oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

From: Robert Collins <robertc () robertcollins net>
Date: Tue, 4 Jun 2013 07:11:40 +1200
What if we were to always do a release after a security advisory?
On 4 Jun 2013 06:25, "Jeremy Stanley" <fungi () yuggoth org> wrote:


On 2013-06-03 10:51:19 -0700 (-0700), Lloyd Dewolf wrote:
[...]

Interestingly, the OSSA 2013-014 notice did include
"python-keystoneclient fix (will be included in upcoming 0.2.4
release)".


I'm going to chalk that up to Thierry knowing the version number at
that point, since the OSSA 2013-014 fix is what got tagged with
0.2.4 the next morning. On the other hand the -013 fix was a
lower-priority feature enhancement and I didn't want to rely on a
versioning guess a week ahead. Client releases are handled a bit
more independently compared to OpenStack server components (where we
can predict release milestone dates fairly accurately).

As a general rule I'm going to try to include the release version
numbers in advance when I can do so safely, and otherwise rely on
subsequent release announcements.
--
Jeremy Stanley

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack () lists launchpad net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
Previous By Date Next
Previous By Thread Next

Current thread: