| *** salv-orlando has quit IRC | 00:16 | |
| *** _amrith_ is now known as amrith | 00:17 | |
| *** bpokorny_ has quit IRC | 00:47 | |
| *** amrith is now known as _amrith_ | 00:59 | |
| openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/security-doc: Imported Translations from Transifex https://review.openstack.org/123636 | 06:01 |
| openstackgerrit | A change was merged to openstack/security-doc: Imported Translations from Transifex https://review.openstack.org/123636 | 06:30 |
| *** modicasio has joined #openstack-security | 07:43 | |
| modicasio | hi | 07:43 |
| *** modicasio has quit IRC | 07:51 | |
| *** salv-orlando has joined #openstack-security | 09:10 | |
| *** openstack has joined #openstack-security | 09:23 | |
| *** _amrith_ is now known as amrith | 12:51 | |
| *** deepsa_ has joined #openstack-security | 12:57 | |
| openstackgerrit | Abu Shohel Ahmed proposed a change to openstack/security-doc: Adds a new OpenStack Security Notes https://review.openstack.org/114460 | 13:08 |
| *** lismore_hp has joined #openstack-security | 13:24 | |
| *** bknudson has joined #openstack-security | 13:30 | |
| *** deepsa_ has quit IRC | 13:55 | |
| *** voodookid has joined #openstack-security | 14:14 | |
| *** edmondsw has joined #openstack-security | 14:24 | |
| openstackgerrit | Nathan Kinder proposed a change to openstack/security-doc: Add OSSN-0024 - Sensitive data exposure in logfiles https://review.openstack.org/114460 | 15:16 |
| *** lismore_hp has quit IRC | 16:09 | |
| openstackgerrit | Nathan Kinder proposed a change to openstack/security-doc: Correct a typo in OSSN-0029 https://review.openstack.org/123783 | 16:25 |
| nkinder_ | tmcpeak: could you give a quick review to ^^^ ? | 16:26 |
| nkinder_ | tmcpeak: I'm OK with bypassing the review requirements since this is a typo correction, but I'd like one other +1 at least | 16:26 |
| nkinder_ | tmcpeak: once this is corrected, I can publish 0029 | 16:30 |
| tmcpeak | nkinder_: sure | 16:31 |
| nkinder_ | tmcpeak: thanks! | 16:32 |
| nkinder_ | I also took a pass of cleaning up some small things in 0024 for Shohel | 16:32 |
| nkinder_ | That one is really close. A review of that would be great. | 16:32 |
| tmcpeak | cool | 16:32 |
| *** openstackgerrit has quit IRC | 16:35 | |
| *** jamielenz has joined #openstack-security | 16:53 | |
| *** jamielenz is now known as jamielennox | 16:53 | |
| *** openstackgerrit has joined #openstack-security | 17:24 | |
| *** openstackgerrit has quit IRC | 17:51 | |
| *** openstackgerrit has joined #openstack-security | 17:51 | |
| openstackgerrit | A change was merged to openstack/security-doc: Correct a typo in OSSN-0029 https://review.openstack.org/123783 | 17:56 |
| *** edmondsw has quit IRC | 17:59 | |
| *** bpokorny has joined #openstack-security | 18:08 | |
| *** bpokorny has quit IRC | 18:24 | |
| *** bdpayne has joined #openstack-security | 18:27 | |
| bdpayne | So... CVE-2014-6271... good times, eh? | 18:30 |
| chair6 | good times! | 18:31 |
| bdpayne | has anyone considered using bandit to see if any openstack services use an environment variable in an unsafe way (i.e., in a way that would make it vulnerable to this cve)? | 18:34 |
| bdpayne | chair6 and/or tmcpeak ^^ | 18:50 |
| tmcpeak | lol yeah, good times | 18:52 |
| tmcpeak | bdpayne: we've been considering such things, but it's pretty difficult to automate the analysis | 18:53 |
| bdpayne | yeah | 18:53 |
| bdpayne | I wonder if we should craft an OSSN on this one | 18:53 |
| tmcpeak | bdpayne: yeah, I'm thinking the same | 18:53 |
| bdpayne | the thing is, it would be nice to be able to say something meaningful about the vulnerability (or lack thereof) of the openstack services to this | 18:53 |
| bdpayne | which is a lot of analysis | 18:54 |
| bdpayne | although, something that I suspect people are doing anyway | 18:54 |
| nkinder_ | I'm not really sure what we can say without analysis except "upgrade bash" | 18:54 |
| nkinder_ | ...which falls into underlying system security updates | 18:54 |
| bdpayne | yeah | 18:54 |
| tmcpeak | couldn't we just say "update bash. No seriously guys, update it" | 18:56 |
| *** bpokorny has joined #openstack-security | 18:57 | |
| bdpayne | sort of? | 18:57 |
| bdpayne | turns out that some people don't like updating unless they really need to | 18:57 |
| bdpayne | risk and such | 18:57 |
| voodookid | bdpayne: those same people tend to have non-existent patch testing and deployment processes. Increasing their risk. | 18:58 |
| bdpayne | well, anyway... if people aren't interested that's fine... just thought I'd check | 18:59 |
| *** bpokorny_ has joined #openstack-security | 19:00 | |
| *** bpokorny has quit IRC | 19:02 | |
| nkinder_ | bdpayne: I'm sort of interested, and also sort of don't want to make OSSNs start covering all sorts of underlying system vulnerabilities that may or may not affect OpenStack. | 19:03 |
| nkinder_ | bdpayne: it's a fuzzy line for sure | 19:04 |
| bdpayne | sure | 19:04 |
| bdpayne | I'm viewing this as something being potentially on the level of heartbleed | 19:04 |
| bdpayne | which we did issue an OSSN for | 19:04 |
| bdpayne | but, it is also true that we aren't a distro | 19:05 |
| tmcpeak | bdpayne, nkinder: yeah I agree. I'm seeing it on the same sort of level as heartbleed | 19:06 |
| nkinder_ | bdpayne: Yeah. If someone wants to write up an OSSN for this, I'm not going to stand in its way. :) | 19:06 |
| tmcpeak | I'd for sure do it, but I'm going away for a couple of weeks | 19:16 |
| tmcpeak | you'll have to carry on without me | 19:16 |
| nkinder_ | tmcpeak: ah, is it that time? | 19:20 |
| tmcpeak | nkinder_: it is! | 19:20 |
| tmcpeak | Saturday | 19:20 |
| nkinder_ | tmcpeak: awesome. Early congrats! | 19:23 |
| tmcpeak | nkinder_: thank you sir :) | 19:23 |
| bknudson | bdpayne: so I don't think openstack does anything that would expose the bash issue... | 19:38 |
| bknudson | I think it would require taking user input and sticking it into an env var and then execing bash with it | 19:38 |
| bdpayne | bknudson, you may be right... I'm exploring it now | 19:38 |
| bdpayne | bknudson that would be one way | 19:38 |
| bdpayne | I don't think you'd need to exec bash explicitly though | 19:39 |
| bknudson | if the error is in bash, then you'd have to get bash involved somehow | 19:40 |
| bdpayne | yes | 19:40 |
| bdpayne | we're exploring the extent of this now | 19:41 |
| *** openstackgerrit has quit IRC | 19:46 | |
| *** openstackgerrit has joined #openstack-security | 19:47 | |
| *** bpokorny has joined #openstack-security | 20:00 | |
| *** bpokorny_ has quit IRC | 20:03 | |
| *** paulmo has quit IRC | 20:53 | |
| *** bpokorny_ has joined #openstack-security | 20:57 | |
| *** bpokorny has quit IRC | 21:00 | |
| *** tmcpeak has quit IRC | 21:29 | |
| nkinder_ | fyi, OSSN-0029 made it through review without a +1 from a neutron core - https://review.openstack.org/#/c/122116 | 22:09 |
| nkinder_ | we need to be careful of that | 22:09 |
| nkinder_ | the note is technically correct AFAIK, but it fails to mention that FWaaS is still "experimental", which would have been nice to point out | 22:10 |
| *** salv-orlando_ has joined #openstack-security | 22:32 | |
| *** salv-orlando has quit IRC | 22:35 | |
| *** salv-orlando_ is now known as salv-orlando | 22:35 | |
| *** bknudson has quit IRC | 22:36 | |
| *** openstackgerrit has quit IRC | 22:47 | |
| *** openstackgerrit_ has joined #openstack-security | 22:47 | |
| *** openstackgerrit_ is now known as openstackgerrit | 22:48 | |
| chair6 | bdpayne - did you come up with anything at the openstack level? | 22:56 |
| chair6 | i've got a bandit test now that flags usage of Popen and equivalent functions with the 'env' arg | 22:57 |
| chair6 | not sure that could even be an exploitable angle but figured it could be interesting.. | 22:57 |
| bdpayne | chair6 the openstack pieces I looked at actually looked good | 23:01 |
| bdpayne | and, perhaps more to the point, I learned today that Debian-based systems are using dash as the default shell | 23:01 |
| bdpayne | which helps quite a bit too | 23:01 |
| chair6 | heh, yep | 23:07 |
| *** voodookid has quit IRC | 23:09 | |
| chair6 | well across all of barbican,cinder,glance,heat,horizon,ironic,keystone,keystonemiddleware,neutron,nova,swift,trove | 23:10 |
| chair6 | codebases, i only see three instances where a Popen call is passed a named 'env' argument | 23:10 |
| chair6 | one of those the arg is populated from os.environ.copy() | 23:13 |
| chair6 | two of them are helper functions, so i gotta go look for usage of that helper function | 23:13 |
| bdpayne | cool, that's nice to hear chair6 | 23:29 |
| chair6 | turns out it wasn't a full picture, due to xargs splitting output | 23:34 |
| chair6 | revised numbers - 8 helper functions that call Popen with an env var, so need to track those backwards | 23:35 |
| chair6 | 1 other fn where the arg is populated straight from os.environ.copy(), and 1 (a selenium driver) where env is passed but does not appear to be open to include user input | 23:36 |
| *** bknudson has joined #openstack-security | 23:36 | |
| *** bknudson has quit IRC | 23:36 | |
| chair6 | not seeing any glaringly obvious holes where user input might make its way to an environment variable and to bash though | 23:37 |
| *** paulmo has joined #openstack-security | 23:37 | |
| *** bknudson has joined #openstack-security | 23:39 | |
| *** amrith is now known as _amrith_ | 23:41 | |
| *** openstack has joined #openstack-security | 23:56 | |
| *** bknudson has quit IRC | 23:56 | |
| *** bknudson has joined #openstack-security | 23:58 | |