On Tue, Nov 6, 2018 at 2:04 PM Julia Kreger
wrote:
>
>
> On Tue, Nov 6, 2018 at 5:07 AM Doug Hellmann
> wrote:
>
>> Sean McGinnis writes:
>>
>> > I'm interested in some feedback from the community, particularly those
>> > running
>> > OpenStack deployments, as to whether FIPS compliance [0][1]
On Mon, 30 Jul 2018, 21:19 Jeremy Stanley, wrote:
> On 2018-07-30 15:23:57 +0700 (+0700), Luke Hinds wrote:
> > Security is a SIG and no longer a project (changed as of rocky cycle).
>
> Technically it's still both at the moment, which is why I proposed
> https://review.op
Hi,
Security is a SIG and no longer a project (changed as of rocky cycle).
Regards
Luke
On Mon, 30 Jul 2018, 08:36 Tony Breeds, wrote:
> Hello all,
>
> A quick reminder that we are in the last hours for PTL candidate
> nominations.
>
> If you want to stand for PTL, don't delay, follow the
I can
send out a correction to the lists.
>
>
>>
>> On Tue, Jul 10, 2018 at 10:41 AM Jim Rollenhagen
>> wrote:
>>
>>> On Tue, Jul 10, 2018 at 4:20 AM, Luke Hinds wrote:
>>>
>>>> Data retained after deletion of a ScaleIO volume
Data retained after deletion of a ScaleIO volume
---
### Summary ###
Certain storage volume configurations allow newly created volumes to
contain previous data. This could lead to leakage of sensitive
information between tenants.
### Affected Services / Software ###
Cinder releases up to and
On Thu, Jul 5, 2018 at 6:17 PM, Doug Hellmann wrote:
> Excerpts from Jim Rollenhagen's message of 2018-07-05 12:53:34 -0400:
> > On Thu, Jul 5, 2018 at 12:40 PM, Nishant Kumar E <
> > nishant.e.ku...@ericsson.com> wrote:
> >
> > > Hi,
> > >
> > >
> > >
> > > I have registered a blueprint for
On Tue, Jun 5, 2018 at 3:44 PM, Cédric Jeanneret
wrote:
> Hello guys!
>
> I'm currently working on python-tripleoclient in order to squash the
> dreadful "NOPASSWD:ALL" allowed to the "stack" user.
>
> The start was an issue with the rights on some files being wrong (owner
> by root instead of
On Tue, May 22, 2018 at 8:24 AM, Cédric Jeanneret <cjean...@redhat.com>
wrote:
>
>
> On 05/22/2018 09:08 AM, Luke Hinds wrote:
> >
> >
> > On Tue, May 22, 2018 at 5:27 AM, Cédric Jeanneret <cjean...@redhat.com
> > <mailto:cjean...@redhat.com>>
On Tue, May 22, 2018 at 5:27 AM, Cédric Jeanneret <cjean...@redhat.com>
wrote:
>
>
> On 05/21/2018 03:49 PM, Luke Hinds wrote:
> > A few operators have requested if it's possible to limit sudo's coverage
> > on both the under / overcloud. There is concern over `ALL=(ALL
n-security
[1] https://gist.github.com/lukehinds/4cdb1bf4de526a049c51f05698b8b04f
--
Luke Hinds
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subj
Keystone policy rule "identity:get_identity_providers" was ignored
---
### Summary ###
A policy rule in Keystone did not behave as intended leading to a less
secure configuration than would be expected.
### Affected Services / Software ###
OpenStack Identity Service (Keystone) versions through
All,
Please note that Bandits code and issues / docs will be migrated from
OpenStack to PyCQA.
This is expected to happen next week.
No changes are required in any projects or CI, as Bandit will still be
available via pypi and projects / CI are set up to use Bandit in that way
via tox.
READMEs
of including Ian on replies, who may not be subscribed
to the -dev list.
--
Luke Hinds
g as well.
>
> On Wed, Mar 14, 2018 at 1:35 PM, Luke Hinds <lhi...@redhat.com> wrote:
>
>> Hello,
>>
>> Something has come up that determines I won't be able to attend the
>> meeting tomorrow and more importantly chair it.
>>
>> However I would not w
Hello,
Something has come up that determines I won't be able to attend the meeting
tomorrow and more importantly chair it.
However I would not want to be a bottleneck to good progress underway.
If someone would like to step up and chair for just this meeting, the
agenda is below:
On Tue, Mar 6, 2018 at 1:37 PM, Jeremy Stanley wrote:
> On 2018-03-06 14:40:53 +0200 (+0200), Juan Antonio Osorio wrote:
> > As mentioned in the PTG, I would like to start a Security Squad
> > for TripleO, with the goal of working with the security aspects
> > and challenges
Hi All,
As agreed during the PTG, we will switch Thursdays meetings from 17:00 UTC,
to 15:00 UTC.
--
Luke
contributors / feedback etc. We did this with projects such
as Bandit before, until it found its own legs and momentum.
Cheers,
Luke
On Mon, Feb 12, 2018 at 8:45 AM, Luke Hinds <lhi...@redhat.com> wrote:
>
>
> On Sun, Feb 11, 2018 at 4:01 PM, Pino de Candia <
> giuseppe.deca
>>> [1] https://docs.google.com/spreadsheets/d/
>>> 1J2MRdVQzSyakz9HgTHfwYPe49PaoTypX66eNURsopQY/edit?usp=sharing
>>>
>>>
>>>
>>>
On Sat, Feb 24, 2018 at 12:15 AM, Emilien Macchi <emil...@redhat.com> wrote:
>
>
> On Fri, Feb 23, 2018 at 10:28 AM, Juan Antonio Osorio <jaosor...@gmail.com
> > wrote:
>
>> Could we change the Security talk to a day before Friday (both Thursday
>> and Wedn
>>
>> On Tue, Feb 6, 2018 at 10:52 AM, Giuseppe de Candia <
>> giuseppe.decan...@gmail.com> wrote:
>>
>>> Hi Luke,
>>>
>>> Fantastic! An hour would be great if the schedule allows - there are
>>> lots of different aspects we can dive into
On Wed, Feb 7, 2018 at 4:23 PM, Matthew Thode
wrote:
> Hi all,
>
> it looks like some of your projects may need to cut a queens
> branch/release. Is there anything we can do to move it along?
>
> The following is the list I'm working off of (will be updated as
>
ore time for presenting and post discussion?
We will be meeting in an allocated room on Monday (details to follow).
https://etherpad.openstack.org/p/security-ptg-rocky
Luke
>
>
> On Wed, Jan 31, 2018 at 12:03 PM, Luke Hinds <lhi...@redhat.com> wrote:
>
>>
>> On Mo
On Mon, Feb 5, 2018 at 3:07 PM, Thierry Carrez <thie...@openstack.org>
wrote:
> Luke Hinds wrote:
> > I had been monitoring for PTG room allocations, but I missed this email
> > which was the important one.
> >
> > The security SIG plans to meet at the PTG to
On Tue, Jan 30, 2018 at 2:11 PM, Thierry Carrez
wrote:
> Thierry Carrez wrote:
> > Here is the proposed pre-allocated track schedule for the Dublin PTG:
> >
> > https://docs.google.com/spreadsheets/d/e/2PACX-1vRmqAAQZA1rIzlNJpVp-X60-
>
On Mon, Jan 29, 2018 at 2:29 PM, Adam Young <ayo...@redhat.com> wrote:
> Bug 968696 and System Roles. Needs to be addressed across the Service
> catalog.
>
Thanks Adam, will add it to the list. I see it's been open since 2012!
>
> On Mon, Jan 29, 2018 at 7:3
at 3:33 PM, Luke Hinds <lhi...@redhat.com> wrote:
> Hello All,
>
> I am seeking topics for the PTG from all projects, as this will be where
> we try out our new form of being a SIG.
>
> For this PTG, we hope to facilitate more cross project collaboration
> topics now th
Hello,
I won't be able to attend the security project meeting today, and as there
are no hot topics I suggest we postpone until next week (if there are, then
feel free to #startmeeting and I will catch up tomorrow through meetbot
logs).
Cheers,
Luke
On Mon, Jan 15, 2018 at 5:04 PM, Kendall Nelson
wrote:
> Election details: https://governance.openstack.org/election/
>
> Please read the stipulations and timelines for candidates and electorate
> contained in this governance documentation.
>
> Be aware, in the PTL
do use the security SIG room where a larger audience
may be present to help solve problems and gain x-project consensus.
Please see our PTG planning pad [0] where I encourage you to add to the
topics.
[0] https://etherpad.openstack.org/p/security-ptg-rocky
--
Luke Hinds
Security Project PTL
Hi All,
Following on from the mailing list discussion [0], we now plan to change
the Security Project into a Special Interest Group (The Security SIG).
SIGs are a good match for an activity that centers around a topic or
practice that spans all the community (developers, operators, end
On Sat, Nov 18, 2017 at 8:34 PM, Jeremy Stanley <fu...@yuggoth.org> wrote:
> On 2017-11-03 07:49:05 +0000 (+0000), Luke Hinds wrote:
> [...]
> > One thing came to mind on Jeremy's points around the VMT, is
> > OSSN's
> >
> > We often get a workflow where Sec-Co
This will need the VMT's attention, so please raise as an issue on
launchpad and we can tag it as for the vmt members as a possible OSSA.
Apologies for top post, replying from phone.
On 17 Nov 2017 12:34 pm, "Adam Heczko" wrote:
> Thanks TommyLike for this bug report.
On Mon, Oct 30, 2017 at 1:53 PM, Thierry Carrez <thie...@openstack.org>
wrote:
> Luke Hinds wrote:
> > On Fri, Oct 27, 2017 at 6:08 PM, Jeremy Stanley <fu...@yuggoth.org
> > <mailto:fu...@yuggoth.org>> wrote:
> >
> >> On 2017-10-27 15:30:34 +0200 (+
On Fri, Oct 27, 2017 at 6:08 PM, Jeremy Stanley wrote:
> On 2017-10-27 15:30:34 +0200 (+0200), Thierry Carrez wrote:
> [...]
> > I think the Security project team would benefit from becoming a
> > proper SIG.
> [...]
>
> I tend to agree, though it's worth also considering what
--
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483
On Thu, Oct 5, 2017 at 11:37 PM, Mike Perez wrote:
> On 15:27 Oct 05, Mike Perez wrote:
> > On 02:59 Oct 05, Puneet Jain wrote:
> > > Hello all,
> > >
> > > I am a graduate student and have intermediate knowledge and huge in
> cloud
> > > computing. I am looking for a project
###
Operators should update the dnsmasq service using the affected nodes
operating systems packaging tools to version 2.78 and later, or a
distribution packaged version that contains relevant backports for these
vulnerabilities.
### Contacts / References ###
Author: Luke Hinds <lhi...@redhat.com>
Thi
On Tue, Oct 3, 2017 at 11:00 PM, Giuseppe de Candia <
giuseppe.decan...@gmail.com> wrote:
> Hi Folks,
>
>
> Are there any documented conventions regarding the security model for
> MetaData?
>
>
> Note that CloudInit allows passing user and ssh service public/private
> keys via MetaData service
On Fri, Sep 29, 2017 at 5:31 PM, Jay Pipes <jaypi...@gmail.com> wrote:
> On 09/29/2017 06:19 AM, Luke Hinds wrote:
>
>> On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott <
>> scott.mcclym...@verizonwireless.com <mailto:scott.mcclymont@verizo
>> nwir
On Fri, Sep 29, 2017 at 2:40 AM, Clark Boylan wrote:
> On Wed, Sep 27, 2017, at 03:24 PM, Monty Taylor wrote:
> > Hey everybody,
> >
> > We're there. It's ready.
> >
> > We've worked through all of the migration script issues and are happy
> > with the results. The cutover
On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott <
scott.mcclym...@verizonwireless.com> wrote:
> Hey All,
>
> I've got a spec up for a change I want to implement in Glance for Queens
> to enhance the current checksum (md5) functionality with a stronger hash
> algorithm. I'm going to do this
On Fri, Sep 29, 2017 at 3:08 AM, Brian Rosmaita
wrote:
> Hello API WG,
>
> I've got a patch up for a proposal to fix OSSN-0075 by introducing a
> new policy. There are concerns that this will introduce an
> interoperability problem in that an API call that works in
that operators upgrade to the Pike release where all
future passwords would be bcrypt hashed.
Operators should also force password changes on all users [1], which
will result in the users newly generated passwords being bcrypt hashed.
### Contacts / References ###
Author: Luke Hinds <lhi...@redhat.com>
Mascena de Sousa Filho <
rmasc...@redhat.com> wrote:
> Hi Luke,
>
> I'll definitely be there, sounds like a great idea, so we can clarify a
> lot of topics and make progress in the community together.
>
> Cheers,
>
>
> On Thu, Aug 17, 2017 at 5:52 AM Luke Hinds <lhi.
r, Red Hat
Author: Luke Hinds, Red Hat
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12440
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0080
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1649333
OpenStack Security Project : https://launchpad.net/~open
Hi Raildo,
Both Barbican and Security have an interest in custodia and we have it
marked down as a topic / discussion point for the PTG [1]
Would you be interested / willing to join the Barbican room on Thurs / Fri
and propose a walk through / overview etc?
[1]
Hi,
It was decided that the Security Project meeting would not be held next
week, and will instead reconvene on the 17th of August.
Regards,
Luke
On Tue, Aug 1, 2017 at 5:28 PM, Dave McCowan (dmccowan) <dmcco...@cisco.com>
wrote:
>
>
> On 8/1/17, 12:21 PM, "Thierry Carrez" <thie...@openstack.org> wrote:
>
> >Luke Hinds wrote:
> >> Thanks Dave, I will let Kendall know that we can free up t
it as vital to keep the security
project afloat, as operators rely so much on the project for
guidance on securing OpenStack clouds.
Regards,
Luke Hinds (lhinds)
On Tue, Aug 1, 2017 at 2:50 PM, Dave McCowan (dmccowan)
wrote:
>
> Hello Barbican Team,
>
> I believe there were some discussions on room sharing between the security
> project and barbican team.
>
> We are still keen on this in the security project. How would you like to
>
Hello Barbican Team,
I believe there were some discussions on room sharing between the security
project and barbican team.
We are still keen on this in the security project. How would you like to
work out logistics?
Should we share PTG planning etherpads?
We have 4 days between us, not sure if
running qemu version 2.6 or
later, and libvirt version 2.2 or later, are not vulnerable.
No change is required in Nova or Ceph to resolve this issue.
### Contacts / References ###
Author: Luke Hinds, Red Hat
https://access.redhat.com/security/cve/CVE-2015-5160
This OSSN : https://wiki.openstack.org/wiki
On Fri, Jul 7, 2017 at 10:17 PM, James Slagle <james.sla...@gmail.com>
wrote:
> On Fri, Jul 7, 2017 at 5:00 PM, Luke Hinds <lhi...@redhat.com> wrote:
> > I can't offer much in-depth feedback on the pros and cons of each
> scenario.
> > My main point would be to try
On Fri, Jul 7, 2017 at 6:50 PM, James Slagle wrote:
> I proposed a session for the PTG
> (https://etherpad.openstack.org/p/tripleo-ptg-queens) about forming a
> common plan and vision around Ansible in TripleO.
>
> I think it's important however that we kick this
On Thu, May 4, 2017 at 12:37 PM, Rob C wrote:
> Hi All,
>
> I won't be able to make today's meeting as I'm travelling.
>
> I've not found a chair to cover the meeting, please decide if you have a
> quorum and either proceed or go back to "real life" as you see fit.
>
> Cheers
On Wed, Mar 29, 2017 at 10:42 PM, Steven Hardy wrote:
> On Tue, Mar 28, 2017 at 12:09:43PM -0400, Emilien Macchi wrote:
> > Bringing an old topic on the table.
> >
> > We might have noticed:
> >
> > 1. Some tripleo-specs take huge amount of time before getting merged
> > (or
On Wed, Mar 22, 2017 at 12:06 PM, Ian Cordasco
wrote:
> Hi everyone,
>
> Friday 24 March 2017 will be my last day working on OpenStack. I'll remove
> myself from teams (glance, craton, security, hacking) on Friday and
> unsubscribe
> from the OpenStack mailing lists.
>
>
.
Existing deployments can limit policy on `copy_from` by restricting use
to `admin` within `policy.json` as follows:
"copy_from": "role:admin"
### Contacts / References ###
Author: Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0078
Original L
On Sat, Mar 4, 2017 at 6:13 PM, Andre Florath wrote:
> Hello!
>
> Thanks Greg for sharing your thoughts. The idea of splitting off DIB
> from OpenStack is new for me, therefore I collect some pros and
> cons:
>
> Stay in OpenStack:
>
> + Use available OpenStack infrastructure
Users of Glance may be able to replace active image data
---
### Summary ###
When Glance has been configured with the "show_multiple_locations"
option enabled with default policy for set and delete locations, it is
possible for a non-admin user having write access to the image metadata
to replace
On Tue, Jan 17, 2017 at 10:11 AM, Yolanda Robla Mota
wrote:
> Hi, in previous threads, there have been discussions about enabling FIPS,
> and the problems we are hitting with md5 inside OpenStack:
> http://lists.openstack.org/pipermail/openstack-dev/2016-
>
OpenStack Security Note: 0074
Nova metadata service should not be used for sensitive information
---
### Summary ###
A recent security report has highlighted how users may be using the
metadata service to store security sensitive information.
The Nova metadata service should not be considered
On Fri, Nov 18, 2016 at 3:04 PM, Jeremy Stanley <fu...@yuggoth.org> wrote:
> On 2016-11-18 14:38:22 +0000 (+0000), Luke Hinds wrote:
> [...]
> > I proposed raising bugs on launchpad for each instance discovered, so
> that
> > if anything, we at least have an idea o
On Fri, Nov 18, 2016 at 4:14 PM, Dean Troyer <dtro...@gmail.com> wrote:
> > -----Original Message-----
> > From: Luke Hinds <lhi...@redhat.com>
> [...]
> >> for non security related functions, but when it comes to government
> >> compliance and running
n irc) is whether pycrypto (or if we move to
> > > > > > cryptography) provide FIPS-140-2 compliance.
> > > > >
> > > > > My understanding is that if you need, for example, a FIPS-compliant
> > > > > AES implementation under the hood, then this i
OSSN previously incorrectly stated that the fix was back ported to
Liberty release. This is not the case and the fix was applied only to
Mitaka.
### Contacts / References ###
Author: Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0066
Original LaunchPad Bug : https://bug
shboard.html
> The Django docs are probably your best bet for information: https://docs.
> djangoproject.com/en/1.10/topics/security/#ssl-https
>
> Rob
>
> On 9 November 2016 at 13:23, Luke Hinds <lhi...@redhat.com> wrote:
>
>> Hi,
>>
>> I have noted that USE_S
Hi,
I have noted that USE_SSL is no longer in local_settings.py
I have not had any luck in having google find the background of why this
was removed for first django (if it has?) and horizon.
From what I can see, it seems related to django views.
Does anyone understand the context of this
to the role admin only, amend
`/etc/glance/policy.json` accordingly.
"add_image": "role:admin",
### Contacts / References ###
Author: Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0076
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+b
is applies to all MongoDB clusters, and requires a
restart of the trove-api service to change, and cannot be toggled on
running clusters.
### Contacts / References ###
Author: Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0066
Original LaunchPad Bug : https://bugs.lau
Deleted Glance image IDs may be reassigned
---
### Summary ###
It is possible for image IDs from deleted images to be reassigned to
other images. This creates the possibility that:
- Alice creates a VM that boots from image ID X which has been shared
with her by a trusted party, Bob.
- Bob
Horizon dashboard leaks internal information through cookies
---
### Summary ###
When horizon is configured, its URL contains the IP address of
the internal URL of keystone, as the default value for the identity
service is "internalURL".[1]
The cookie "login_region" will be set to the value
/ References ###
Author: Vinay Potluri, Intel & Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0069
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1534652
This issue was referenced in https://bugs.launchpad.net/Neutron/+bug/1459856
Related issue addre
On Sun, Sep 4, 2016 at 7:44 PM, Turbo Fredriksson wrote:
> On Sep 4, 2016, at 7:25 PM, Karishma Sharma wrote:
>
> > Is it DevStack that I need to build or something else?
>
> _Personally_ I prefer to learn the hard way. That is, install the
> package(s) and configure them
Bandit versions lower than 1.1.0 do not escape HTML in issue reports
---
### Summary ###
Bandit versions lower than 1.1.0 have a bug in the HTML report formatter
that does not escape HTML in issue context snippets. This could lead to
an XSS if HTML reports are hosted as part of a CI pipeline.
ity #
https://www.modsecurity.org/
### Contacts / References ###
Author: Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0068
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1553324
OpenStack Security ML : openstack-secur...@lists.openstack.org
OpenStack Se