[Yahoo-eng-team] [Bug 1840288] Re: Trusts GET API leaks existence information to unauthorized users

2019-08-15 Thread Jeremy Stanley
I concur with the class C1 suggestion here. Generally OpenStack's VMT has considered any theoretical vulnerability which depends on direct brute-forcing or guessing the UUID space as impractical, but still possibly a security hardening opportunity. ** Information type changed from Public Security

[Yahoo-eng-team] [Bug 1840403] [NEW] Install and configure in keystone

2019-08-15 Thread Ariya Jantaravises
Public bug reported: Seems like apache2.conf is not the way to put servername directive on Ubuntu 18.04 LTS. This bug tracker is for errors with the documentation, use the following as a template and remove or add fields as you see fit. Convert [ ] into [x] to check boxes: - [x] This doc is

[Yahoo-eng-team] [Bug 1544522] Re: Don't use Mock.called_once_with that does not exist

2019-08-15 Thread OpenStack Infra
Reviewed: https://review.opendev.org/675041 Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cf7d28eb6ea47818e9f3584f65ec025f5a46326b Submitter: Zuul Branch: master commit cf7d28eb6ea47818e9f3584f65ec025f5a46326b Author: Takashi NATSUME Date: Wed Aug 7 14:38:45 2019

[Yahoo-eng-team] [Bug 1840288] Re: Trusts GET API leaks existence information to unauthorized users

2019-08-15 Thread Gage Hugo
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions. ** Also affects: ossa

[Yahoo-eng-team] [Bug 1840291] [NEW] keystone does not retry on DbDeadlock [HTTP 500] for delete_credential_for_user

2019-08-15 Thread Rabi Mishra
Public bug reported: traceback: We do have it for identity backend via https://github.com/openstack/keystone/commit/e439476c1e434587122053a5c02c9ee4908e8b7c, but not for credential backend. 2019-08-14 03:34:15.264 199385 ERROR keystone.common.wsgi [req-b30e30a8-14fe-477f-b805-56a4d6e51ffc

[Yahoo-eng-team] [Bug 1840288] [NEW] Trusts GET API leaks existence information to unauthorized users

2019-08-15 Thread Colleen Murphy
*** This bug is a security vulnerability *** Public security bug reported: The current implementation of the GET /v3/OS-TRUST/trusts/{trust_id} API leaks information about the existence of a trust to unauthorized users. If an authenticated user requests a trust that either does not exist or has

[Yahoo-eng-team] [Bug 1840269] [NEW] The kernel cmd parameter "cloud-init=disabled" is not considered

2019-08-15 Thread Leonid Fainshtein
Public bug reported: cloud-init v.19.2 doesn't consider the "cloud-init=disabled" kernel command line parameter in CentOS7. The output of 'cloud-init collect-logs' is attached. ** Affects: cloud-init Importance: Undecided Status: New ** Attachment added: "cloud-init.tar.gz"

[Yahoo-eng-team] [Bug 1839577] Re: totp should support previous windows

2019-08-15 Thread OpenStack Infra
Reviewed: https://review.opendev.org/647655 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5572d013004afe3d1a483d5b7ad6e3383e973ae1 Submitter: Zuul Branch: master commit 5572d013004afe3d1a483d5b7ad6e3383e973ae1 Author: Adrian Turjak Date: Tue Mar 26 18:22:21 2019