On 04/11/2016 08:04 AM, Clark, Robert Graham wrote:
> Thanks Matt, Michael,
>
> To start with, let's look quickly at the more recent OSSNs that are
> marked as work in progress, namely 63, 64, 65 and 66 – these should all be
> published within a week or so.
>
> Looking further back we have the more difficult OSSNs 50 and 51, I'm not
> 100% sure what the blockers are on these. I believe
> https://wiki.openstack.org/wiki/OSSN/OSSN-0056 may supersede OSSN-0051
> and is rooted in bug https://bugs.launchpad.net/ossn/+bug/1435530 - it
> looks to me like OSSN-0056 was written during a mid-cycle and could be
> the right one.
>
> I'm struggling to work out the story behind OSSN-0050 – I'm adding
> Nathan Kinder who might be able to shed more light on this.

It looks like that one was added to the wiki by 'Davewalker' in this
revision:

https://wiki.openstack.org/w/index.php?title=Security_Notes&direction=next&oldid=85312

I searched all open and closed OSSN bugs, and did not see one that
matches this issue.

-NGK

>
> -Rob
>
> *From:* Michael Xin [mailto:michael....@rackspace.com]
> *Sent:* 11 April 2016 15:28
> *To:* Matt Fischer; OpenStack Development Mailing List (not for usage
> questions)
> *Subject:* Re: [openstack-dev] [Openstack-security] [Security] abandoned
> OSSNs?
>
> Matt:
>
> Thanks for asking this. I forwarded this email to the new email list so
> that folks with better knowledge can answer this.
>
> Thanks and have a great day.
>
> Yours,
>
> Michael
>
> -----------------------------------------------------------------------------
> Michael Xin | Manager, Security Engineering - US
> Product Security | Rackspace Hosting
> Office #: 501-7341 or 210-312-7341
> Mobile #: 210-284-8674
> 5000 Walzem Road, San Antonio, Tx 78218
> -----------------------------------------------------------------------------
> Experience fanatical support
>
> *From:* Matt Fischer <m...@mattfischer.com>
> *Date:* Monday, April 11, 2016 at 9:19 AM
> *To:* "openstack-secur...@lists.openstack.org"
> <openstack-secur...@lists.openstack.org>
> *Subject:* [Openstack-security] abandoned OSSNs?
>
> Some folks from our security team here asked me to ensure them that our
> services were patched for all the OSSNs that are listed
> here: https://wiki.openstack.org/wiki/Security_Notes
>
> Most of these are straight-forward, but there are some OSSNs that have
> been allocated an ID but then abandoned. There is no detailed wiki page
> and my best google efforts lead me to a possible IRC mention and maybe
> an abandoned review.
> The two specifically are OSSN-50/51.
>
> So what am I to do with an "abandoned" OSSN? Has it been decided that
> there is no issue anymore? These are pretty old if I look at the dates
> framing the other OSSNs (49/52), so I assume they aren't urgent. Can we
> ignore these? They sound somewhat scary, for example,
> "keystonemiddleware can allow access after token revocation" but I have
> no means to say whether it affects us or how we can mitigate without
> more info.
>
> Thoughts?