Re: Re: [Openstack] [OSSA 2012-016] Token authorization for a user in a disabled tenant is allowed (CVE-2012-4457)

[andi abes <andi.abes () gmail com>]

On Sat, Sep 29, 2012 at 1:28 PM, Russell Bryant <rbryant () redhat com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/29/2012 02:18 AM, Kurt Seifried wrote:
> > On 09/28/2012 05:56 PM, andi abes wrote:
> > > is the plan going forward to announce these on friday
> > > afternoons?
> >
> > I can't speak for OpenStack but the history of these vulns is that
> > they have been public since May 2012 and April 2012, but were not
> > labelled as security, they were noticed, CVE's were assigned and I
> > think the idea was to notify people quickly since they're have a
> > significant impact and have been around for a while.
>
> Correct.  Normally, we only announce on Tuesday through Thursday.  In
> the case of the two announced yesterday (Friday), these were issues
> fixed a good while ago in the open so we were just now catching up and
> labeling them properly.

indeed, they were fixed a while ago. It just required a mini
fire-drill to verify that, and ensure the packages we are using in our
deployments indeed had the fixes in. As you point out, the original
problem report didn't have a CVE designation assigned, so the relevant
commit messages and standard security tracking mechanisms didn't
indicate the fixes are included.
A fun way to spend a friday afternoon.

IIRC,  per security process packages/distributors are notified before
the CVE's are made public.  It would be a great fire-drill
extinguisher if the CVE announcement provided a link to a centralized
location (for the CVE) where packages maintainers could update the
distribution information.

> Thanks,
>
> - --
> Russell Bryant
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBnL8MACgkQFg9ft4s9SAYz3wCfYo+RnuaEtkEtUGmczPwvQiSh
> yc8An30yhBv+SA1HZxlF2D+gEEUeOM6R
> =RMEV
> -----END PGP SIGNATURE-----