
openstack team mailing list archive

OpenStack CVE Wiki page


Hi All

Wasn't sure which list to address this to (possibly documentation?); please
feel free to redirect me!

In my (day) job (not Limilo!) we're currently evaluating an IBM product
which is underpinned by OpenStack. During review our InfoSec people claimed
many (22) open CVE vulnerabilities for the underlying version of OpenStack
used (Folsom). I don't believe this to be the case, as Launchpad lists only
3 CVE bugs. However, it's not clear at a glance if these 3 have been
backported, which versions are affected, etc. While I know my way around enough
to find out, new people investigating OpenStack might not, so I was looking
for a summary page of open vulnerabilities broken down per release.

Now I know the community does a great job regarding security related bugs,
both finding and fixing, and Thierry in particular is working wonders
regarding CVE notification. A quick Google for OpenStack CVE though brings
up https://wiki.openstack.org/wiki/SecurityAdvisories in the first few
results which looks as though it may have been the intended place for this
kind of summary info, but it looks a bit neglected. Given that this may be
the first query someone tries when evaluating OpenStack I think it might
need a bit of an update.

Is there somewhere else that contains this kind of info in an easily
summarised, up-to-date format?

Or should the wiki page mentioned be the one to be updated?

I'm happy to do this by the way. I'm even happier that OpenStack has
progressed to the point where (usually quite conservative) companies such
as my employer are considering it against the alternatives.


Jolyon Brown
