openstack team mailing list archive

Re: OpenStack CVE Wiki page


Hi Thierry

Thanks for the response.

> So in summary... yes this is currently harder than it should be and I'd
> like to fix that. Yes you're welcome to edit [1] so that it's made more
> current. If you think it has value I can retroactively mention past
> OSSAs in [2]. And you should have a look at [3] :)

> [1] https://wiki.openstack.org/wiki/SecurityAdvisories
> [2] https://bugs.launchpad.net/ossa/+cve
> [3] http://secstack.org/2013/04/openstack-common-vulnerability-database/

I'll have a go at [1], definitely (anything to help out). Will include a
link to [2] on there.

Agree that a more 'official' looking page will be of benefit.

Personally I would think taking [2] back to the Folsom release cycle would
be a good idea, but that's a call for you and the rest of the Vulnerability
Management team (not sure how much work is involved for you in doing that).

I'll have a look at [3] as well, fantastic.

Thanks again

Jolyon Brown
jolyon@xxxxxxxxxx
www.limilo.com

On Wed, Jun 5, 2013 at 11:43 AM, Thierry Carrez <thierry@xxxxxxxxxxxxx> wrote:

> Jolyon Brown wrote:
> > In my (day) job (not Limilo!) we're currently evaluating an IBM product
> > which is underpinned by OpenStack. During review our InfoSec people
> > claimed many (22) open CVE vulnerabilities for the underlying version of
> > OpenStack used (Folsom). I don't believe this to be the case, as
> > Launchpad lists only 3 CVE bugs. However it's not clear at a glance if
> > these 3 have been back ported, which versions are affected etc. While I
> > know my way around enough to find out, new people investigating
> > OpenStack might not, so I was looking for a summary page of open
> > vulnerabilities broken down per release.
> >
> > Now I know the community does a great job regarding security related
> > bugs, both finding and fixing, and Thierry in particular is working
> > wonders regarding CVE notification. A quick google for OpenStack CVE
> > though brings up https://wiki.openstack.org/wiki/SecurityAdvisories in
> > the first few results which looks as though it may have been the
> > intended place for this kind of summary info, but it looks a bit
> > neglected. Given that this may be the first query someone tries when
> > evaluating OpenStack I think it might need a bit of an update.
> >
> > Is there somewhere else that contains this kind of info in an easily
> > summarised up to date format?
> >
> > Or should the wiki page mentioned be the one to be updated?
>
> Hi!
>
> The official sources are the published (and signed) OpenStack Security
> Advisories (OSSA), but I agree it can take a bit of effort to get
> historical information about them, and we need to improve on that.
>
> We published OSSAs to this list from the beginning, and starting in July
> 2012 we also published them to openstack-announce for easier access.
>
> There is a community-maintained wiki page[1] listing them, but I would
> like to transition that to a more "official" (and less prone to editing)
> area on the main openstack.org website.
>
> We also started recently to create "ossa" tasks on Launchpad, and I
> retroactively created them for all 2013 advisories. Together with
> Launchpad CVE linking features, that gives you a nice list you can
> access at [2] -- maybe it would make sense to retroactively create ossa
> links for all advisories ever published.
>
> Matt Joyce also started working on an OpenStack Common Vulnerability
> Database [3] which may help in accessing more structured data.
>
> So in summary... yes this is currently harder than it should be and I'd
> like to fix that. Yes you're welcome to edit [1] so that it's made more
> current. If you think it has value I can retroactively mention past
> OSSAs in [2]. And you should have a look at [3] :)
>
> [1] https://wiki.openstack.org/wiki/SecurityAdvisories
> [2] https://bugs.launchpad.net/ossa/+cve
> [3] http://secstack.org/2013/04/openstack-common-vulnerability-database/
>
> Hope this helps,
>
> --
> Thierry Carrez (ttx)
> Release Manager, OpenStack
>
