Hi, I believe 50 and 51 were both assigned to me. They were closely linked, but separate issues.
I wrote 50 up here: https://review.openstack.org/#/c/200303/2

After discussion in a security meeting, my memory is that it was agreed that they probably weren't required. I'd have to pull out the meeting log to be certain, but I'd also continue them if the mood has now changed.

--
Kind Regards,
Dave Walker

On 11 Apr 2016 16:06, "Clark, Robert Graham" <robert.cl...@hpe.com> wrote:
> Thanks Matt, Michael,
>
> To start with, let's look quickly at the more recent OSSNs that are marked as work in progress, namely 63, 64, 65 and 66 – these should all be published within a week or so.
>
> Looking further back we have the more difficult OSSNs 50 and 51, I’m not 100% sure what the blockers are on these. I believe https://wiki.openstack.org/wiki/OSSN/OSSN-0056 may supersede OSSN-0051 and is rooted in bug https://bugs.launchpad.net/ossn/+bug/1435530 - it looks to me like OSSN-0056 was written during a mid-cycle and could be the right one.
>
> I’m struggling to work out the story behind OSSN-0050 – I’m adding Nathan Kinder who might be able to shed more light on this.
>
> -Rob
>
> From: Michael Xin [mailto:michael....@rackspace.com]
> Sent: 11 April 2016 15:28
> To: Matt Fischer; OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?
>
> Matt:
>
> Thanks for asking this. I forwarded this email to the new email list so that folks with better knowledge can answer this.
>
> Thanks and have a great day.
>
> Yours,
> Michael
>
> -----------------------------------------------------------------------------
> Michael Xin | Manager, Security Engineering - US
> Product Security | Rackspace Hosting
> Office #: 501-7341 or 210-312-7341
> Mobile #: 210-284-8674
> 5000 Walzem Road, San Antonio, Tx 78218
> ----------------------------------------------------------------------------
> Experience fanatical support
>
> From: Matt Fischer <m...@mattfischer.com>
> Date: Monday, April 11, 2016 at 9:19 AM
> To: "openstack-secur...@lists.openstack.org" <openstack-secur...@lists.openstack.org>
> Subject: [Openstack-security] abandoned OSSNs?
>
> Some folks from our security team here asked me to ensure them that our services were patched for all the OSSNs that are listed here: https://wiki.openstack.org/wiki/Security_Notes
>
> Most of these are straight-forward, but there are some OSSNs that have been allocated an ID but then abandoned. There is no detailed wiki page and my best google efforts lead me to a possible IRC mention and maybe an abandoned review. The two specifically are OSSN-50/51.
>
> So what am I to do with an "abandoned" OSSN? Has it been decided that there is no issue anymore? These are pretty old if I look at the dates framing the other OSSNs (49/52), so I assume they aren't urgent. Can we ignore these? They sound somewhat scary, for example, "keystonemiddleware can allow access after token revocation" but I have no means to say whether it affects us or how we can mitigate without more info.
>
> Thoughts?
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev