Thanks, I've switched this to a normal public bug and set our security advisory task to Won't Fix indicating there shouldn't be any advisory publication required. The OpenStack VMT is treating this as a class E report (neither a vulnerability nor hardening opportunity) per our taxonomy: https://security.openstack.org/vmt-process.html#incident- report-taxonomy
** Description changed: - This issue is being treated as a potential security risk under - embargo. Please do not make any public mention of embargoed - (private) security vulnerabilities before their coordinated - publication by the OpenStack Vulnerability Management Team in the - form of an official OpenStack Security Advisory. This includes - discussion of the bug or associated fixes in public forums such as - mailing lists, code review systems and bug trackers. Please also - avoid private disclosure to other individuals not already approved - for access to this information, and provide this same reminder to - those who are made aware of the issue prior to publication. All - discussion should remain confined to this private bug report, and - any proposed fixes should be added to the bug as attachments. This - embargo shall not extend past 2021-05-11 and will be made - public by or on that date even if no fix is identified. - The security group panel enables all actions (create/edit/delete/manage rules/etc.) regardless of the network policy.yaml settings or user account. In the code there's this telling readme: # TODO(amotoki): [drop-nova-network] Add neutron policy support In my deployment this is a bit alarming -- users who are intended to be read-only are nonetheless invited to delete things. Of course the Neutron backend /does/ observe the policy so this is ugly but not usually an actual security risk unless people have different back-end and front-end policy files. I'm flagging as security-related nonetheless for the odd edge case where it poses a risk. ** Information type changed from Private Security to Public ** Changed in: ossa Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/1915308 Title: security group table doesn't observe Neutron policy settings Status in OpenStack Dashboard (Horizon): New Status in OpenStack Security Advisory: Won't Fix Bug description: The security group panel enables all actions (create/edit/delete/manage rules/etc.) regardless of the network policy.yaml settings or user account. In the code there's this telling readme: # TODO(amotoki): [drop-nova-network] Add neutron policy support In my deployment this is a bit alarming -- users who are intended to be read-only are nonetheless invited to delete things. Of course the Neutron backend /does/ observe the policy so this is ugly but not usually an actual security risk unless people have different back-end and front-end policy files. I'm flagging as security-related nonetheless for the odd edge case where it poses a risk. To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1915308/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp