#openstack-meeting log

15:01:15 <gagehugo> #startmeeting security
15:01:16 <openstack> Meeting started Thu Oct 17 15:01:15 2019 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:17 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:20 <openstack> The meeting name has been set to 'security'
15:01:39 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:01:50 <fungi> greetings
15:03:52 <gagehugo> light agenda today
15:05:00 <fungi> i've been wrapped up in other things this past week, so not sure what there is to discuss
15:05:19 <gagehugo> same
15:05:25 <fungi> though we skipped last week
15:05:53 <gagehugo> a busy october unfortunately
15:06:13 <fungi> so we could talk about the octavia ossa
15:06:47 <fungi> that was week before last
15:06:55 <gagehugo> sure
15:07:03 <fungi> #link https://security.openstack.org/ossa/OSSA-2019-005.html OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate
15:07:12 <fungi> i thought this was actually a really cool first
15:07:44 <gagehugo> yeah, the team there managed the process themselves for the most part
15:07:49 <fungi> the octavia team followed the openstack vmt's process themselves, since that deliverable doesn't have a vulnerability:managed governance tag
15:08:21 <fungi> so, yeah, the vmt just reviewed the ossa, octavia took care of the rest
15:08:36 <fungi> it can't have been easy, so big kudos to them
15:08:56 <njohnston> fungi: I'll pass it on!  Very cool.
15:09:12 * njohnston works closely with those folks
15:09:19 <johnsom> o/
15:09:25 <fungi> also i think it's our first ossa to link a story in storyboard instead of a bug in launchpad
15:10:24 <gagehugo> \o/
15:11:37 <fungi> in more general news, there's quite a few patches proposed/merged/released for security hardening opportunities this month:
15:11:44 <fungi> #link http://lists.openstack.org/pipermail/openstack-security/2019-October/thread.html
15:12:06 <fungi> not sure if anyone has any in particular they want to call out
15:13:21 <fungi> #link https://launchpad.net/bugs/1842749 CSV Injection Possible in Compute Usage History
15:13:21 <openstack> Launchpad bug 1842749 in OpenStack Dashboard (Horizon) "CSV Injection Possible in Compute Usage History" [High,Fix released] - Assigned to Adam Harwell (adam-harwell)
15:14:02 <fungi> that one was determined to be a security hardening opportunity 5 days ago, and the fix for it merged to master a few days later
15:15:08 * gagehugo will take a look
15:15:46 <gagehugo> oh that's the windows one
15:16:11 <fungi> yeah, i thought that was a rather obscure report, but nice to see folks thinking creatively about attack vectors
15:18:39 <gagehugo> yeah, it's valid
15:21:28 <fungi> what with everyone focused on train release prep the past few weeks, i expect there's just not much for us to talk about today
15:21:32 <gagehugo> anything else for this week?
15:21:37 <gagehugo> probbaly
15:21:41 <gagehugo> probably*
15:21:59 <gagehugo> We can go ahead and cancel the meeting during the summit as well
15:22:57 <fungi> that's likely for the best. thursday the 7th
15:23:11 <fungi> of november
15:23:40 <fungi> i also doubt i'll be around for the meeting thursday october 31st as i'll be on my way to catch a flight to shanghai
15:24:11 <fungi> technically the one on november 7 is during the ptg not the summit, but close enough
15:24:17 <gagehugo> yeah
15:24:37 <gagehugo> I'll also be out the 21st of Nov
15:24:51 <fungi> it's getting to be that time of year
15:25:07 <gagehugo> yup
15:25:18 <gagehugo> winter is coming
15:25:27 <fungi> so anyway, plan to meet next week as usual, i'll miss the week after that, and then the following week is summit/ptg
15:25:51 <gagehugo> sounds good
15:26:26 <gagehugo> anything else? floor is open
15:28:54 <gagehugo> thanks everyone, have a good rest of the week!
15:28:57 <gagehugo> #endmeeting