Thursday, 2020-10-08

[14:01] <jokke> #startmeeting glance
[14:01] <openstack> Meeting started Thu Oct  8 14:01:03 2020 UTC and is due to finish in 60 minutes.  The chair is jokke. Information about MeetBot at http://wiki.debian.org/MeetBot.
[14:01] <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[14:01] *** openstack changes topic to " (Meeting topic: glance)"
[14:01] <openstack> The meeting name has been set to 'glance'
[14:01] <jokke> #topic roll-call
[14:01] *** openstack changes topic to "roll-call (Meeting topic: glance)"
[14:01] <jokke> o/
[14:01] *** eharney has quit IRC
[14:01] <jokke> Today's Agenda is subject to a change https://etherpad.opendev.org/p/glance-team-meeting-agenda
[14:02] <Steap> o/
[14:02] <jokke> hey
[14:03] <jokke> giving minute or two to see if we get anyone else joining us
[14:05] <jokke> ok, so Abhishek had a loss in the family, he is absent today
[14:05] <jokke> #topic updates
[14:05] *** openstack changes topic to "updates (Meeting topic: glance)"
[14:05] <jokke> #link https://etherpad.opendev.org/p/Glance-Wallaby-PTG-planning
[14:06] <jokke> Summit and PTG are approaching quick
[14:06] <jokke> Please give your input in the etherpad linked
[14:06] <jokke> We tagged RC2, it just contains API version bump otherwise looks like we're good to go for the release
[14:07] <jokke> Periodic jobs are running green for a change
[14:07] <jokke> #topic Multi-store tests
[14:07] *** openstack changes topic to "Multi-store tests (Meeting topic: glance)"
[14:08] <jokke> There is bunch of patches linked in the agenda, I'm not going to repeat them all here. Please feel free to have a look
[14:08] <jokke> I'm not sure if there was anything else in plans for this topic that bring awareness
[14:09] <jokke> #topic Open Discussion
[14:09] *** openstack changes topic to "Open Discussion (Meeting topic: glance)"
[14:09] <jokke> Steap: did you have something?
[14:10] <Steap> honestly, not really, except for https://review.opendev.org/749091, but it is more of a downstream thing :)
[14:12] <jokke> Cool, thanks for bringing that up, rosmaita & smcginnis if you're around at some point ^^ could do with second. ;)
[14:13] <smcginnis> Will take a look.
[14:13] <Steap> Thanks :)
[14:13] <jokke> cheers
[14:13] <jokke> that's all from my side anything else?
[14:15] <jokke> ok going 1st
[14:15] <jokke> going twice
[14:16] <jokke> Sold! Thanks all! this was quick one. o/~
[14:16] <jokke> #endmeeting
[14:16] *** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/"
[14:16] <openstack> Meeting ended Thu Oct  8 14:16:43 2020 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
[14:16] <openstack> Minutes:        http://eavesdrop.openstack.org/meetings/glance/2020/glance.2020-10-08-14.01.html
[14:16] <openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/glance/2020/glance.2020-10-08-14.01.txt
[14:16] <openstack> Log:            http://eavesdrop.openstack.org/meetings/glance/2020/glance.2020-10-08-14.01.log.html
[14:17] <smcginnis> Probably good the meeting was mostly uneventful at this point in the cycle. ;)
[14:19] <jokke> ++
[15:01] <gagehugo> #startmeeting security
[15:01] <openstack> Meeting started Thu Oct  8 15:01:43 2020 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
[15:01] <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[15:01] *** openstack changes topic to " (Meeting topic: security)"
[15:01] <openstack> The meeting name has been set to 'security'
[15:02] <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
[15:03] <gagehugo> o/
[15:03] *** mlavalle has joined #openstack-meeting
[15:04] <fungi> hey there
[15:05] <gagehugo> fungi: hey o/
[15:05] <fungi> #link https://launchpad.net/bugs/1895688 Authenticated RCE in blazar-dashboard
[15:05] <openstack> Launchpad bug 1895688 in Blazar "Authenticated RCE in blazar-dashboard via python expression in POST parameters" [Critical,Fix released] - Assigned to Pierre Riteau (priteau)
[15:06] <priteau> Hi o/
[15:06] <fungi> er, sorry, was prepping an entry and had a stray newline in there :/
[15:06] <fungi> didn't mean to jump into the topic early
[15:07] <gagehugo> no worries haha
[15:07] <gagehugo> #topic Authenticated RCE in blazar-dashboard via python expression in POST parameters
[15:07] *** openstack changes topic to "Authenticated RCE in blazar-dashboard via python expression in POST parameters (Meeting topic: security)"
[15:07] <gagehugo> #link https://bugs.launchpad.net/blazar/+bug/1895688
[15:07] <openstack> Launchpad bug 1895688 in Blazar "Authenticated RCE in blazar-dashboard via python expression in POST parameters" [Critical,Fix released] - Assigned to Pierre Riteau (priteau)
[15:08] <fungi> priteau took care of that very quickly once he got access to blazar's private bugs
[15:08] <priteau> That was the hard part :-)
[15:08] <gagehugo> nice
[15:08] <priteau> To be fair, credit goes to the discoverer of the issue who shared a patch
[15:10] <priteau> The patch was backported to victoria, ussuri, train, stein
[15:10] <priteau> New releases produced for ussuri, train, stein
[15:11] <gagehugo> ok cool
[15:11] <priteau> I wanted to ask what is the next step, should we produce an OSSA?
[15:11] <priteau> As I mentioned to fungi in private discussions, there are quite likely very few users of this software
[15:12] <fungi> it's probably a good idea, though if you're not in a hurry you could file a request for a cve assignment via mitre's web form first
[15:12] <fungi> but really it's up to you. if you feel like the impact is extremely limited then it may not be worth the trouble
[15:13] <priteau> I would like to do things properly, it can be useful to know
[15:14] <fungi> sure. in that case we have instructions... lemme get the link
[15:14] <gagehugo> https://security.openstack.org/vmt-process.html#send-cve-request
[15:14] <gagehugo> priteau ^
[15:15] <fungi> #link https://security.openstack.org/vmt-process.html#send-cve-request cve request instructions
[15:15] <fungi> yep
[15:15] <gagehugo> :)
[15:15] <fungi> and then after, or in parallel, you can start working on a yaml file addition to the ossa repo:
[15:16] <fungi> #link https://security.openstack.org/vmt-process.html#openstack-security-advisories-ossa template for ossa metadata
[15:17] <fungi> stuff like $DESCRIPTION_CONTENT and $AFFECTED_VERSIONS are part of the impact description, which there's also a template for in that document
[15:17] <fungi> but feel free to ask in #openstack-security if you have questions and we're happy to guide you
[15:18] <priteau> In the cve form, do I need to list each affected version as a separate entry?
[15:19] <priteau> or just comma-separate them?
[15:19] *** macz_ has joined #openstack-meeting
[15:20] <fungi> we usually comma-separate version ranges
[15:20] <gagehugo> I believe I just comma separated them last time I submitted one
[15:20] <fungi> i'll get you an example
[15:21] <fungi> #link https://security.openstack.org/ossa/OSSA-2020-006.html#affects example affected version ranges list
[15:21] <priteau> Thanks
[15:22] <priteau> "<1.3.1, ==2.0.0, ==3.0.0"
[15:23] <fungi> yeah, assuming 1.3.1, 2.0.1 and 3.0.1 are the fixed releases
[15:23] <priteau> They are
[15:24] <fungi> then that looks entirely correct
[15:24] *** macz_ has quit IRC
[15:26] <priteau> I think I've got enough information to request the CVE. I'll do it a bit later today.
[15:27] <gagehugo> sounds good!
[15:27] <fungi> they usually get back to you by e-mail with the cve number they've assigned within a day or two
[15:27] <gagehugo> "usually"
[15:27] <fungi> but yeah, don't get worried if you don't hear from them until monday or tuesday
[15:28] <fungi> you'll generally get a confirmation e-mail for the submission itself straight away though
[15:29] *** macz_ has joined #openstack-meeting
[15:29] <gagehugo> fungi priteau: anything else for this topic?
[15:30] <priteau> Not for now, I'll ask in the security channel if I run into problems
[15:30] <fungi> we're all happy to help
[15:30] <gagehugo> ^^
[15:30] <gagehugo> #topic horizon bug
[15:30] *** openstack changes topic to "horizon bug (Meeting topic: security)"
[15:30] <gagehugo> #link https://bugs.launchpad.net/horizon/+bug/1898465
[15:30] <openstack> Launchpad bug 1898465 in OpenStack Dashboard (Horizon) "In Openstack Horizon component it was observed that the application is taking input from URL and reflecting it into the webpage" [Undecided,New]
[15:30] <gagehugo> This was made public
[15:31] <fungi> yeah, i marked it as a security hardening opportunity for now
[15:32] <fungi> there's another public horizon bug for an open redirect which will likely get an ossa soon
[15:33] <fungi> the stable/ussuri backport for it merged today, but older stable branches still need backports i think
[15:36] <gagehugo> thanks fungi
[15:36] <gagehugo> #topic open discussion
[15:36] *** openstack changes topic to "open discussion (Meeting topic: security)"
[15:36] <gagehugo> Anything else for this week?
[15:37] <fungi> it might be nice to get some renewed movement on the memcached socket pileup
[15:38] <gagehugo> agreed
[15:38] <gagehugo> #link https://bugs.launchpad.net/keystonemiddleware/+bug/1892852
[15:38] <openstack> Launchpad bug 1892852 in OpenStack Security Advisory "memcached socket not released upon lbaas API request " [Undecided,Incomplete]
[15:38] <gagehugo> that's the duplicate one
[15:38] <gagehugo> #link https://bugs.launchpad.net/keystonemiddleware/+bug/1883659
[15:38] <openstack> Launchpad bug 1883659 in oslo.cache "keystonemiddleware connections to memcached from neutron-server grow beyond configured values" [Undecided,Confirmed]
[15:38] <fungi> there's a theoretical fix for oslo.cache but it's not seen any updates for a month or two
[15:39] <fungi> it's probably also a duplicate of 1888394
[15:39] <fungi> which was opened in july
[15:41] <gagehugo> heh
[15:41] <fungi> looks like that's the only one referred to by the fix change, so i'll add some comments in it about being a duplicate as well
[15:42] <fungi> and let the devs sort it out
[15:42] <fungi> right now reviewers arriving at https://review.opendev.org/742193 don't have any clear indication that there are outstanding security bugs for it
[15:44] <gagehugo> hmm
[15:44] <gagehugo> that might poke them along
[15:45] <gagehugo> fungi priteau: thanks!  I need to run, have a good rest of the week!
[15:45] <gagehugo> #endmeeting
[15:45] *** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/"
[15:45] <openstack> Meeting ended Thu Oct  8 15:45:26 2020 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
[15:45] <openstack> Minutes:        http://eavesdrop.openstack.org/meetings/security/2020/security.2020-10-08-15.01.html
[15:45] <openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/security/2020/security.2020-10-08-15.01.txt
[15:45] <openstack> Log:            http://eavesdrop.openstack.org/meetings/security/2020/security.2020-10-08-15.01.log.html
[15:46] *** Luzi has quit IRC
[15:46] <fungi> thanks gagehugo!