security meeting, my memory is that it was agreed
that they probably weren't required.

I'd have to pull out the meeting log to be certain, but I'd also continue
them if the mood has now changed.

--
Kind Regards,
Dave Walker

On 11 Apr 2016 16:06, "Clark, Robert Graham" <robert.cl...@hpe.com> wrote:
>
> Thanks Matt, Michael,
>
>
>
> To start with, let's look quickly at the more recent OSSNs that are marked
as work in progress, namely 63,64,65 and 66 – these should all be published
within a week or so.
>
>
>
> Looking further back we have the more difficult OSSNs 50 and 51, I’m not
100% sure what the blockers are on these.  I believe
https://wiki.openstack.org/wiki/OSSN/OSSN-0056 may supersede OSSN-0051 and
is rooted in bug https://bugs.launchpad.net/ossn/+bug/1435530 - it looks to
me like OSSN-0056 was written during a mid-cycle and could be the right one.
>
>
>
> I’m struggling to work out the story behind OSSN-0050 – I’m adding Nathan
Kinder who might be able to shed more light on this.
>
>
>
> -Rob


Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

2016-04-11 Thread Nathan Kinder


On 04/11/2016 08:04 AM, Clark, Robert Graham wrote:
> Thanks Matt, Michael,
> 
>  
> 
> To start with, let's look quickly at the more recent OSSNs that are
> marked as work in progress, namely 63,64,65 and 66 – these should all be
> published within a week or so.
> 
>  
> 
> Looking further back we have the more difficult OSSNs 50 and 51, I’m not
> 100% sure what the blockers are on these.  I believe
> https://wiki.openstack.org/wiki/OSSN/OSSN-0056 may supersede OSSN-0051
> and is rooted in bug https://bugs.launchpad.net/ossn/+bug/1435530 - it
> looks to me like OSSN-0056 was written during a mid-cycle and could be
> the right one.
> 
>  
> 
> I’m struggling to work out the story behind OSSN-0050 – I’m adding
> Nathan Kinder who might be able to shed more light on this.

It looks like that one was added to the wiki by 'Davewalker' in this
revision:


https://wiki.openstack.org/w/index.php?title=Security_Notes=next=85312

I searched all open and closed OSSN bugs, and did not see one that
matches this issue.

-NGK



Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

2016-04-11 Thread Clark, Robert Graham
Thanks Matt, Michael,

To start with, let's look quickly at the more recent OSSNs that are marked as 
work in progress, namely 63,64,65 and 66 – these should all be published within 
a week or so.

Looking further back we have the more difficult OSSNs 50 and 51, I’m not 100% 
sure what the blockers are on these.  I believe 
https://wiki.openstack.org/wiki/OSSN/OSSN-0056 may supersede OSSN-0051 and is 
rooted in bug https://bugs.launchpad.net/ossn/+bug/1435530 - it looks to me 
like OSSN-0056 was written during a mid-cycle and could be the right one.

I’m struggling to work out the story behind OSSN-0050 – I’m adding Nathan 
Kinder who might be able to shed more light on this.

-Rob





Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

2016-04-11 Thread Michael Xin
Matt:
Thanks for asking this. I forwarded this email to the new email list so that 
folks with better knowledge can answer this.


Thanks and have a great day.

Yours,
Michael


-
Michael Xin | Manager, Security Engineering - US
Product Security | Rackspace Hosting
Office #: 501-7341   or  210-312-7341
Mobile #: 210-284-8674
5000 Walzem Road, San Antonio, Tx 78218

Experience fanatical support

From: Matt Fischer
Date: Monday, April 11, 2016 at 9:19 AM
To: "openstack-secur...@lists.openstack.org"
Subject: [Openstack-security] abandoned OSSNs?

Some folks from our security team here asked me to assure them that our 
services were patched for all the OSSNs that are listed here: 
https://wiki.openstack.org/wiki/Security_Notes

Most of these are straight-forward, but there are some OSSNs that have been 
allocated an ID but then abandoned. There is no detailed wiki page and my best 
google efforts lead me to a possible IRC mention and maybe an abandoned review. 
The two specifically are OSSN-50/51.

So what am I to do with an "abandoned" OSSN? Has it been decided that there is 
no issue anymore? These are pretty old if I look at the dates framing the other 
OSSNs (49/52), so I assume they aren't urgent. Can we ignore these? They sound 
somewhat scary, for example, "keystonemiddleware can allow access after token 
revocation" but I have no means to say whether it affects us or how we can 
mitigate without more info.

Thoughts?
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev