#openstack-meeting log

15:01:54 <gagehugo> #startmeeting security
15:01:55 <openstack> Meeting started Thu Dec 20 15:01:54 2018 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:58 <openstack> The meeting name has been set to 'security'
15:02:35 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda
15:03:04 <gagehugo> ping eeiden fungi gagehugo lhinds nickthetait browne redrobot
15:03:19 <redrobot> 🙋🏽‍♂️
15:04:20 <fungi> ohai
15:04:58 <gagehugo> o/
15:05:37 <gagehugo> probably will be a quick meeting
15:06:34 <gagehugo> redrobot fungi: any updates?
15:06:50 <gagehugo> I was going to cancel the meeting for next week
15:06:55 <gagehugo> and potentially the week after
15:07:05 <fungi> there's been a cve assigned for that keystone security hardening opportunity
15:07:18 <gagehugo> fungi: yes
15:07:27 <fungi> #link https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20170
15:07:48 <gagehugo> we discussed potential changes to make on Monday
15:07:51 <gagehugo> lemme grab a link
15:08:11 <fungi> i disagree with the dispute detail in there, but it was filed by the bug reporter since the vmt doesn't acquire cve assignments for things it doesn't have immediate plans to issue an ossa for
15:08:40 <fungi> i've left some follow-up comments in the bug report to that effect
15:08:44 <gagehugo> yeah
15:09:00 <fungi> #link https://launchpad.net/bugs/1795800 Timing oracle in core auth plugin simplifies brute-forcing usernames
15:09:02 <openstack> Launchpad bug 1795800 in OpenStack Identity (keystone) "Timing oracle in core auth plugin simplifies brute-forcing usernames" [Wishlist,In progress] - Assigned to Gage Hugo (gagehugo)
15:09:28 <gagehugo> fungi: http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-12-17.log.html#t2018-12-17T20:03:41
15:09:34 <gagehugo> #link http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-12-17.log.html#t2018-12-17T20:03:41
15:09:55 <redrobot> Only update from me is we've been working on adding Barbican + HSM support to TripleO
15:10:13 <fungi> nice!
15:10:23 <redrobot> #link https://review.openstack.org/#/q/topic:add_hsm_parameters
15:10:52 <gagehugo> tl;dr I think the general consensus is to explore a flask hook to make the timings more similar between immediately spitting back an unauthorized vs valid username
15:11:13 <fungi> redrobot: is that focused on the operations end, or for providing access to hsms from guest instances?
15:11:47 <redrobot> fungi, focused on adding support for deploying Barbican on the Overcloud with an HSM as the backend.
15:11:59 <fungi> ahh
15:12:08 <fungi> i know some in the cyborg team expressed an interest in being able to schedule hsm hardware passed through to guests, but that's a whole different can of worms
15:12:13 <gagehugo> interesting
15:18:00 <gagehugo> redrobot fungi: you both ok with canceling the next two weeks meetings?
15:18:17 <redrobot> gagehugo, works for me.
15:18:22 <gagehugo> and picking back up on the 10th
15:19:08 <fungi> yeah, that seems reasonable
15:19:29 <fungi> i'll be around on the 27th and 3rd but i don't see much point in meeting if nobody else will be
15:21:17 <gagehugo> ok
15:22:02 <gagehugo> I should be around on the 3rd, but I figured there (likely) wouldn't be much going on
15:22:28 <gagehugo> fungi redrobot: thanks for coming! have a happy holidays and happy new year!
15:22:48 <redrobot> gagehugo, thank you!  same to you! :D
15:22:58 <gagehugo> :D
15:23:02 <gagehugo> #endmeeting