Re: [openstack-dev] [Openstack-operators] FIPS Compliance

2018-11-06 Thread Luke Hinds
On Tue, Nov 6, 2018 at 2:04 PM Julia Kreger wrote: > > > On Tue, Nov 6, 2018 at 5:07 AM Doug Hellmann > wrote: > >> Sean McGinnis writes: >> >> > I'm interested in some feedback from the community, particularly those >> running >> > OpenStack deployments, as to whether FIPS compliance [0][1]

Re: [openstack-dev] [all][Election] Last days for PTL nomination

2018-07-30 Thread Luke Hinds
On Mon, 30 Jul 2018, 21:19 Jeremy Stanley, wrote: > On 2018-07-30 15:23:57 +0700 (+0700), Luke Hinds wrote: > > Security is a SIG and no longer a project (changed as of rocky cycle). > > Technically it's still both at the moment, which is why I proposed > https://review.op

Re: [openstack-dev] [all][Election] Last days for PTL nomination

2018-07-30 Thread Luke Hinds
Hi, Security is a SIG and no longer a project (changed as of rocky cycle). Regards Luke On Mon, 30 Jul 2018, 08:36 Tony Breeds, wrote: > Hello all, > > A quick reminder that we are in the last hours for PTL candidate > nominations. > > If you want to stand for PTL, don't delay, follow the

Re: [openstack-dev] [OSSN-0084] Data retained after deletion of a ScaleIO volume

2018-07-11 Thread Luke Hinds
I can send out a correction to the lists. > > >> >> On Tue, Jul 10, 2018 at 10:41 AM Jim Rollenhagen >> wrote: >> >>> On Tue, Jul 10, 2018 at 4:20 AM, Luke Hinds wrote: >>> >>>> Data retained after deletion of a ScaleIO volume

[Openstack] [OSSN-0084] Data retained after deletion of a ScaleIO volume

2018-07-10 Thread Luke Hinds
Data retained after deletion of a ScaleIO volume --- ### Summary ### Certain storage volume configurations allow newly created volumes to contain previous data. This could lead to leakage of sensitive information between tenants. ### Affected Services / Software ### Cinder releases up to and

[openstack-dev] [OSSN-0084] Data retained after deletion of a ScaleIO volume

2018-07-10 Thread Luke Hinds
Data retained after deletion of a ScaleIO volume --- ### Summary ### Certain storage volume configurations allow newly created volumes to contain previous data. This could lead to leakage of sensitive information between tenants. ### Affected Services / Software ### Cinder releases up to and

Re: [openstack-dev] [cinder][security][api-wg] Adding http security headers

2018-07-06 Thread Luke Hinds
On Thu, Jul 5, 2018 at 6:17 PM, Doug Hellmann wrote: > Excerpts from Jim Rollenhagen's message of 2018-07-05 12:53:34 -0400: > > On Thu, Jul 5, 2018 at 12:40 PM, Nishant Kumar E < > > nishant.e.ku...@ericsson.com> wrote: > > > > > Hi, > > > > > > > > > > > > I have registered a blueprint for

Re: [openstack-dev] [tripleo][tripleoclient] No more global sudo for "stack" on the undercloud

2018-06-05 Thread Luke Hinds
On Tue, Jun 5, 2018 at 3:44 PM, Cédric Jeanneret wrote: > Hello guys! > > I'm currently working on python-tripleoclient in order to squash the > dreadful "NOPASSWD:ALL" allowed to the "stack" user. > > The start was an issue with the rights on some files being wrong (owner > by root instead of

Re: [openstack-dev] [tripleo] Limiting sudo coverage of heat-admin / stack and other users.

2018-05-22 Thread Luke Hinds
On Tue, May 22, 2018 at 8:24 AM, Cédric Jeanneret <cjean...@redhat.com> wrote: > > > On 05/22/2018 09:08 AM, Luke Hinds wrote: > > > > > > On Tue, May 22, 2018 at 5:27 AM, Cédric Jeanneret <cjean...@redhat.com > > <mailto:cjean...@redhat.com>>

Re: [openstack-dev] [tripleo] Limiting sudo coverage of heat-admin / stack and other users.

2018-05-22 Thread Luke Hinds
On Tue, May 22, 2018 at 5:27 AM, Cédric Jeanneret <cjean...@redhat.com> wrote: > > > On 05/21/2018 03:49 PM, Luke Hinds wrote: > > A few operators have requested if its possible to limit sudo's coverage > > on both the under / overcloud. There is concern over `ALL=(ALL

[openstack-dev] [tripleo] Limiting sudo coverage of heat-admin / stack and other users.

2018-05-21 Thread Luke Hinds
n-security [1] https://gist.github.com/lukehinds/4cdb1bf4de526a049c51f05698b8b04f -- Luke Hinds

[Openstack] [OSSN-0083] Keystone policy rule "identity:get_identity_providers" was ignored

2018-04-24 Thread Luke Hinds
Keystone policy rule "identity:get_identity_providers" was ignored --- ### Summary ### A policy rule in Keystone did not behave as intended leading to a less secure configuration than would be expected. ### Affected Services / Software ### OpenStack Identity Service (Keystone) versions through

[openstack-dev] [OSSN-0083] Keystone policy rule "identity:get_identity_providers" was ignored

2018-04-24 Thread Luke Hinds
Keystone policy rule "identity:get_identity_providers" was ignored --- ### Summary ### A policy rule in Keystone did not behave as intended leading to a less secure configuration than would be expected. ### Affected Services / Software ### OpenStack Identity Service (Keystone) versions through

[openstack-dev] Migration of Bandit

2018-04-19 Thread Luke Hinds
All, Please note that Bandits code and issues / docs will be migrated from OpenStack to PyCQA. This is expected to happen next week. No changes are required in any projects or CI, as Bandit will still be available via pypi and projects / CI are set up to use Bandit in that way via tox. READMEs

[openstack-dev] [bandit] Migration to PyCQA

2018-04-16 Thread Luke Hinds
of including Ian on replies, who may not be subscribed to the -dev list. -- Luke Hinds

Re: [openstack-dev] [security] Tomorrow's meeting and LCOO

2018-03-14 Thread Luke Hinds
g as well. > > On Wed, Mar 14, 2018 at 1:35 PM, Luke Hinds <lhi...@redhat.com> wrote: > >> Hello, >> >> Something has come up that determines I won't be able to attend the >> meeting tomorrow and more importantly chair it. >> >> However I would not w

[openstack-dev] [security] Tomorrow's meeting and LCOO

2018-03-14 Thread Luke Hinds
Hello, Something has come up that determines I won't be able to attend the meeting tomorrow and more importantly chair it. However I would not want to be a bottleneck to good progress underway. If someone would like to step up and chair for just this meeting, the agenda is below:

Re: [openstack-dev] [tripleo] [security] Proposing Security Squad

2018-03-06 Thread Luke Hinds
On Tue, Mar 6, 2018 at 1:37 PM, Jeremy Stanley wrote: > On 2018-03-06 14:40:53 +0200 (+0200), Juan Antonio Osorio wrote: > > As mentioned in the PTG, I would like to start a Security Squad > > for TripleO, with the goal of working with the security aspects > > and challenges

[openstack-dev] [security] Security SIG Meeting Time Change

2018-03-05 Thread Luke Hinds
Hi All, As agreed during the PTG, we will switch Thursday's meetings from 17:00 UTC to 15:00 UTC. -- Luke

Re: [openstack-dev] [security] Security PTG Planning, x-project request for topics.

2018-02-28 Thread Luke Hinds
contributors / feedback etc. We did this with projects such as Bandit before, until it found its own legs and momentum. Cheers, Luke On Mon, Feb 12, 2018 at 8:45 AM, Luke Hinds <lhi...@redhat.com> wrote: > > > On Sun, Feb 11, 2018 at 4:01 PM, Pino de Candia < > giuseppe.deca

Re: [openstack-dev] [PTL][SIG][PTG]Team Photos

2018-02-27 Thread Luke Hinds
gt;>> [1] https://docs.google.com/spreadsheets/d/ >>> 1J2MRdVQzSyakz9HgTHfwYPe49PaoTypX66eNURsopQY/edit?usp=sharing >>> >>> >>> >>> > __ > OpenStack Develo

Re: [openstack-dev] [tripleo] Draft schedule for PTG

2018-02-24 Thread Luke Hinds
On Sat, Feb 24, 2018 at 12:15 AM, Emilien Macchi <emil...@redhat.com> wrote: > > > On Fri, Feb 23, 2018 at 10:28 AM, Juan Antonio Osorio <jaosor...@gmail.com > > wrote: > >> Could we change the Security talk to a day before Friday (both Thursday >> and Wedn

Re: [openstack-dev] [security] Security PTG Planning, x-project request for topics.

2018-02-12 Thread Luke Hinds
>> On Tue, Feb 6, 2018 at 10:52 AM, Giuseppe de Candia < >> giuseppe.decan...@gmail.com> wrote: >> >>> Hi Luke, >>> >>> Fantastic! An hour would be great if the schedule allows - there are >>> lots of different aspects we can dive into

Re: [openstack-dev] [OpenStackClient][Security][ec2-api][heat][horizon][ironic][kuryr][magnum][manila][masakari][neutron][senlin][shade][solum][swift][tacker][tricircle][vitrage][watcher][winstackers]

2018-02-07 Thread Luke Hinds
On Wed, Feb 7, 2018 at 4:23 PM, Matthew Thode wrote: > Hi all, > > it looks like some of your projects may need to cut a queens > branch/release. Is there anything we can do to move it along? > > The following is the list I'm working off of (will be updated as >

Re: [openstack-dev] [security] Security PTG Planning, x-project request for topics.

2018-02-06 Thread Luke Hinds
ore time for presenting and post discussion? We will be meeting in an allocated room on Monday (details to follow). https://etherpad.openstack.org/p/security-ptg-rocky Luke > > > On Wed, Jan 31, 2018 at 12:03 PM, Luke Hinds <lhi...@redhat.com> wrote: > >> >> On Mo

Re: [openstack-dev] [ptg] Dublin PTG proposed track schedule

2018-02-05 Thread Luke Hinds
On Mon, Feb 5, 2018 at 3:07 PM, Thierry Carrez <thie...@openstack.org> wrote: > Luke Hinds wrote: > > I had been monitoring for PTG room allocations, but I missed this email > > which was the important one. > > > > The security SIG plans to meet at the PTG to

Re: [openstack-dev] [ptg] Dublin PTG proposed track schedule

2018-02-05 Thread Luke Hinds
On Tue, Jan 30, 2018 at 2:11 PM, Thierry Carrez wrote: > Thierry Carrez wrote: > > Here is the proposed pre-allocated track schedule for the Dublin PTG: > > > > https://docs.google.com/spreadsheets/d/e/2PACX-1vRmqAAQZA1rIzlNJpVp-X60- >

Re: [openstack-dev] [security] Security PTG Planning, x-project request for topics.

2018-01-31 Thread Luke Hinds
On Mon, Jan 29, 2018 at 2:29 PM, Adam Young <ayo...@redhat.com> wrote: > Bug 968696 and System Roles. Needs to be addressed across the Service > catalog. > Thanks Adam, will add it to the list. I see it's been open since 2012! > > On Mon, Jan 29, 2018 at 7:3

Re: [openstack-dev] [security] Security PTG Planning, x-project request for topics.

2018-01-29 Thread Luke Hinds
at 3:33 PM, Luke Hinds <lhi...@redhat.com> wrote: > Hello All, > > I am seeking topics for the PTG from all projects, as this will be where > we try out our new form of being a SIG. > > For this PTG, we hope to facilitate more cross project collaboration > topics now th

[openstack-dev] [security] Won't be able to make today's meeting

2018-01-18 Thread Luke Hinds
Hello, I won't be able to attend the security project meeting today, and as there are no hot topics I suggest we postpone until next week (if there are, then feel free to #startmeeting and I will catch up tomorrow through meetbot logs). Cheers, Luke

Re: [openstack-dev] PTL Election Season

2018-01-15 Thread Luke Hinds
On Mon, Jan 15, 2018 at 5:04 PM, Kendall Nelson wrote: > Election details: https://governance.openstack.org/election/ > > Please read the stipulations and timelines for candidates and electorate > contained in this governance documentation. > > Be aware, in the PTL

[openstack-dev] [security] Security PTG Planning, x-project request for topics.

2018-01-11 Thread Luke Hinds
do use the security SIG room where a larger audience may be present to help solve problems and gain x-project consensus. Please see our PTG planning pad [0] where I encourage you to add to the topics. [0] https://etherpad.openstack.org/p/security-ptg-rocky -- Luke Hinds Security Project PTL

[openstack-dev] [all] [security] Security SIG

2017-12-14 Thread Luke Hinds
Hi All, Following on from the mailing list discussion [0], we now plan to change the Security Project into a Special Interest Group (The Security SIG). SIGs are a good match for an activity that centers around a topic or practice that spans all the community (developers, operators, end

Re: [openstack-dev] [security] Security SIG

2017-11-23 Thread Luke Hinds
On Sat, Nov 18, 2017 at 8:34 PM, Jeremy Stanley <fu...@yuggoth.org> wrote: > On 2017-11-03 07:49:05 + (+0000), Luke Hinds wrote: > [...] > > One thing came to mind on Jeremy's points around the VMT, is > > OSSN's > > > > We often get a workflow where Sec-Co

Re: [openstack-dev] [security] [api] Script injection issue

2017-11-17 Thread Luke Hinds
This will need the VMT's attention, so please raise as an issue on launchpad and we can tag it as for the vmt members as a possible OSSA. Apologies for top post, replying from phone. On 17 Nov 2017 12:34 pm, "Adam Heczko" wrote: > Thanks TommyLike for this bug report.

Re: [openstack-dev] [security] Security SIG

2017-11-03 Thread Luke Hinds
On Mon, Oct 30, 2017 at 1:53 PM, Thierry Carrez <thie...@openstack.org> wrote: > Luke Hinds wrote: > > On Fri, Oct 27, 2017 at 6:08 PM, Jeremy Stanley <fu...@yuggoth.org > > <mailto:fu...@yuggoth.org>> wrote: > > > >> On 2017-10-27 15:30:34 +0200 (+

Re: [openstack-dev] [security] Security SIG

2017-10-27 Thread Luke Hinds
On Fri, Oct 27, 2017 at 6:08 PM, Jeremy Stanley wrote: > On 2017-10-27 15:30:34 +0200 (+0200), Thierry Carrez wrote: > [...] > > I think the Security project team would benefit from becoming a > > proper SIG. > [...] > > I tend to agree, though it's worth also considering what

Re: [openstack-dev] Regarding Multi-Factor Authentication

2017-10-13 Thread Luke Hinds

Re: [openstack-dev] Project Ideas for Graduate Student

2017-10-06 Thread Luke Hinds
On Thu, Oct 5, 2017 at 11:37 PM, Mike Perez wrote: > On 15:27 Oct 05, Mike Perez wrote: > > On 02:59 Oct 05, Puneet Jain wrote: > > > Hello all, > > > > > > I am a graduate student and have intermediate knowledge and huge in > cloud > > > computing. I am looking for a project

[Openstack] [OSSN-0082] Heap and Stack based buffer overflows in dnsmasq prior to version 2.78

2017-10-04 Thread Luke Hinds
### Operators should update the dnsmasq service using the affected nodes' operating system packaging tools to version 2.78 or later, or a distribution-packaged version that contains the relevant backports for these vulnerabilities. ### Contacts / References ### Author: Luke Hinds <lhi...@redhat.com> Thi

[openstack-dev] [OSSN-0082] Heap and Stack based buffer overflows in dnsmasq prior to version 2.78

2017-10-04 Thread Luke Hinds
### Operators should update the dnsmasq service using the affected nodes' operating system packaging tools to version 2.78 or later, or a distribution-packaged version that contains the relevant backports for these vulnerabilities. ### Contacts / References ### Author: Luke Hinds <lhi...@redhat.com> Thi

Re: [openstack-dev] Security of Meta-Data

2017-10-04 Thread Luke Hinds
On Tue, Oct 3, 2017 at 11:00 PM, Giuseppe de Candia < giuseppe.decan...@gmail.com> wrote: > Hi Folks, > > > Are there any documented conventions regarding the security model for > MetaData? > > > Note that CloudInit allows passing user and ssh service public/private > keys via MetaData service

Re: [openstack-dev] [Glance][Security] Secure Hash Algorithm Spec

2017-09-29 Thread Luke Hinds
On Fri, Sep 29, 2017 at 5:31 PM, Jay Pipes <jaypi...@gmail.com> wrote: > On 09/29/2017 06:19 AM, Luke Hinds wrote: > >> On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott < >> scott.mcclym...@verizonwireless.com <mailto:scott.mcclymont@verizo >> nwir

Re: [openstack-dev] [all][infra] Zuul v3 migration update

2017-09-29 Thread Luke Hinds
On Fri, Sep 29, 2017 at 2:40 AM, Clark Boylan wrote: > On Wed, Sep 27, 2017, at 03:24 PM, Monty Taylor wrote: > > Hey everybody, > > > > We're there. It's ready. > > > > We've worked through all of the migration script issues and are happy > > with the results. The cutover

Re: [openstack-dev] [Glance][Security] Secure Hash Algorithm Spec

2017-09-29 Thread Luke Hinds
On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott < scott.mcclym...@verizonwireless.com> wrote: > Hey All, > > I've got a spec up for a change I want to implement in Glance for Queens > to enhance the current checksum (md5) functionality with a stronger hash > algorithm. I'm going to do this

Re: [openstack-dev] [api-wg][glance] call for comments on Glance spec for Queens

2017-09-29 Thread Luke Hinds
On Fri, Sep 29, 2017 at 3:08 AM, Brian Rosmaita wrote: > Hello API WG, > > I've got a patch up for a proposal to fix OSSN-0075 by introducing a > new policy. There are concerns that this will introduce an > interoperability problem in that an API call that works in

[Openstack] [OSSN-0081] sha512_crypt is insufficient for password hashing

2017-09-17 Thread Luke Hinds
that operators upgrade to the Pike release, where all future passwords will be bcrypt hashed. Operators should also force password changes on all users [1], which will result in the users' newly generated passwords being bcrypt hashed. ### Contacts / References ### Author: Luke Hinds <lhi...@redhat.com&

[openstack-dev] [OSSN-0081] sha512_crypt is insufficient for password hashing

2017-09-17 Thread Luke Hinds
that operators upgrade to the Pike release, where all future passwords will be bcrypt hashed. Operators should also force password changes on all users [1], which will result in the users' newly generated passwords being bcrypt hashed. ### Contacts / References ### Author: Luke Hinds <lhi...@redhat.com&

Re: [openstack-dev] [barbican] [security] custodia @ PTG

2017-08-17 Thread Luke Hinds
Mascena de Sousa Filho < rmasc...@redhat.com> wrote: > Hi Luke, > > I'll definitely be there, sounds like a great idea, so we can clarify a > lot of topics and make progress in the community together. > > Cheers, > > > On Thu, Aug 17, 2017 at 5:52 AM Luke Hinds <lhi.

[Openstack] [OSSN 0080] Aodh can be used to launder Keystone trusts

2017-08-17 Thread Luke Hinds
r, Red Hat Author: Luke Hinds, Red Hat CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12440 This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0080 Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1649333 OpenStack Security Project : https://launchpad.net/~open

[openstack-dev] [OSSN 0080] Aodh can be used to launder Keystone trusts

2017-08-17 Thread Luke Hinds
r, Red Hat Author: Luke Hinds, Red Hat CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12440 This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0080 Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1649333 OpenStack Security Project : https://launchpad.net/~open

[openstack-dev] [barbican] [security] custodia @ PTG

2017-08-17 Thread Luke Hinds
Hi Raildo, Both Barbican and Security have an interest in custodia and we have it marked down as a topic / discussion point for the PTG [1] Would you be interested / willing to join the Barbican room on Thurs / Fri and propose a walk through / overview etc? [1]

[openstack-dev] [security] Security Meeting next week

2017-08-04 Thread Luke Hinds
Hi, It was decided that the Security Project meeting would not be held next week, and will instead reconvene on the 17th of August. Regards, Luke

Re: [openstack-dev] [security][barbican] PTG room sharing

2017-08-02 Thread Luke Hinds
On Tue, Aug 1, 2017 at 5:28 PM, Dave McCowan (dmccowan) <dmcco...@cisco.com> wrote: > > > On 8/1/17, 12:21 PM, "Thierry Carrez" <thie...@openstack.org> wrote: > > >Luke Hinds wrote: > >> Thanks Dave, I will let Kendall know that we can free up t

[openstack-dev] [elections][security] Candidacy for Security Project PTL (Queens)

2017-08-01 Thread Luke Hinds
it as vital to keep the security project afloat, as operators rely so much on the project for guidance on securing OpenStack clouds. Regards, Luke Hinds (lhinds)

Re: [openstack-dev] [security][barbican] PTG room sharing

2017-08-01 Thread Luke Hinds
On Tue, Aug 1, 2017 at 2:50 PM, Dave McCowan (dmccowan) wrote: > > Hello Barbican Team, > > I believe there were some discussions on room sharing between the security > project and barbican team. > > We are still keen on this in the security project. How would you like to >

[openstack-dev] [security][barbican] PTG room sharing

2017-07-28 Thread Luke Hinds
Hello Barbican Team, I believe there were some discussions on room sharing between the security project and barbican team. We are still keen on this in the security project. How would you like to work out logistics? Should we share PTG planning etherpads? We have 4 days between us, not sure if

[openstack-dev] [OSSN-0078] Ceph credentials included in logs using older versions of libvirt/qemu

2017-07-21 Thread Luke Hinds
running qemu version 2.6 or later, and libvirt version 2.2 or later, are not vulnerable. No change is required in Nova or Ceph to resolve this issue. ### Contacts / References ### Author: Luke Hinds, Red Hat https://access.redhat.com/security/cve/CVE-2015-5160 This OSSN : https://wiki.openstack.org/wiki

Re: [openstack-dev] [TripleO] Forming our plans around Ansible

2017-07-07 Thread Luke Hinds
On Fri, Jul 7, 2017 at 10:17 PM, James Slagle <james.sla...@gmail.com> wrote: > On Fri, Jul 7, 2017 at 5:00 PM, Luke Hinds <lhi...@redhat.com> wrote: > > I can't offer much in-depth feedback on the pros and cons of each > scenario. > > My main point would be to try

Re: [openstack-dev] [TripleO] Forming our plans around Ansible

2017-07-07 Thread Luke Hinds
On Fri, Jul 7, 2017 at 6:50 PM, James Slagle wrote: > I proposed a session for the PTG > (https://etherpad.openstack.org/p/tripleo-ptg-queens) about forming a > common plan and vision around Ansible in TripleO. > > I think it's important however that we kick this

Re: [openstack-dev] [Security] Today's IRC meeting.

2017-05-04 Thread Luke Hinds
On Thu, May 4, 2017 at 12:37 PM, Rob C wrote: > Hi All, > > I won't be able to make today's meeting as I'm travelling. > > I've not found a chair to cover the meeting, please decide if you have a > quorum and either proceed or go back to "real life" as you see fit. > > Cheers

Re: [openstack-dev] [TripleO] spec-lite process for tripleo

2017-03-30 Thread Luke Hinds
On Wed, Mar 29, 2017 at 10:42 PM, Steven Hardy wrote: > On Tue, Mar 28, 2017 at 12:09:43PM -0400, Emilien Macchi wrote: > > Bringing an old topic on the table. > > > > We might have noticed: > > > > 1. Some tripleo-specs take huge amount of time before getting merged > > (or

Re: [openstack-dev] Arrivederci

2017-03-22 Thread Luke Hinds
On Wed, Mar 22, 2017 at 12:06 PM, Ian Cordasco wrote: > Hi everyone, > > Friday 24 March 2017 will be my last day working on OpenStack. I'll remove > myself from teams (glance, craton, security, hacking) on Friday and > unsubscribe > from the OpenStack mailing lists. > >

[Openstack] [OSSN-0078] copy_from in Image Service API v1 allows network port scan

2017-03-16 Thread Luke Hinds
. Existing deployments can limit policy on `copy_from` by restricting use to `admin` within `policy.json` as follows: "copy_from": "role:admin" ### Contacts / References ### Author: Luke Hinds, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0078 Original L

[openstack-dev] [OSSN-0078] copy_from in Image Service API v1 allows network port scan

2017-03-16 Thread Luke Hinds
. Existing deployments can limit policy on `copy_from` by restricting use to `admin` within `policy.json` as follows: "copy_from": "role:admin" ### Contacts / References ### Author: Luke Hinds, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0078 Original L

Re: [openstack-dev] [tripleo][diskimage-builder] Status of diskimage-builder

2017-03-06 Thread Luke Hinds
On Sat, Mar 4, 2017 at 6:13 PM, Andre Florath wrote: > Hello! > > Thanks Greg for sharing your thoughts. The idea of splitting off DIB > from OpenStack is new for me, therefore I collect some pros and > cons: > > Stay in OpenStack: > > + Use available OpenStack infrastructure

[Openstack] [OSSN 0065] Users of Glance may be able to replace active image data

2017-02-09 Thread Luke Hinds
Users of Glance may be able to replace active image data --- ### Summary ### When Glance has been configured with the "show_multiple_locations" option enabled with default policy for set and delete locations, it is possible for a non-admin user having write access to the image metadata to replace

[openstack-dev] [OSSN 0065] Users of Glance may be able to replace active image data

2017-02-09 Thread Luke Hinds
Users of Glance may be able to replace active image data --- ### Summary ### When Glance has been configured with the "show_multiple_locations" option enabled with default policy for set and delete locations, it is possible for a non-admin user having write access to the image metadata to replace

Re: [openstack-dev] [security] FIPS compliance

2017-01-17 Thread Luke Hinds
On Tue, Jan 17, 2017 at 10:11 AM, Yolanda Robla Mota wrote: > Hi, in previous threads, there have been discussions about enabling FIPS, > and the problems we are hitting with md5 inside OpenStack: > http://lists.openstack.org/pipermail/openstack-dev/2016- >

[Openstack] [OSSN-0074] Nova metadata service should not be used for sensitive information

2016-12-19 Thread Luke Hinds
OpenStack Security Note: 0074 Nova metadata service should not be used for sensitive information --- ### Summary ### A recent security report has highlighted how users may be using the metadata service to store security sensitive information. The Nova metadata service should not be considered

[openstack-dev] [OSSN-0074] Nova metadata service should not be used for sensitive information

2016-12-19 Thread Luke Hinds
OpenStack Security Note: 0074 Nova metadata service should not be used for sensitive information --- ### Summary ### A recent security report has highlighted how users may be using the metadata service to store security sensitive information. The Nova metadata service should not be considered

Re: [openstack-dev] Fwd: Re: [requirements][kolla][security] pycrypto vs cryptography

2016-11-19 Thread Luke Hinds
On Fri, Nov 18, 2016 at 3:04 PM, Jeremy Stanley <fu...@yuggoth.org> wrote: > On 2016-11-18 14:38:22 + (+0000), Luke Hinds wrote: > [...] > > I proposed raising bugs on launchpad for each instance discovered, so > that > > if anything, we at least have an idea o

Re: [openstack-dev] [security] FIPS Compliance (Was: [requirements][kolla][security] pycrypto vs cryptography)

2016-11-19 Thread Luke Hinds
On Fri, Nov 18, 2016 at 4:14 PM, Dean Troyer <dtro...@gmail.com> wrote: > > -Original Message- > > From: Luke Hinds <lhi...@redhat.com> > [...] > >> for non security related functions, but when it comes to government > >> compliance and running

Re: [openstack-dev] Fwd: Re: [requirements][kolla][security] pycrypto vs cryptography

2016-11-18 Thread Luke Hinds
n irc) is whether pycrypto (or if we move to > > > > > > cryptography) provide FIPS-140-2 compliance. > > > > > > > > > > My understanding is that if you need, for example, a FIPS-compliant > > > > > AES implementation under the hood, then this i

[Openstack] [OSSN-0066] (Errata) MongoDB guest instance allows any user to connect

2016-11-10 Thread Luke Hinds
OSSN previously incorrectly stated that the fix was back ported to Liberty release. This is not the case and the fix was applied only to Mitaka. ### Contacts / References ### Author: Luke Hinds, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0066 Original LaunchPad Bug : https://bug

[openstack-dev] [OSSN-0066] (Errata) MongoDB guest instance allows any user to connect

2016-11-10 Thread Luke Hinds
OSSN previously incorrectly stated that the fix was back ported to Liberty release. This is not the case and the fix was applied only to Mitaka. ### Contacts / References ### Author: Luke Hinds, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0066 Original LaunchPad Bug : https://bug

Re: [openstack-dev] [horizon] USE_SSL

2016-11-09 Thread Luke Hinds
shboard.html > The Django docs are probably your best bet for information: https://docs. > djangoproject.com/en/1.10/topics/security/#ssl-https > > Rob > > On 9 November 2016 at 13:23, Luke Hinds <lhi...@redhat.com> wrote: > >> Hi, >> >> I have noted that USE_S

[openstack-dev] [horizon] USE_SSL

2016-11-09 Thread Luke Hinds
Hi, I have noted that USE_SSL is no longer in local_settings.py I have not had any luck in having google find the background of why this was removed for first django (if it has?) and horizon. >From what I can see, it seems related to django views. Does anyone understand the context of this

[Openstack] [OSSN-0076] Glance Image service v1 and v2 api image-create vulnerability

2016-10-27 Thread Luke Hinds
to the role admin only, amend `/etc/glance/policy.json` accordingly. "add_image": "role:admin", ### Contacts / References ### Author: Luke Hinds, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0076 Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+b

[openstack-dev] [OSSN-0076] Glance Image service v1 and v2 api image-create vulnerability

2016-10-27 Thread Luke Hinds
to the role admin only, amend `/etc/glance/policy.json` accordingly. "add_image": "role:admin", ### Contacts / References ### Author: Luke Hinds, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0076 Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+b

[openstack-dev] Fwd: [security] [salt] Removal of Security and OpenStackSalt project teams from the Big Tent

2016-09-21 Thread Luke Hinds

[Openstack] [OSSN-0066] MongoDB guest instance allows any user to connect

2016-09-15 Thread Luke Hinds
is applies to all MongoDB clusters, and requires a restart of the trove-api service to change, and cannot be toggled on running clusters. ### Contacts / References ### Author: Luke Hinds, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0066 Original LaunchPad Bug : https://bugs.lau

[openstack-dev] [OSSN-0066] MongoDB guest instance allows any user to connect

2016-09-15 Thread Luke Hinds
is applies to all MongoDB clusters, and requires a restart of the trove-api service to change, and cannot be toggled on running clusters. ### Contacts / References ### Author: Luke Hinds, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0066 Original LaunchPad Bug : https://bugs.lau

[Openstack] [OSSN-0075] Deleted Glance image IDs may be reassigned

2016-09-14 Thread Luke Hinds
Deleted Glance image IDs may be reassigned --- ### Summary ### It is possible for image IDs from deleted images to be reassigned to other images. This creates the possibility that: - Alice creates a VM that boots from image ID X which has been shared with her by a trusted party, Bob. - Bob

[openstack-dev] [OSSN-0075] Deleted Glance image IDs may be reassigned

2016-09-14 Thread Luke Hinds
Deleted Glance image IDs may be reassigned --- ### Summary ### It is possible for image IDs from deleted images to be reassigned to other images. This creates the possibility that: - Alice creates a VM that boots from image ID X which has been shared with her by a trusted party, Bob. - Bob

[openstack-dev] [OSSN-0073] Horizon dashboard leaks internal information through cookies

2016-09-08 Thread Luke Hinds
Horizon dashboard leaks internal information through cookies --- ### Summary ### When horizon is configured, its URL contains the IP address of the internal URL of keystone, as the default value for the identity service is "internalURL".[1] The cookie "login_region" will be set to the value

[Openstack] [OSSN-0069] Host machine exposed to tenant networks via IPv6

2016-09-08 Thread Luke Hinds
/ References ### Author: Vinay Potluri, Intel & Luke Hinds, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0069 Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1534652 This issue was referenced in https://bugs.launchpad.net/Neutron/+bug/1459856 Related issue addre

[openstack-dev] [OSSN-0069] Host machine exposed to tenant networks via IPv6

2016-09-08 Thread Luke Hinds
/ References ### Author: Vinay Potluri, Intel & Luke Hinds, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0069 Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1534652 This issue was referenced in https://bugs.launchpad.net/Neutron/+bug/1459856 Related issue addre

Re: [Openstack] Advice on how to get started

2016-09-06 Thread Luke Hinds
On Sun, Sep 4, 2016 at 7:44 PM, Turbo Fredriksson wrote: > On Sep 4, 2016, at 7:25 PM, Karishma Sharma wrote: > > > Is it DevStack that I need to build or something else? > > _Personally_ I prefer to learn the hard way. That is, install the > package(s) and configure them

[Openstack] [OSSN 0070] Bandit versions lower than 1.1.0 do not escape HTML in issue reports

2016-08-30 Thread Luke Hinds
Bandit versions lower than 1.1.0 do not escape HTML in issue reports --- ### Summary ### Bandit versions lower than 1.1.0 have a bug in the HTML report formatter that does not escape HTML in issue context snippets. This could lead to an XSS if HTML reports are hosted as part of a CI pipeline.

[openstack-dev] [OSSN 0070] Bandit versions lower than 1.1.0 do not escape HTML in issue reports

2016-08-30 Thread Luke Hinds
Bandit versions lower than 1.1.0 do not escape HTML in issue reports --- ### Summary ### Bandit versions lower than 1.1.0 have a bug in the HTML report formatter that does not escape HTML in issue context snippets. This could lead to an XSS if HTML reports are hosted as part of a CI pipeline.

[Openstack] [OSSN 0068] Repeated token revocation requests, can lead to service degradation or disruption

2016-07-21 Thread Luke Hinds
ity # https://www.modsecurity.org/ ### Contacts / References ### Author: Luke Hinds, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0068 Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1553324 OpenStack Security ML : openstack-secur...@lists.openstack.org OpenStack Se

[openstack-dev] [OSSN 0068] Repeated token revocation requests, can lead to service degradation or disruption

2016-07-21 Thread Luke Hinds
ity # https://www.modsecurity.org/ ### Contacts / References ### Author: Luke Hinds, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0068 Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1553324 OpenStack Security ML : openstack-secur...@lists.openstack.org OpenStack Se