List: oss-security
Subject: Re: [oss-security] Re: [Openstack] [OSSA 2012-016] Token authorization for a user in a disabled tena
From: andi abes <andi.abes () gmail ! com>
Date: 2012-09-29 22:18:21
Message-ID: CA+KYVfi9VmoT4QzAPsFNv1=nYe1yu8gWzWTYHHBzSUQXdKcEcA () mail ! gmail ! com
On Sat, Sep 29, 2012 at 1:28 PM, Russell Bryant <rbryant@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/29/2012 02:18 AM, Kurt Seifried wrote:
>> On 09/28/2012 05:56 PM, andi abes wrote:
>>> is the plan going forward to announce these on friday
>>> afternoons?
>>
>> I can't speak for OpenStack but the history of these vulns is that
>> they have been public since May 2012 and April 2012, but were not
>> labelled as security. They were noticed, CVEs were assigned and I
>> think the idea was to notify people quickly since they have a
>> significant impact and have been around for a while.
>
> Correct. Normally, we only announce on Tuesday through Thursday. In
> the case of the two announced yesterday (Friday), these were issues
> fixed a good while ago in the open so we were just now catching up and
> labeling them properly.
>
Indeed, they were fixed a while ago. It just required a mini
fire-drill to verify that, and ensure the packages we are using in our
deployments indeed had the fixes in. As you point out, the original
problem report didn't have a CVE designation assigned, so the relevant
commit messages and standard security tracking mechanisms didn't
indicate the fixes are included.
A fun way to spend a Friday afternoon.
IIRC, per security process, packagers/distributors are notified before
the CVEs are made public. It would be a great fire-drill
extinguisher if the CVE announcement provided a link to a centralized
location (for the CVE) where package maintainers could update the
distribution information.
> Thanks,
>
> - --
> Russell Bryant
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBnL8MACgkQFg9ft4s9SAYz3wCfYo+RnuaEtkEtUGmczPwvQiSh
> yc8An30yhBv+SA1HZxlF2D+gEEUeOM6R
> =RMEV
> -----END PGP SIGNATURE-----