
List:       oss-security
Subject:    Re: [oss-security] Re: [Openstack] [OSSA 2012-016] Token authorization for a user in a disabled tena
From:       andi abes <andi.abes () gmail ! com>
Date:       2012-09-29 22:18:21
Message-ID: CA+KYVfi9VmoT4QzAPsFNv1=nYe1yu8gWzWTYHHBzSUQXdKcEcA () mail ! gmail ! com

On Sat, Sep 29, 2012 at 1:28 PM, Russell Bryant <rbryant@redhat.com> wrote:
>
> On 09/29/2012 02:18 AM, Kurt Seifried wrote:
>> On 09/28/2012 05:56 PM, andi abes wrote:
>>> Is the plan going forward to announce these on Friday
>>> afternoons?
>>
>> I can't speak for OpenStack, but the history of these vulns is that
>> they have been public since May 2012 and April 2012 but were not
>> labelled as security; they were noticed, CVEs were assigned, and I
>> think the idea was to notify people quickly since they have a
>> significant impact and have been around for a while.
>
> Correct.  Normally, we only announce on Tuesday through Thursday.  In
> the case of the two announced yesterday (Friday), these were issues
> fixed a good while ago in the open so we were just now catching up and
> labeling them properly.
>

Indeed, they were fixed a while ago. It just required a mini
fire-drill to verify that, and to ensure the packages we are using in our
deployments indeed had the fixes in. As you point out, the original
problem report didn't have a CVE designation assigned, so the relevant
commit messages and standard security tracking mechanisms didn't
indicate that the fixes were included.
A fun way to spend a Friday afternoon.

IIRC, per the security process, packages/distributors are notified before
the CVEs are made public. It would be a great fire-drill
extinguisher if the CVE announcement provided a link to a centralized
location (for the CVE) where package maintainers could update the
distribution information.

> Thanks,
>
> --
> Russell Bryant
