Message #24193
Re: [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)
Robert Collins wrote:
> What if we were to always do a release after a security advisory?
We don't do a server "stable release" after each security advisory as it
doesn't significantly help spreading the fix, but I agree that for
client libraries (where the PyPI releases are the main form of
downstream consumption of the fix) it makes sense to tag and trigger a
new PyPI release after each security advisory.
These were the first advisories on client libraries, but with Keystone
middleware being shipped within python-keystoneclient, I expect more in
the future.
--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team