Hi Thierry

Thanks for the response.

> So in summary... yes this is currently harder than it should be and I'd
> like to fix that. Yes you're welcome to edit [1] so that it's made more
> current. If you think it has value I can retroactively mention past
> OSSAs in [2]. And you should have a look at [3] :)
>
> [1] https://wiki.openstack.org/wiki/SecurityAdvisories
> [2] https://bugs.launchpad.net/ossa/+cve
> [3] http://secstack.org/2013/04/openstack-common-vulnerability-database/

I'll have a go at [1], definitely (anything to help out). Will include a link to [2] on there. Agree that a more 'official' looking page will be of benefit.

Personally I would think taking [2] back to the Folsom release cycle would be a good idea, but that's a call for you and the rest of the Vulnerability Management team (not sure how much work is involved for you in doing that).

I'll have a look at [3] as well, fantastic.

Thanks again

Jolyon Brown
jol...@limilo.com
www.limilo.com

On Wed, Jun 5, 2013 at 11:43 AM, Thierry Carrez <thie...@openstack.org> wrote:

> Jolyon Brown wrote:
> > In my (day) job (not Limilo!) we're currently evaluating an IBM product
> > which is underpinned by OpenStack. During review our InfoSec people
> > claimed many (22) open CVE vulnerabilities for the underlying version of
> > OpenStack used (Folsom). I don't believe this to be the case, as
> > Launchpad lists only 3 CVE bugs. However it's not clear at a glance if
> > these 3 have been backported, which versions are affected etc. While I
> > know my way around enough to find out, new people investigating
> > OpenStack might not, so I was looking for a summary page of open
> > vulnerabilities broken down per release.
> >
> > Now I know the community does a great job regarding security related
> > bugs, both finding and fixing, and Thierry in particular is working
> > wonders regarding CVE notification. A quick Google for "OpenStack CVE"
> > though brings up https://wiki.openstack.org/wiki/SecurityAdvisories in
> > the first few results which looks as though it may have been the
> > intended place for this kind of summary info, but it looks a bit
> > neglected. Given that this may be the first query someone tries when
> > evaluating OpenStack I think it might need a bit of an update.
> >
> > Is there somewhere else that contains this kind of info in an easily
> > summarised, up to date format?
> >
> > Or should the wiki page mentioned be the one to be updated?
>
> Hi!
>
> The official sources are the published (and signed) OpenStack Security
> Advisories (OSSA), but I agree it can take a bit of effort to get
> historical information about them, and we need to improve on that.
>
> We published OSSAs to this list from the beginning, and starting in July
> 2012 we also published them to openstack-announce for easier access.
>
> There is a community-maintained wiki page [1] listing them, but I would
> like to transition that to a more "official" (and less prone to editing)
> area on the main openstack.org website.
>
> We also started recently to create "ossa" tasks on Launchpad, and I
> retroactively created them for all 2013 advisories. Together with
> Launchpad CVE linking features, that gives you a nice list you can
> access at [2] -- maybe it would make sense to retroactively create ossa
> links for all advisories ever published.
>
> Matt Joyce also started working on an OpenStack Common Vulnerability
> Database [3] which may help in accessing more structured data.
>
> So in summary... yes this is currently harder than it should be and I'd
> like to fix that. Yes you're welcome to edit [1] so that it's made more
> current. If you think it has value I can retroactively mention past
> OSSAs in [2]. And you should have a look at [3] :)
>
> [1] https://wiki.openstack.org/wiki/SecurityAdvisories
> [2] https://bugs.launchpad.net/ossa/+cve
> [3] http://secstack.org/2013/04/openstack-common-vulnerability-database/
>
> Hope this helps,
>
> --
> Thierry Carrez (ttx)
> Release Manager, OpenStack
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to: openstack@lists.launchpad.net
> Unsubscribe: https://launchpad.net/~openstack
> More help: https://help.launchpad.net/ListHelp