| fungi | any chance someone with a better understanding of horizon internals can take a look at https://launchpad.net/bugs/1940450 in order to assist the ubuntu package maintainers in determining whether they need to patch old versions of xstatic-bootstrap-scss? | 13:31 |
|---|---|---|
| lmercl | Hello vishalmanchanda, for my issue https://bugs.launchpad.net/horizon/+bug/1940834 is fixed proposed to nova-api by these my PRs to nova project: https://review.opendev.org/c/openstack/nova/+/805995 and https://review.opendev.org/c/openstack/nova/+/805997 | 13:34 |
| vishalmanchanda | fungi: looking. | 13:54 |
| vishalmanchanda | lmercl: nice | 13:55 |
| vishalmanchanda | #startmeeting horizon | 15:00 |
| opendevmeet | Meeting started Wed Aug 25 15:00:56 2021 UTC and is due to finish in 60 minutes. The chair is vishalmanchanda. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
| opendevmeet | The meeting name has been set to 'horizon' | 15:00 |
| vishalmanchanda | hi anyone around for horizon meeting? | 15:01 |
| rdopiera | o/ | 15:03 |
| tmazur | o/ | 15:03 |
| vishalmanchanda | ok let's start. | 15:04 |
| vishalmanchanda | #topic Notices | 15:04 |
| vishalmanchanda | Next week is Xena-3 milestone. | 15:04 |
| vishalmanchanda | Xena Schedule https://releases.openstack.org/xena/schedule.html | 15:05 |
| vishalmanchanda | Also Feature freeze so please let me know if you are working on any feature and want to get it reviewed. | 15:05 |
| rdopiera | I will probably not be able to push my work before freeze, so it will go to Yoga | 15:06 |
| vishalmanchanda | rdopiera: np. | 15:06 |
| vishalmanchanda | TC & PTL Nominations was ended yesterday and I am again up for PTL for yoga cycle. | 15:08 |
| vishalmanchanda | that's all update from my side for this week. | 15:08 |
| vishalmanchanda | #topic open-discussion | 15:09 |
| vishalmanchanda | We have one security bug reported in horizon changed to public, please take a look at https://bugs.launchpad.net/horizon/+bug/1940450 if it's valid or not? | 15:09 |
| vishalmanchanda | I nice to have more eyes on the bug. | 15:10 |
| rdopiera | I already commented on it. They are basically right in comment #7 | 15:10 |
| vishalmanchanda | so no action required from our side? | 15:11 |
| amotoki | one question is whether we should use the recommended version of xstatic version of bootstrap? | 15:12 |
| rdopiera | I don't think so. I think that CVE was one of the main reasons why I upgraded that package in the first place. | 15:12 |
| vishalmanchanda | rdopiera: thanks for confirmation. | 15:12 |
| amotoki | it is not an easy situation for folks who deploy horizon using pip | 15:13 |
| amotoki | do we need a message not to trust the version of xstatic versions and to suggest the upstream of xstatic packages? | 15:14 |
| rdopiera | what do you mean by not trusting the xtstatic versions? | 15:14 |
| rdopiera | they are correct | 15:15 |
| amotoki | sorry I was confused that we need to upgrade bootstrap-scss to 3.4.1 but this is the current vesion. | 15:16 |
| rdopiera | the only problem is that Ubuntu didn't upgrade | 15:17 |
| amotoki | I read thru it again and you are all right. | 15:18 |
| vishalmanchanda | Does anyone have any other topic to discuss? | 15:20 |
| rdopiera | I don't | 15:20 |
| tmazur | Nothing from me | 15:21 |
| amotoki | perhaps xenial is too old and ubuntu cares only xstatic versions shipped with horizon in xenial. | 15:21 |
| amotoki | they might not track independent releases like this. this bug would be a good notice. | 15:22 |
| amotoki | nothing from me more | 15:22 |
| vishalmanchanda | then let's end this meeting. | 15:23 |
| vishalmanchanda | Thanks everyone for joining, see you next week. | 15:23 |
| vishalmanchanda | #endmeeting | 15:24 |
| opendevmeet | Meeting ended Wed Aug 25 15:24:09 2021 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:24 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/horizon/2021/horizon.2021-08-25-15.00.html | 15:24 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/horizon/2021/horizon.2021-08-25-15.00.txt | 15:24 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/horizon/2021/horizon.2021-08-25-15.00.log.html | 15:24 |
| amotoki | o/ | 15:24 |
| fungi | rdopiera: thanks for following up on the bootstrap tooltips bug. do you have any feedback on seth's later comments (#11 about FormsetCell et cetera particularly, but maybe also #12 about if horizon relies on it for anything besides the vitrage dashboard)? | 15:45 |
| rdopiera | fungi: to be honest I don't understand those comments, the CVE is fixed in that version of bootstrap, so I see no point in analyzing where the tooltips are being used | 15:47 |
| rdopiera | I imagine there are many places where the tooltips display user-provided data. | 15:48 |
| fungi | yeah, i think what seth's trying to ascertain is whether horizon exposes any of the vulnerable functions to begin with, in order to determine if there's a fix which can be applied to the version in ubuntu bionic (ubuntu provides stable packaging, and backports specific fixes to the versions they carry rather than just upgrading entire libraries any time there's a vulnerability in one) | 16:02 |
| fungi | since twitter bootstrap doesn't seem to offer stable backports of fixes like we do, he'd need to do the backporting of the fix himself and wants to work out if it's worth the effort to do so | 16:03 |
| rdopiera | I really doubt that anything else is using that xstatic library. | 16:06 |
| rdopiera | Even if Horizon just happens to not use the vulnerable function by coincidence, we can't really say if any plugin, especially a 3rd-party plugin written by a customer doesn't use it. | 16:07 |
| fungi | rdopiera: yep, thanks, that was my rationale as well | 16:08 |
| fungi | just wanted to be sure i was on the right track | 16:08 |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!