17:00:58 <hyakuhei> #startmeeting OpenStack Security Group
17:00:59 <openstack> Meeting started Thu Sep 25 17:00:58 2014 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:00 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:00 <tkelsey> hello all
17:01:04 <openstack> The meeting name has been set to 'openstack_security_group'
17:01:14 <hyakuhei> Good evening / morning all
17:01:28 <tkelsey> hyakuhei: \o
17:01:30 <sweston> Morning!
17:01:32 <hyakuhei> Are we enjoying this very peaceful and uneventful week?
17:01:33 <michaelxin> morning
17:01:50 <bknudson> hi
17:02:00 <sicarie> It's nice to be able to sit back, relax, and know that all is calm
17:02:09 <chair6> g'day
17:02:48 <nkinder_> hi all
17:02:59 <hyakuhei> Right, I expect we've all got stuff to do this week
17:03:37 <hyakuhei> Quick round up of vulnerabilities you probably should know about
17:03:47 <hyakuhei> Shellshock - google it. Bad times
17:04:00 <michaelxin> yup. patching time
17:04:03 <hyakuhei> LibNSS has an issue with RSA signature checking - bad times for Keystone I expect
17:04:30 <hyakuhei> Libvncserver has a remote bof but standard openstack deployments shouldn't be affected as QEMU doesn't use it
17:04:55 <hyakuhei> QEMU has two vulnerabilities that are reasonably horrible, pcihp.c and vga.c
17:05:16 <hyakuhei> pcihp.c has some nasty implications and the operators of clouds should go check if they're affected
17:05:35 <hyakuhei> Xen has a monumentally bad vuln which is embargoed until October 1st
17:05:43 <nkinder_> hyakuhei: you mean Mozilla NSS?
17:05:45 <hyakuhei> And that concludes my little rundown
17:05:51 <hyakuhei> nkinder_: yeah
17:05:56 <nkinder_> hyakuhei: keystone uses openssl
17:06:02 <hyakuhei> Didn't have time to put notes together so just running from memory
17:06:09 <michaelxin> thanks for the update
17:06:14 <hyakuhei> I thought ayoung loved NSS for the pki stuff?
17:06:27 <morganfainberg> hyakuhei, but we use OpenSSL
17:06:27 <hyakuhei> Happy to stand corrected, one less thing for everyone to worry about :)
17:06:28 <morganfainberg> :)
17:06:39 <hyakuhei> Great
17:06:59 <hyakuhei> Ok so I was going to talk about elections and things today but I've not had time to prep much
17:07:05 <bknudson> if you're running keystone in apache then you can use nss, I think.
17:07:20 <morganfainberg> bknudson, not for token sig checking afaict.
17:07:38 <hyakuhei> #link https://wiki.openstack.org/wiki/Security/OSSG_Lead_Election_Fall_2014
17:08:12 <nkinder_> bknudson: yes, but that's for SSL only (not token signing)
17:08:29 <hyakuhei> I will follow up with an email about that soon, short version : It's time to pick a leader for the OSSG next release cycle
17:09:27 <hyakuhei> ok, so agenda items for today?
17:10:37 <tkelsey> i poked bandit, its fun :-) got some patches submitted if people fancy reviewing
17:10:46 <hyakuhei> Sure - links ?
17:11:05 <tkelsey> https://review.openstack.org/#/c/124039/
17:11:23 <tkelsey> and https://review.openstack.org/#/c/124058/
17:12:29 <hyakuhei> Awesome - thanks tkelsey
17:12:30 * bdpayne arrives fashionably late
17:12:40 <hyakuhei> welcome bdpayne !
17:12:45 <bdpayne> :-)
17:12:55 <tkelsey> hyakuhei: welcome, it was fun playing with bandit. Nice tool
17:13:11 <hyakuhei> nkinder_: how are the OSSNs looking?
17:13:12 <chair6> tkelsey we should get you looking at the framework too .. i'm sure there's bugs to be found and fixed :)
17:13:31 <tkelsey> chair6: sure thing
17:13:41 <nkinder_> hyakuhei: coming along nicely.  There are 3 in flight
17:14:37 <hyakuhei> Anything need reviewing?
17:14:38 <nkinder_> So 0024 needs another +2
17:14:47 <hyakuhei> Link please?
17:15:29 <tkelsey> hyakuhei:  https://review.openstack.org/#/c/114460/
17:15:56 <hyakuhei> ty
17:15:57 <tkelsey> OSSN 24
17:15:59 <tkelsey> np
17:16:13 <hyakuhei> Cool
17:16:24 <hyakuhei> Other agenda items?
17:16:28 <nkinder_> sorry, in another meeting that was scheduled over this one...
17:16:43 <nkinder_> So for OSSNs, there are a few things...
17:17:08 <nkinder_> I have one which is being sent out for review today.
17:17:29 <nkinder_> The recent note that went out for a FWaaS issue wasn't reviewed by a neutron core
17:17:45 <bdpayne> oh, sorry
17:17:47 <nkinder_> The contents were fine, but it would have been nice to point out that FWaaS is experimental
17:17:48 <bdpayne> I thought it had
17:17:50 <nkinder_> No biggie
17:17:51 <bdpayne> which is why I approved it
17:17:58 <bdpayne> (I think I'm the one that approved it)
17:18:08 <nkinder_> Yeah, just a reminder for folks to look up the group in gerrit
17:18:24 <bdpayne> or, perhaps we could leave the final approvals to nkinder?
17:18:24 <tkelsey> I wrote that one, sorry all
17:18:35 <bdpayne> and just do our reviews
17:18:35 <hyakuhei> not your fault tkelsey
17:18:35 <bdpayne> ?
17:18:41 <hyakuhei> SPOF
17:18:49 <bdpayne> perhaps a policy like that would help avoid mistakes down the road?
17:18:54 <hyakuhei> Someone from neutron reviewed it right
17:19:02 <nkinder_> hyakuhei: no
17:19:21 <hyakuhei> I'm disinclined to decide policy based on single events, that's how bad rules and horrible processes come about
17:19:24 <nkinder_> It's hard to enforce via gerrit rules, as we need to know what the affected project is
17:19:42 <nkinder_> and the commits are tied to our security-doc repo
17:19:57 <nkinder_> So I think the answer is just "be careful" when approving
17:20:00 <hyakuhei> Let's learn from that and only ok it on workflow if you're confident it's been reviewed by a core. If you're not sure, then punt it to nkinder_  :P
17:20:01 <bdpayne> fair enough
17:20:09 <nkinder_> hyakuhei: +1
17:20:17 <tkelsey> hyakuhei: +1
17:20:33 <nkinder_> bdpayne, tmcpeak, and I were discussing if we should issue a OSSN for the bash issue
17:20:42 <nkinder_> I know chair6 was also doing some research yesterday
17:20:50 <tkelsey> yeah i was thinking about that as well
17:20:57 <bdpayne> ah yeah
17:21:06 <chair6> all somewhat cursory and not sure how useful it was, but it could be considered a datapoint :)
17:21:28 <bdpayne> so I think it could be useful just given the press that this thing has been getting
17:21:30 <nkinder_> I'm OK with us publishing a note if someone wants to write it up
17:21:53 <nkinder_> We should reserve this sort of general purpose security note for big issues like this (and heartbleed)
17:22:02 <bdpayne> yeah
17:22:12 <hyakuhei> +1 same as we did with heartbleed, give the community something to refer all the people who will be asking about it to
17:22:17 <bknudson> hopefully the OSSN will just say that OpenStack doesn't do the kind of thing that makes it vulnerable
17:22:25 <nkinder_> as far as we know...
17:22:27 <tkelsey> do we have a precedent for this kind of note?
17:22:36 <nkinder_> tkelsey: I wrote a note for heartbleed
17:22:50 <tkelsey> link/number ?
17:22:52 <chair6> #link https://wiki.openstack.org/wiki/OSSN/OSSN-0012
17:22:59 <tkelsey> ah cool :)
17:23:36 <nkinder_> So, anyone want to take on writing it up?
17:23:55 <nkinder_> It's sort of a "strike while the iron is hot" issue
17:24:15 <nkinder_> There's no way I will get to it myself today
17:24:33 <hyakuhei> Ditto.
17:25:12 <tkelsey> won't be able to commit to getting it done today :-(
17:25:17 <bdpayne> unfortunately, I'm in the same very busy boat
17:25:28 <nkinder_> Fun times for everyone :)
17:25:29 <bdpayne> perhaps we punt on this one?
17:25:48 <nkinder_> Yeah, or maybe I'll be able to get to it tomorrow...
17:25:52 * nkinder_ says hopefully
17:25:56 <hyakuhei> Throw it on LP see if someone can pick it up tomorrow
17:26:08 <nkinder_> ok, I'll create a LP
17:26:20 <tkelsey> nkinder_: I can pick it up tomorrow UK time if no one else gets it before then
17:28:00 <hyakuhei> Great - thanks tkelsey
17:28:26 <nkinder_> ok, LP filed for shellshock
17:28:27 <nkinder_> https://bugs.launchpad.net/ossn/+bug/1374055
17:28:28 <uvirtbot> Launchpad bug 1374055 in ossn "Publish a security note about bash "shellshock" vulnerability" [Undecided,New]
17:28:41 <hyakuhei> Great
17:28:54 <nkinder_> That's all I have for OSSNs right now
17:28:57 <hyakuhei> So I imagine everyone is super busy today. Anything else for the agenda ?
17:29:13 <nkinder_> One more thing to mention around SSL
17:29:28 <nkinder_> The changes to devstack to enable SSL for all endpoints was approved last night
17:29:35 <nkinder_> It's still fighting with the gate
17:29:35 <bdpayne> oh nice
17:29:57 <nkinder_> But, that should make it through today.  We can start to investigate SSL gate jobs once it's available
17:30:24 <bknudson> there's also a change to make it easy for you to set the token hash algorithm (e.g., to sha256)
17:30:43 <nkinder_> bknudson: link?
17:31:12 <nkinder_> here's the devstack SSL review - https://review.openstack.org/#/c/98854/
17:31:26 <bknudson> https://review.openstack.org/#/c/116535/
17:31:33 <bknudson> set KEYSTONE_TOKEN_HASH_ALGORITHM=sha256
17:32:02 <bknudson> it would be neat to have a tempest run that configures SSL and the token hash algorithm
17:32:41 <nkinder_> bknudson: nice.  That will need to be reflected in the security overview page for Keystone in Juno
17:32:59 <nkinder_> I plan to do a pass through the changes in Keystone now that we're so close to RC
17:33:13 <bknudson> where's that?
17:33:16 <bknudson> security guide?
17:33:31 <nkinder_> #link https://wiki.openstack.org/wiki/Security/Juno/Keystone
17:33:52 <nkinder_> bknudson: I think a few of your changes in Juno need to be reflected there
17:34:03 <nkinder_> bknudson: you've done some good hardening work :)
17:34:15 <bknudson> it's all I can do.
17:34:42 <nkinder_> I think that's all I had for today.
17:34:48 <hyakuhei> Great, anyone else ?
17:34:52 <bknudson> I'll put it on my todo to see if that page needs updates, too
17:34:58 <bknudson> wishes it was in gerrit
17:35:11 <nkinder_> bknudson: I'll propose moving it there (again)
17:35:30 <nkinder_> bknudson: lance had done that in the beginning, but we punted on it
17:35:50 <bknudson> now that we have multiple versions/releases it makes more sense
17:35:55 <nkinder_> +1
17:36:07 <hyakuhei> So I've got one question
17:36:28 <hyakuhei> Anyone know why the second round patch/package update for Shellshock is taking so long?
17:38:23 <hyakuhei> I guess not :) Ok then, that's a wrap peoples!
17:38:26 <hyakuhei> #endmeeting