15:00:40 #startmeeting security
15:00:41 Meeting started Thu Aug 8 15:00:40 2019 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:42 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:44 The meeting name has been set to 'security'
15:00:55 aloha
15:00:55 #link https://review.opendev.org/#/c/674877/
15:01:02 o/
15:01:19 o/
15:03:29 let's begin
15:03:36 #topic OSSA-2019-003
15:03:58 So a new OSSA was released this week
15:04:06 thanks to fungi for handling that
15:04:12 #link https://security.openstack.org/ossa/OSSA-2019-003.html
15:04:28 #link https://bugs.launchpad.net/nova/+bug/1837877
15:04:29 Launchpad bug 1837877 in OpenStack Compute (nova) queens "[OSSA-2019-003] Nova Server Resource Faults Leak External Exception Details (CVE-2019-14433)" [High,In progress] - Assigned to Matt Riedemann (mriedem)
15:04:42 Fixes in Nova are here
15:04:43 #link https://review.opendev.org/#/q/I5e0a43ec59341c9ac62f89105ddf82c4a014df81
15:06:41 all supported stable branches except stable/queens have merged at this point
15:07:32 also the advisory was hung up in the openstack-announce ml's moderation queue until just now, but it also was sent on tuesday to the openstack-discuss ml as well as oss-security (non-openstack open source security mailing list)
15:08:06 after discussing with ttx he's suggested i become a co-moderator of openstack-announce so we don't have to ping him on these in the future
15:08:53 also the real thanks on ossa-2019-003 go to donnyd for reporting it and mriedem for writing and testing all the patches for 6 different branches of nova
15:09:19 thanks to all of them too then!
15:10:02 #topic Nova/Cinder policy
15:10:12 mhen: sorry, it's been crazy here this last week
15:10:25 I still have that on my to-do list
15:10:25 No worries, I totally understand :)
15:10:32 just giving a heads up :)
15:10:47 and putting it on the agenda also helps me remember
15:11:07 #topic Open Discussion
15:11:14 anyone have anything else?
15:16:29 update on the image encryption effort
15:16:59 it looks like the nova spec is unlikely to get a spec freeze exception for train, based on discussion in #openstack-nova on monday
15:17:35 hmm ok
15:17:49 the main reasoning is that if they did approve the exception, they don't think they'd have time to actually review the necessary changes for the implementation before release
15:18:39 especially as the image handling routines in nova are rather dangerous places to be poking around due to their age (they don't get touched often) so extra care would be required there
15:19:23 there were also still some outstanding questions on the spec requiring clarification, and a concern about assumptions being made around the wrong abstraction layers
15:19:46 makes sense
15:19:52 so ideally the spec gets polished up in the coming weeks and targets an early approval in the "u" cycle
15:19:55 probably best not to rush this
15:23:46 thanks fungi mhen
15:23:53 have a good rest of the week
15:23:57 #endmeeting