openstack team mailing list archive
Re: OpenStack CVE Wiki page
Thanks for the response.
>So in summary... yes this is currently harder than it should be and I'd
>like to fix that. Yes you're welcome to edit  so that it's made more
>current. If you think it has value I can retroactively mention past
>OSSAs in . And you should have a look at  :)
I'll have a go at , definitely (anything to help out). Will include a
link to  on there.
Agree that a more 'official' looking page will be of benefit.
Personally I would think taking  back to the Folsom release cycle would
be a good idea, but that's a call for you and
the rest of the Vulnerability Management team (not sure how much work is
involved for you in doing that).
I'll have a look at  as well, fantastic.
On Wed, Jun 5, 2013 at 11:43 AM, Thierry Carrez <thierry@xxxxxxxxxxxxx> wrote:
> Jolyon Brown wrote:
> > In my (day) job (not Limilo!) we're currently evaluating an IBM product
> > which is underpinned by OpenStack. During review our InfoSec people
> > claimed many (22) open CVE vulnerabilities for the underlying version of
> > OpenStack used (Folsom). I don't believe this to be the case, as
> > Launchpad lists only 3 CVE bugs. However, it's not clear at a glance if
> > these 3 have been backported, which versions are affected, etc. While I
> > know my way around enough to find out, new people investigating
> > OpenStack might not, so I was looking for a summary page of open
> > vulnerabilities broken down per release.
> > Now I know the community does a great job regarding security related
> > bugs, both finding and fixing, and Thierry in particular is working
> > wonders regarding CVE notification. A quick google for OpenStack CVE
> > though brings up https://wiki.openstack.org/wiki/SecurityAdvisories in
> > the first few results which looks as though it may have been the
> > intended place for this kind of summary info, but it looks a bit
> > neglected. Given that this may be the first query someone tries when
> > evaluating OpenStack I think it might need a bit of an update.
> > Is there somewhere else that contains this kind of info in an easily
> > summarised, up-to-date format?
> > Or should the wiki page mentioned be the one to be updated?
> The official sources are the published (and signed) OpenStack Security
> Advisories (OSSA), but I agree it can take a bit of effort to get
> historical information about them, and we need to improve on that.
> We published OSSAs to this list from the beginning, and starting in July
> 2012 we also published them to openstack-announce for easier access.
> There is a community-maintained wiki page listing them, but I would
> like to transition that to a more "official" (and less prone to editing)
> area on the main openstack.org website.
> We also started recently to create "ossa" tasks on Launchpad, and I
> retroactively created them for all 2013 advisories. Together with
> Launchpad CVE linking features, that gives you a nice list you can
> access at  -- maybe it would make sense to retroactively create ossa
> links for all advisories ever published.
> Matt Joyce also started working on an OpenStack Common Vulnerability
> Database  which may help in accessing more structured data.
> So in summary... yes this is currently harder than it should be and I'd
> like to fix that. Yes you're welcome to edit  so that it's made more
> current. If you think it has value I can retroactively mention past
> OSSAs in . And you should have a look at  :)
>  https://wiki.openstack.org/wiki/SecurityAdvisories
>  https://bugs.launchpad.net/ossa/+cve
>  http://secstack.org/2013/04/openstack-common-vulnerability-database/
> Hope this helps,
> Thierry Carrez (ttx)
> Release Manager, OpenStack