Glance configuration option can lead to privilege escalation
---
### Summary ###
Glance exposes a configuration option called `use_user_token` in the
configuration file `glance-api.conf`. It should be noted that the
default setting (`True`) is se
One issue to be aware of is the use of this as a Denial of Service
vector. Basically an attacker can use this to lock out key accounts
by continuously sending invalid passwords.
Doing this might have unexpected and undesirable results,
particularly in automated tasks.
I think this feature has so
Hey Major,
This sounds like a great next step. It might also be cool to set up
Vagrant to pull Ubuntu 14.04, grab Ansible, and run the scripts on it.
I'll carve out a few hours early next week and have a crack at it.
-Travis
On 11/6/15, 10:59 PM, Major Hayden wrote:
>Hello there,
>
>At this
Hi Cyril,
This is a really cool idea. It should be fairly easy to implement and
can only help make Bandit more usable. To be honest enhancing the way
we're using the 'bandit.yaml' file has been on our list for a while.
A tool like this seems like it would be a nice intermediate solution
until w
This does seem to make a lot of sense. Basically what we will get is
an improved lowest common denominator when it comes to intra-node TLS.
This probably also fits in nicely with work others in OpenStack
Security have recently discussed regarding the creation of a
super-lightweight CA.
The only p
Hi Eric,
First off welcome to OpenStack! Generally for security related
questions we use the OpenStack-dev mailing list and preface the
subject with a [Security] tag.
One of the functions of a hypervisor is to ensure proper isolation of
tenant VMs. That being said I highly recommend deploying s
Today we released Bandit version 0.13.0 which includes the following
features and enhancements:
Plugins now registered as entry points
Improved Bandit run speed
Added a confidence filter option
Added timestamp to JSON report
New plugin to detect Try, Except, Pass
Improved detection for hardcoded /
(Merging thread from security ML)
Bandit probably isn't the correct integration point for this - cve-check
has its own analysis procedures while
Bandit uses Python AST. Also I see the use workflows being different.
For Bandit a developer/gate wants to
check a specific code snippet whereas for cve
I'd like to propose Michael McCune for CoreSec membership.
I've worked with Michael (elmiko) on numerous security tasks and
bugs, and he has a great grasp on security concepts and is very active
in the OpenStack security community. I think he would be a natural
choice for CoreSec.
Hi all -
Bandit is a Python AST-based static analyzer from the OpenStack
Security Group. Unlike other static code analysis tools in the
OpenStack ecosystem such as hacking and flake8, Bandit was
purpose-built to help find security vulnerabilities.
Bandit has a wiki page at:
https://wiki.opens