-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/29/2012 03:40 PM, Russell Bryant wrote:
> On 11/29/2012 03:50 AM, Avishay Traeger wrote:
>>
>> Hi all,
>> Currently, CHAP secrets are managed by Cinder, and passed to Nova for
>> use when attaching volumes. This means that unless the communication
>> is encrypted, or a separate trusted network is used, CHAP secrets can
>> be sniffed on the wire. Opinions?
>
> In the future, if you suspect something is a security issue
> (vulnerability), the public mailing list isn't the best place to
> report it. :-) Please use a private bug on launchpad, or send
> someone on the vulnerability management team an encrypted email.
>
> http://www.openstack.org/projects/openstack-security/
>
> In this case, I don't think there is a problem here. A lot of
> sensitive information is passed around between services, via both
> messaging and the REST APIs. It is certainly important to protect
> these communications via the means you mentioned (trusted network,
> encryption).
Also, if appropriate, please notify secal...@redhat.com. Traditionally SRT
would handle notifying/communications with many upstreams (this applies more
to RHEL, where we have hundreds of upstreams we are not directly involved in),
which is obviously different for OpenStack since we have Russell, but it is
very helpful if SRT is notified as early as possible, since we'll need to
handle the security issues anyway at some point.

- -- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQvjAMAAoJEBYNRVNeJnmTmPwQAJx3WKrc3OHSkyjBukqt+x/V
6G3by9ZQZeUYnXPzKCW5uLC+nypea2zx/AKn6/QBwjcE+jTWzvI4EOkv6wpzxyC1
cdcRE1gLoaStPZhEfBAugjXwBMH8zwDE6htuEDZrazPNgSfOGYr7UAsr1KOh0dy+
ijY7fd1nJgakKl/LMrqbTRx0soh6ZFvQdZ51DEywDohs2Fn6CEeDiSbaj/4uUDGl
5s/4HM9CyfRF8fc8lFloU10QIdx+0E2kY+wMrFjfGUSX9UWtqKzj3HjE8mCIJzBq
RDOlKF0NSb3etasbYV881MPA0Ur9AYB5F03qoQvfRg0NWa3Mzuqty/CztYCg3Xii
UpGLhmPxX67dItotYr1uTnP7lTLieAjVbu6HOAPUcXVw1zvF3p0dDlhEn1Rsg0I3
FKMMyMUAeuObPeFhnnvRfnsRfQh45drDFGwv1v38lnFbXQyZTu9Yk9ysDekNJLvS
VyC8ZTGBizlyKbpJf2ABUF8kI2fS9jfUBkWtRxErnzElUmGPsMZ4yRPGYdRuMY49
0IrE4TcdWszAgZxaVRSj2CE2Dw8x1V1/ZUSUW5fyRKPOmZhtAuY2NRXYxk3NNeO/
5c6TQwnGec9GTmUMIFfWoUBCBORbib0d2Q3evQZ9MmO1VJEnSirXhIUt9LXq+9/C
60oOnghV/Ry4U+jzf6NX
=1lL1
-----END PGP SIGNATURE-----
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
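The exposure Avishay raises, as an added Python example that is not part of this thread and not code from Cinder or Nova: CHAP on the iSCSI path never transmits the secret itself, only a challenge and an MD5 response over it (RFC 1994), so an observer of the storage network gains little from a captured exchange. The control-plane message that hands the secret from the volume service to the compute service is a different matter, because holding the secret lets anyone answer any future challenge. The attach-message shape (a `data` dict with `auth_method`, `auth_username`, `auth_password`), the target names and the secret are all constructed for this example and are assumptions, not captured data.

```python
"""Why a CHAP secret leaking from the control path matters.

CHAP as used by iSCSI (RFC 1994, MD5 variant) never puts the secret on the
storage network: the target sends a challenge and the initiator returns
MD5(identifier || secret || challenge). Whoever holds the secret can answer
any future challenge, so if the volume service hands the secret to the
compute service over an unencrypted channel, that channel is where an
eavesdropper wins. Every message and credential below is constructed for
this example; nothing is captured from a real deployment.
"""
import hashlib
import hmac
import json
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Target-side check; constant-time compare so the verifier itself leaks nothing."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def credentials_from_sniffed_attach(raw: bytes):
    """What a passive observer of an unencrypted control channel recovers.

    The payload shape (a 'data' dict with auth_method/auth_username/auth_password)
    is an assumption of this example, modelled loosely on an iSCSI connection_info
    dict; it is not copied from Cinder or Nova.
    """
    info = json.loads(raw.decode())
    data = info.get("data", {})
    if data.get("auth_method", "").upper() != "CHAP":
        return None
    return data["auth_username"], data["auth_password"].encode()


# Constructed sample of an attach message travelling from the volume service
# to the compute service in cleartext (hypothetical values throughout).
SNIFFED_ATTACH_MESSAGE = json.dumps({
    "driver_volume_type": "iscsi",
    "data": {
        "target_iqn": "iqn.2012-11.example:volume-0001",
        "target_portal": "192.0.2.10:3260",
        "auth_method": "CHAP",
        "auth_username": "initiator-0001",
        "auth_password": "constructed-example-secret",
    },
}).encode()


def demo() -> dict:
    """One honest login, one replay attempt, and one login by an attacker who
    sniffed the secret off the control path. Returns the outcomes."""
    _, secret = credentials_from_sniffed_attach(SNIFFED_ATTACH_MESSAGE)

    # Honest login: the target challenges, the initiator answers with its secret.
    ident, challenge = 0x01, os.urandom(16)
    response = chap_response(ident, secret, challenge)
    legit_ok = chap_verify(ident, secret, challenge, response)

    # An attacker who only watched the storage path holds (challenge, response).
    # The target issues a fresh challenge, so replaying the old response fails.
    ident2, challenge2 = 0x02, os.urandom(16)
    replay_ok = chap_verify(ident2, secret, challenge2, response)

    # An attacker who watched the control path holds the secret itself and can
    # answer the fresh challenge just like the legitimate initiator.
    attacker_ok = chap_verify(
        ident2, secret, challenge2, chap_response(ident2, secret, challenge2)
    )

    return {
        "legit_ok": legit_ok,
        "replay_ok": replay_ok,
        "attacker_with_secret_ok": attacker_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The point the three outcomes make is the one the thread settles on: the CHAP exchange itself resists replay, so the protection that matters is for the channel carrying the secret between services, by encrypting it or confining it to a trusted network.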