Tuesday, 2016-08-30

00:02 <ccneill> yep
00:03 <ccneill> unrahul: I figured we'd make some tweaks to the tests once we get all the other stuff we've been working on out of the way, so we're not running into cross-dependency/rebase nightmares
00:03 <ccneill> anyway, I'm out for the day. have a good one y'all o/
00:09 *** woodster_ has quit IRC
00:11 <unrahul> Yeah.. That's true..
00:11 <unrahul> This time everything got merged without much rebasing..
00:11 <unrahul> That was a relief
00:14 *** sdake has joined #openstack-security
00:18 *** trisq has joined #openstack-security
00:18 *** gfhellma has quit IRC
00:30 *** Unterd0g has quit IRC
00:30 *** browne has quit IRC
00:32 *** Unterd0g has joined #openstack-security
00:39 *** ccneill has quit IRC
00:43 *** diazjf has joined #openstack-security
00:47 *** aastha has quit IRC
00:57 *** diazjf has quit IRC
00:57 *** edtubill has joined #openstack-security
00:58 *** trisq has quit IRC
00:58 *** diazjf has joined #openstack-security
00:59 *** jass93 has joined #openstack-security
01:14 *** sdake has quit IRC
01:14 *** diazjf has quit IRC
01:17 *** edtubill has quit IRC
01:21 *** sdake has joined #openstack-security
01:24 *** trisq has joined #openstack-security
01:32 *** salv-orlando has joined #openstack-security
01:41 *** knangia has quit IRC
01:43 *** salv-orlando has quit IRC
01:46 <openstackgerrit> OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/362521
02:02 <openstackgerrit> Merged openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/362521
02:08 *** austin987 has joined #openstack-security
02:39 *** jesusrodriguez has joined #openstack-security
02:39 <openstackgerrit> Darren Chan proposed openstack/security-doc: OSSN-0070: bandit version < 1.1.0 have possible XSS  https://review.openstack.org/355493
02:41 *** jesusrodriguez has joined #openstack-security
02:43 *** jesusrodriguez1 has joined #openstack-security
02:44 *** dave-mccowan has quit IRC
02:45 *** jesusrodriguez1 has quit IRC
02:46 *** jesusrodriguez has quit IRC
03:00 *** jesusrodriguez has joined #openstack-security
03:02 *** jesusrodriguez has left #openstack-security
03:04 *** hyakuhei has quit IRC
03:08 *** jesusrodriguez has joined #openstack-security
03:19 *** hyakuhei has joined #openstack-security
03:45 *** salv-orlando has joined #openstack-security
03:53 *** salv-orlando has quit IRC
04:06 *** mdong has quit IRC
04:06 *** mdong has joined #openstack-security
04:41 *** salv-orlando has joined #openstack-security
05:47 *** sdake has quit IRC
05:50 <openstackgerrit> Michael Dong proposed openstack/syntribos: Fixed runner time log  https://review.openstack.org/362480
05:50 *** sdake has joined #openstack-security
06:08 *** salv-orl_ has joined #openstack-security
06:11 *** salv-orlando has quit IRC
06:12 *** jass93 has quit IRC
06:12 *** salv-orlando has joined #openstack-security
06:13 *** jass93 has joined #openstack-security
06:17 *** salv-orl_ has quit IRC
06:17 *** salv-orlando has quit IRC
06:19 *** rcernin has joined #openstack-security
06:26 *** pcaruana has joined #openstack-security
06:38 *** mdong has quit IRC
06:44 *** sdake has quit IRC
06:51 *** liverpooler has joined #openstack-security
07:07 *** tesseract- has joined #openstack-security
07:31 *** shohel has joined #openstack-security
07:42 *** vinaypotluri has quit IRC
08:23 *** austin987 has quit IRC
08:31 *** aastha has joined #openstack-security
08:40 *** markd_ has joined #openstack-security
08:59 *** hyakuhei has quit IRC
08:59 *** hyakuhei has joined #openstack-security
08:59 *** hyakuhei has quit IRC
08:59 *** hyakuhei has joined #openstack-security
09:28 <openstackgerrit> OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/362728
10:27 *** salv-orlando has joined #openstack-security
10:43 <lhinds> ping hyakuhei
10:44 <hyakuhei> Hey lhinds
10:44 <lhinds> hi mate - are you able to get this email changed:
10:44 <lhinds> https://review.openstack.org/#/admin/groups/347,members
10:44 <lhinds> It has an old one on there (nsn = nokia solutions and networks)
10:45 <lhinds> 'openstack-security-notes-core
10:45 <lhinds>   '
10:45 <lhinds> ^ that is correct
10:45 <hyakuhei> one second I'll take a look
10:45 <lhinds> only security-doc-core that is wrong
10:46 <hyakuhei> done
10:46 <lhinds> cool! thanks
10:46 <hyakuhei> Sorry for the confusion.
10:46 <lhinds> np at all
10:48 <lhinds> hyakuhei: so I think vinay's note is good to go: https://review.openstack.org/#/c/356712/ so I will +2 this and merge, and send out the signed email / populate wiki entry
10:49 <hyakuhei> For an OSSN to be published it should have a +2 from two Security folks and a +1 from a core on the project it affects.
10:49 <hyakuhei> I'll go take a look at it now
10:49 <lhinds> ahh, noted, thanks!
10:49 <hyakuhei> so is there a fix out for this issue now?
10:51 <lhinds> yes, nova disables ipv6
10:51 <lhinds> so the note is to ensure operators don't turn it off without being aware that it can bypass to the host
10:51 <hyakuhei> Good stuff.
10:51 <hyakuhei> Sure, though I should be able to get that from the note ;)
10:51 <lhinds> Dustin submitted the patch which was merged
10:51 <hyakuhei> which I haven't finished reading yet.
10:52 *** salv-orl_ has joined #openstack-security
10:52 <lhinds> Instructions:
10:52 <lhinds> IPv6 is now disabled by default using root_dev.disable_ipv6() in interface.py
10:52 <lhinds> which calls the method common.ip_utils.is_enabled()
10:54 *** salv-orl_ has quit IRC
10:56 *** salv-orlando has quit IRC
10:57 *** aastha has quit IRC
11:12 *** trisq has quit IRC
11:48 <openstackgerrit> Merged openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/362728
12:32 <openstackgerrit> Merged openstack/security-doc: OSSN-0070: bandit version < 1.1.0 have possible XSS  https://review.openstack.org/355493
12:52 *** markvoelker has joined #openstack-security
12:57 *** trisq has joined #openstack-security
13:01 *** jesusrodriguez has quit IRC
13:17 *** markvoelker has quit IRC
13:24 *** dave-mccowan has joined #openstack-security
13:40 *** markvoelker has joined #openstack-security
13:42 *** vinaypotluri has joined #openstack-security
13:45 *** markvoelker has quit IRC
13:46 *** woodburn has left #openstack-security
13:53 *** liverpooler has quit IRC
14:03 *** hockeynut has joined #openstack-security
14:05 *** shohel has quit IRC
14:07 *** browne has joined #openstack-security
14:08 *** sdake has joined #openstack-security
14:09 *** cleong has joined #openstack-security
14:11 *** woodburn has joined #openstack-security
14:12 *** sdake_ has joined #openstack-security
14:13 *** sdake has quit IRC
14:25 *** mvaldes has joined #openstack-security
14:34 *** dikonoor has joined #openstack-security
14:34 *** woodster_ has joined #openstack-security
14:43 *** _elmiko is now known as elmiko
14:47 *** sdake_ has quit IRC
15:01 *** knangia has joined #openstack-security
15:09 *** sdake has joined #openstack-security
15:12 *** nkinder has quit IRC
15:15 *** aastha has joined #openstack-security
15:25 *** nkinder has joined #openstack-security
15:31 *** sdake has quit IRC
15:40 *** salv-orlando has joined #openstack-security
15:45 <openstackgerrit> Merged openstack/security-analysis: Report sphinx errors  https://review.openstack.org/361168
16:04 *** ccneill has joined #openstack-security
16:10 *** mdong has joined #openstack-security
16:14 *** mwturvey has joined #openstack-security
16:14 *** mwturvey has quit IRC
16:30 *** ccneill has quit IRC
16:30 *** ccneill has joined #openstack-security
16:33 *** hockeynut has quit IRC
16:37 *** trisq has quit IRC
16:45 <ccneill> +1'd your CR, mdong
16:45 <ccneill> keystone API docs for anyone who needs them: http://developer.openstack.org/api-ref/identity/v3/
16:50 *** liverpooler has joined #openstack-security
16:53 *** gfhellma has joined #openstack-security
17:01 *** gfhellma1 has joined #openstack-security
17:03 *** gfhellma has quit IRC
17:12 *** rcernin has quit IRC
17:13 <ccneill> unrahul / vinaypotluri : can one of y'all +2 mdong's CR when you get a chance? https://review.openstack.org/#/c/362480/
17:13 <ccneill> then I think we're good on CRs until we get further in our testing :)
17:14 *** tesseract- has quit IRC
17:24 *** tesseract- has joined #openstack-security
17:25 *** pcaruana has quit IRC
17:27 *** sdake has joined #openstack-security
17:28 *** tesseract- has quit IRC
17:42 *** hockeynut has joined #openstack-security
17:54 *** markvoelker has joined #openstack-security
18:05 *** gfhellma1 has quit IRC
18:05 *** tesseract- has joined #openstack-security
18:05 *** tesseract- has quit IRC
18:06 *** tesseract- has joined #openstack-security
18:06 *** gfhellma has joined #openstack-security
18:08 *** salv-orl_ has joined #openstack-security
18:08 *** tesseract- has quit IRC
18:10 *** tesseract- has joined #openstack-security
18:11 *** salv-orlando has quit IRC
18:15 *** dikonoor has quit IRC
18:16 *** dikonoor has joined #openstack-security
18:20 <ccneill> hmm.. so this is interesting
18:20 <ccneill> http://developer.openstack.org/api-ref/identity/v3/?expanded=assign-role-to-user-on-projects-owned-by-domain-detail,create-policy-detail,show-credential-details-detail,list-credentials-detail,create-credential-detail#create-credential
18:20 <ccneill> when creating an EC2 credential like that
18:20 <ccneill> keystone does SHA256() on the "access" key, and that becomes the "unique ID" instead of using a uuid4
18:20 <ccneill> https://github.com/openstack/keystone/blob/master/keystone/credential/controllers.py#L36-L60
18:21 <ccneill> so if you look at those examples in the docs, for example, `echo -n "181920" | openssl dgst -sha256` = 3d3367228f9c7665266604462ec60029bcd83ad89614021a80b2eb879c572510
18:22 *** markvoelker has quit IRC
18:22 <ccneill> "blob": "{\"access\":\"181920\",\"secret\":\"secretKey\"}",
18:22 <ccneill>     "project_id": "731fc6f265cd486d900f16e84c5cb594",
18:22 <ccneill>     "type": "ec2",
18:22 <ccneill>     "id": "3d3367228f9c7665266604462ec60029bcd83ad89614021a80b2eb879c572510"
18:22 <ccneill> from the docs
18:23 <ccneill> so I'm curious.. what do AWS "access" sections typically look like? from OS docs, looks like MD5s and tenant IDs(?), but on AWS' docs it looks like they're completely different
18:24 <ccneill> https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html
18:28 *** sicarie has joined #openstack-security
18:30 *** tesseract- has quit IRC
18:30 *** tesseract- has joined #openstack-security
18:30 *** tesseract- has quit IRC
18:31 *** tesseract- has joined #openstack-security
18:37 *** tesseract- has quit IRC
18:37 *** sicarie has quit IRC
18:44 *** sicarie has joined #openstack-security
18:49 *** salv-orl_ has quit IRC
18:49 *** mvaldes1 has joined #openstack-security
18:51 *** bknudson has quit IRC
18:52 *** mvaldes has quit IRC
18:56 *** mvaldes has joined #openstack-security
18:56 *** bknudson has joined #openstack-security
18:59 *** mvaldes1 has quit IRC
18:59 *** salv-orlando has joined #openstack-security
19:00 *** sicarie has quit IRC
19:03 *** mdong_ has joined #openstack-security
19:06 *** jesusrodriguez has joined #openstack-security
19:06 *** jesusrodriguez has left #openstack-security
19:07 *** mdong has quit IRC
19:07 *** mdong_ is now known as mdong
19:17 *** tmcpeak has joined #openstack-security
19:26 *** sicarie has joined #openstack-security
19:28 <openstackgerrit> Michael Dong proposed openstack/syntribos: Fixed bug where CLI failure counts were cumulative  https://review.openstack.org/363158
19:39 *** rcernin has joined #openstack-security
19:49 *** hockeynut has quit IRC
20:05 *** gfhellma has quit IRC
20:06 *** gfhellma has joined #openstack-security
20:10 *** dikonoor has quit IRC
20:11 *** sdake has quit IRC
20:11 *** mvaldes has quit IRC
20:12 *** sdake has joined #openstack-security
20:12 *** mvaldes has joined #openstack-security
20:33 *** rcernin has quit IRC
20:33 *** rcernin has joined #openstack-security
20:35 *** diazjf has joined #openstack-security
20:36 <ccneill> any knowledgeable haxors want to check out my take on this keystone bug? https://bugs.launchpad.net/keystone/+bug/1618615
20:36 <openstack> ccneill: Error: malone bug 1618615 not found
20:37 <ccneill> tmcpeak / hyakuhei / tristanC ?
20:38 *** mdong has quit IRC
20:38 <tmcpeak> ccneill: I don't have access either
20:39 *** Oshino has quit IRC
20:39 <ccneill> sec
20:39 <ccneill> boom
20:39 <ccneill> should have access now
20:40 * tmcpeak looks
20:40 <ccneill> probably shouldn't have used an XSS payload in my example lol O:-)
20:41 <unrahul> hey ccneill
20:41 <ccneill> sup unrahul
20:41 <tmcpeak> ccneill: you're just fun like that
20:41 <ccneill> ;)
20:41 <ccneill> a wiiild and crazy dood
20:41 <unrahul> I got a 500 error for a req when the body was a buffer overflow payload
20:41 <unrahul> can u take a look at our google sheet
20:41 <unrahul> and see if we should raise it
20:42 <ccneill> nice
20:42 *** Oshino has joined #openstack-security
20:42 <ccneill> we should probably aggregate 500 errors together so we don't overload them with bug reports, but yeah I think that's worth reporting
20:43 <ccneill> I wouldn't have reported the first one I found if it hadn't affected so many different endpoints
20:43 <tmcpeak> ccneill: nice, found using Syntribos?
20:43 <ccneill> or at least, would've reported it together with other 500 errors we've found
20:43 <tmcpeak> looks like an interesting design decision at least
20:43 <ccneill> tmcpeak: nah, just dumb brainmeat :P
20:43 <ccneill> started looking at API docs today, then looked at code
20:44 <ccneill> at first I was like "huh.. that looks like a huge id. maybe I can try to do a timing attack to determine existence of a given key"
20:44 <ccneill> but then I realized it was a SHA256() of a knowable value and I was like O_o
20:45 <ccneill> almost made it to writing a test for Syntribos, buut I think this is more interesting
20:45 <unrahul> okay ccneill  I shall list all the 500 errors and may be we can raise a bug in the evening.
20:46 <ccneill> unrahul: sounds good!
20:46 <ccneill> I have a feeling we'll find plenty :)
20:48 <tmcpeak> yeah, ccneill good bug :)
20:49 <ccneill> :D
20:49 <ccneill> I was hoping so
20:50 *** diazjf has quit IRC
20:53 <unrahul> ccneill: :D , after few weeks of dev I am kinda liking this..
20:53 <ccneill> yep, it's a change of pace for sure haha
20:53 <ccneill> I've missed it >:)
20:54 <ccneill> writing security tools is fun. using them is more fun
20:54 <unrahul> hehe.. true.. I get it now.
20:54 <unrahul> hey ccneill vinaypotluri  is the tool really slow now?
20:55 <vinaypotluri> nope
20:55 <unrahul> are we making too many requests??
20:56 <unrahul> ccneill:  we need a pause option for syntribos...
20:57 <ccneill> agreed..
20:57 <unrahul> how involved will it be any idea?
21:03 *** julian1 has joined #openstack-security
21:06 *** diazjf has joined #openstack-security
21:06 *** jamielennox is now known as jamielennox|away
21:06 *** jmckind has joined #openstack-security
21:07 <tmcpeak> are you guys using queuing like celery?
21:07 <tmcpeak> should be relatively easy if so
21:10 <ccneill> tmcpeak: not at this point :(
21:11 <tmcpeak> ahh ok
21:11 <tmcpeak> may be a bit more challenging then...
21:17 *** hockeynut has joined #openstack-security
21:23 <unrahul> I was thinking of caching the template calls and keeping a note of it.. at the bare minimum and if there is an interrupt run from the last known template detail..
21:26 <ccneill> hmm.. not sure we can resume that generator in a reasonable way if you ctrl-c it
21:26 *** sdake has quit IRC
21:26 <ccneill> https://stackoverflow.com/questions/13381466/how-to-gracefully-stop-python-unittest
21:26 <ccneill> was reading this, not sure if it would work for us
21:26 *** salv-orlando has quit IRC
21:30 <unrahul> :/
21:30 <unrahul> will need to remove unittests
21:30 <unrahul> and do some celery magic>??
21:30 <tmcpeak> CELERY MAGIC!
21:31 *** hockeynut has quit IRC
21:31 <ccneill> :{
21:31 <unrahul> ah.. when I thought it was over.. they pulled me back in! :/
21:31 <ccneill> we probably should get rid of unittest at some point
21:31 <tmcpeak> say "celery magic" three times and gmurphy appears like beetleguise
21:32 *** sdake has joined #openstack-security
21:32 <knangia> :D
21:32 <ccneill> not sure we have time right now with our current testing schedule though x_x
21:32 <unrahul> hehe.. need to check it out.
21:32 <unrahul> yeah..
21:32 <unrahul> I dont suppose we can do anything now
21:35 *** cleong has quit IRC
21:36 <unrahul> eeh ccneill  so there is a bug in our logging (again :/) , if we have subdirs then as there is option to create that subdir dir given, the logger would fail.. I am working on a patch ryt now..will put a cr out..
21:36 <unrahul> u guys got this?
21:36 <unrahul> it will only happen when templates are in subdirs
21:41 <unrahul> ccneill:  i guess it is because we have relative paths for the templates now..
21:41 <ccneill> >_< d'oh
21:42 <ccneill> my bad :(
21:42 <unrahul> :D .. I dont suppose we need subdirs for logs as well.. trying to find a short cut and append it.
21:43 <unrahul> hey ccneill  I think its a quick fix
21:44 *** gfhellma1 has joined #openstack-security
21:44 *** diazjf has quit IRC
21:44 *** gfhellma has quit IRC
21:48 *** gfhellma has joined #openstack-security
21:49 *** salv-orlando has joined #openstack-security
21:50 *** gfhellma1 has quit IRC
21:50 <openstackgerrit> Rahul U Nair proposed openstack/syntribos: Fixing bug in logger  https://review.openstack.org/363290
21:50 *** diazjf has joined #openstack-security
21:51 <openstackgerrit> Rahul U Nair proposed openstack/syntribos: Fixing bug in logger  https://review.openstack.org/363290
21:51 *** mvaldes has quit IRC
21:55 <unrahul> hey ccneill  I have uploaded a patch, should be generic and check for all non alphabets/numbers or does this patch look alryt..?
21:56 <ccneill> unrahul: sorry, responding to the keystone bug
21:56 <ccneill> will check it out in a sec
21:56 <unrahul> oh yup!
22:03 *** jmckind has quit IRC
22:31 *** diazjf has quit IRC
22:31 *** diazjf has joined #openstack-security
22:32 <unrahul> hey ccneill  u there?
22:32 <ccneill> yep
22:32 <ccneill> just commented on your CR
22:32 <unrahul> should we use the separator as "::" ?
22:32 <unrahul> as - and _ would look weird..
22:33 <unrahul> what do u say?
22:33 <unrahul> sep - ::
22:33 <ccneill> hmm
22:34 <unrahul> so..??
22:34 <ccneill> I'm not sure if : would behave weird on windows
22:34 <ccneill> as if it were a drive or something
22:34 <ccneill> I agree : would probably be clearer though
22:35 <unrahul> oh..
22:35 <unrahul> I shall keep this for now.. and may be we can file a bug.. if something happens later..
22:36 <ccneill> for ":"? sounds fine for now
22:36 *** sdake has quit IRC
22:37 <ccneill> I need to go get my car inspected lol >_<, I'll be back online a bit later
22:38 *** gfhellma has quit IRC
22:38 <unrahul> yup.
22:38 <unrahul> alryt ccneill  will see u later.
22:39 *** gfhellma has joined #openstack-security
22:44 <openstackgerrit> Rahul U Nair proposed openstack/syntribos: Fixing bug in logger  https://review.openstack.org/363290
22:48 *** sicarie has quit IRC
22:52 <openstackgerrit> Rahul U Nair proposed openstack/syntribos: A nit in separator  https://review.openstack.org/363306
23:08 *** diazjf has quit IRC
23:13 *** elmiko is now known as _elmiko
23:20 <openstackgerrit> Merged openstack/syntribos: A nit in separator  https://review.openstack.org/363306
23:21 *** salv-orlando has quit IRC
23:27 <openstackgerrit> Merged openstack/syntribos: Fixing bug in logger  https://review.openstack.org/363290
23:28 <openstackgerrit> Merged openstack/syntribos: Fixed bug where CLI failure counts were cumulative  https://review.openstack.org/363158
23:35 *** rcernin has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!