openstack team mailing list archive

Re: OpenStack CVE Wiki page

Jolyon Brown wrote:
> In my (day) job (not Limilo!) we're currently evaluating an IBM product
> which is underpinned by OpenStack. During review our InfoSec people
> claimed many (22) open CVE vulnerabilities for the underlying version of
> OpenStack used (Folsom). I don't believe this to be the case, as
> Launchpad lists only 3 CVE bugs. However it's not clear at a glance if
> these 3 have been backported, which versions are affected etc. While I
> know my way around enough to find out, new people investigating
> OpenStack might not, so I was looking for a summary page of open
> vulnerabilities broken down per release.
> Now I know the community does a great job regarding security related
> bugs, both finding and fixing, and Thierry in particular is working
> wonders regarding CVE notification. A quick google for OpenStack CVE
> though brings up https://wiki.openstack.org/wiki/SecurityAdvisories in
> the first few results which looks as though it may have been the
> intended place for this kind of summary info, but it looks a bit
> neglected. Given that this may be the first query someone tries when
> evaluating OpenStack I think it might need a bit of an update.
> Is there somewhere else that contains this kind of info in an easily
> summarised, up-to-date format?
> Or should the wiki page mentioned be the one to be updated?

The official source is the published (and signed) OpenStack Security
Advisories (OSSA), but I agree it can take a bit of effort to get
historical information about them, and we need to improve on that.

We published OSSAs to this list from the beginning, and starting in July
2012 we also published them to openstack-announce for easier access.

There is a community-maintained wiki page[1] listing them, but I would
like to transition that to a more "official" (and less prone to editing)
area on the main openstack.org website.

We also started recently to create "ossa" tasks on Launchpad, and I
retroactively created them for all 2013 advisories. Together with
Launchpad CVE linking features, that gives you a nice list you can
access at [2] -- maybe it would make sense to retroactively create ossa
links for all advisories ever published.

Matt Joyce also started working on an OpenStack Common Vulnerability
Database [3] which may help in accessing more structured data.

So in summary... yes this is currently harder than it should be and I'd
like to fix that. Yes you're welcome to edit [1] so that it's made more
current. If you think it has value I can retroactively mention past
OSSAs in [2]. And you should have a look at [3] :)

[1] https://wiki.openstack.org/wiki/SecurityAdvisories
[2] https://bugs.launchpad.net/ossa/+cve
[3] http://secstack.org/2013/04/openstack-common-vulnerability-database/

Hope this helps,

Thierry Carrez (ttx)
Release Manager, OpenStack