Commit Graph

269 Commits

Author SHA1 Message Date
Jeremy Stanley f6feaaeaed Move Reporting and VMT sections to dedicated pages
In order to improve readability and avoid confusion, move the
sections on reporting vulnerabilities and with VMT contact
information to their own respective documents.

Change-Id: I71d18bb60085961504c3090fe9ed3d5f418157b3
2024-02-27 17:17:16 +00:00
Jeremy Stanley 95c17d10f8 Clean up a couple missed "responsibly" mis-uses
As a follow-up to I3301598500ade978093adf4dd138e35816c358b9, fix two
lingering references which were missed in that change.

Change-Id: If4bd7115fb45852e6ffa3b1e939e40cc97703d36
2024-02-27 16:53:51 +00:00
Jeremy Stanley 40d956ac39 2024 refresh of fungi's OpenPGP key expiration
I update the expiration on my key frequently and leave it set to no
more than one year, but as a result I forget to replace static
copies in various places. Do that again now.

Change-Id: Icca79b8cc19586a8969c8646d217590607f81fa9
2024-02-21 13:32:25 +00:00
Jeremy Stanley d77f392f46 Update stable branch terminology for unmaintained
The TC passed a resolution replacing the Extended Maintenance phase
with an Unmaintained phase, and also reworked a fair amount of the
policy and process surrounding it. See
https://governance.openstack.org/tc/resolutions/20230724-unmaintained-branches.html
for details.

Fix our existing references to extended maintenance, and also
correct some broken hyperlinking while we're here.

Change-Id: I555f20339a86cd680ce58c8f69ef8a78bf34e97e
2023-11-16 14:09:22 +00:00
Jeremy Stanley 23e15de721 Reword "responsible" disclosure to "coordinated"
As Solar Designer noted in a recent presentation[*], the term
"responsible disclosure" is unnecessarily judgemental, suggesting
that any other process is irresponsible by comparison. More
accurately describe what we do as "coordinated disclosure" in the
two places where we previously used the less objective wording.

[*] https://www.sstic.org/2023/presentation/ouverture_2023/

Change-Id: I3301598500ade978093adf4dd138e35816c358b9
2023-06-21 14:49:43 +00:00
Jeremy Stanley 136b24c5dd Add errata 3 for OSSA-2023-003
Since this only impacts the fix for stable/wallaby which is not
under normal maintenance, we'll dispose with the usual errata
announcements.

Change-Id: Ibd0d1d796012fb5d34d48925ce34f6f1c300b54e
Related-Bug: #2004555
2023-05-15 19:21:18 +00:00
Jeremy Stanley d62fe374e4 Add OSSA-2023-003 (CVE-2023-2088)
Change-Id: Iab9cca074c2928dbecbe512f813fe421a744c592
Closes-Bug: #2004555
2023-05-10 16:59:41 +00:00
Jeremy Stanley ee4904680e Stop wrapping paragraphs in RST generator
The paragraph wrapping for description and errata fields destroys
RST formatting embedded in the YAML strings, so just get rid of it
for now.

Change-Id: I7c5cf1ec4b647c4c7254dd222ff3f91838795e3a
2023-05-10 15:45:24 +00:00
Jeremy Stanley 07833d0dcd Add OSSA-2023-002 (CVE-2022-47951)
Change-Id: If071ca13337d87f24bbbdec24cbecb826165f4f4
Closes-Bug: #1996188
2023-01-24 15:28:40 +00:00
Jeremy Stanley 813a3e3a00 Update Jeremy Stanley OpenPGP key expiration
My key is expiring in a couple months, so here's one with a more
recent selfsig into 2024.

Change-Id: I2ecee13918e82db9a671cb628512a8e41f37517b
2023-01-23 18:33:35 +00:00
Jeremy Stanley 0b14e1f02d Add OSSA-2023-001 (CVE-2022-47950)
Change-Id: I07a10908a8d1ce314413f601c8f282cca0451cc1
Closes-Bug: #1998625
2023-01-17 15:15:28 +00:00
Jeremy Stanley 8e1ff97004 Update tox.ini for compatibility with Tox 4.x
Drop the skipsdist and usedevelop settings, they're not needed in
this project anyway and have different side effects in newer Tox.

Change-Id: I231815a9bb7ee81ec4e9f011d75a704fa471d6dd
2023-01-17 14:35:03 +00:00
Zuul 59774c2e56 Merge "Update VMT member list" 2022-12-13 17:06:54 +00:00
Jeremy Stanley 3cdffa08d1 Un-pin PyYAML
The newer default Python interpreter version on Ubuntu 22.04 LTS
doesn't support older PyYAML's use of stdlib collections. It was
pinned to a specific version when first added in 2014 by
I384971732166fbeb123d572d3ccbcde6bad39dfc with no reason given.

Change-Id: I9c18dbd542615f795f063fb6c665f6b6a475e498
2022-12-13 16:34:41 +00:00
Gage Hugo 71a93e076b Update VMT member list
I am stepping down from the VMT. This change removes my info
from the published contact list.

Change-Id: I7a41628b66662113576b32726b587aaddd692768
2022-12-02 13:12:08 -06:00
niuke 73b6da398b remove unicode from code
Change-Id: I918fa5e325f9a3c168f2d9783f04f220a35f8d25
2022-07-28 09:57:33 +08:00
Matthew Thode d0ca85cd73 update Matthew Thode's gpg key
updated expiration mainly

Change-Id: Ibd674ab08bb3e9e97ae61f232dc3cd56e563e4ef
Signed-off-by: Matthew Thode <mthode@mthode.org>
2022-06-15 10:09:58 -05:00
Zuul 97b8030786 Merge "Drop references for the old security blog" 2022-06-02 16:09:59 +00:00
Jeremy Stanley f44bb08b1e Drop references for the old security blog
Members of the OSSG maintained an OpenStack Security Blog between
2016 and 2017, but it's been abandoned for nearly 5 years now and
none of the currently involved contributors in the SIG have access
to that site nor available time to contribute new articles. Remove
the reference for now, it can always be added back if the blog is
resurrected or replaced in the future.

Change-Id: I04ba8b7cd734707406e480142a6b01df8900f1e9
2022-06-02 13:15:57 +00:00
Jeremy Stanley 207f292a31 repos-overseen: VMT is happy to assist any project
Make it clear in the overseen repos list preamble that VMT members
attempt to provide guidance on request, even for repositories not
specifically opted into direct oversight.

Change-Id: Id357a1ec8c62a66c97f7d55eecd95325db60a6d1
2022-06-02 13:02:01 +00:00
Jeremy Stanley b4b7f1d326 Refresh self-keysig expiration on my OpenPGP key
I intentionally keep a short expiration on my OpenPGP key, but this
means I need to update public copies of it at least annually.

Change-Id: I33525b04e11aa2b8e748ab576b2a0330d88d23eb
2022-03-15 14:52:40 +00:00
Jeremy Stanley e168a956e8 Drop SKS Keyserver links from main page
The SKS Keyserver network shut down last year, due to a combination
of GDPR compliance challenges and third-party keysig upload attacks.
There's no great external source for displaying key details now, so
just omit the link.

Also restructure how we're linking to the local keys, in order to
simplify management of the document.

Change-Id: I266ccff9ed3183782961102fb7f8675ac518692b
2022-03-15 14:49:20 +00:00
Jeremy Stanley 1aa37b1663 Import VMT oversight information from governance
The OpenStack TC has decided to stop using its "governance tags"
mechanism for recording specific details about project deliverables.
We previously relied on a vulnerability:managed tag to indicate the
deliverables overseen by the VMT, as well as documenting
expectations for the teams responsible for them.

Tags, being deliverable-specific rather than repository-specific,
were never a great fit for us. When bringing this information into
our own documentation, it's now reworked as a list of specific Git
repositories for simplicity and granularity. The expectations have
also been edited and shortened in order to accommodate this change,
but are still effectively the same as they were in governance.

Change-Id: Ie3c0cc38fc071716420c12b3f6de4a320428bd04
2022-02-23 15:31:47 +00:00
Jeremy Stanley 4b7ca58f75 Clarify instructions for posting to linux-distros
I realized the rules for posting to the linux-distros ML include
putting a special string in the subject line and encrypting the
message. Update our instructions to reflect that and link to theirs
while we're at it.

Change-Id: Icfd645748fd3a4db4c9d6c9e832afb3137f1fcff
2021-11-22 21:57:23 +00:00
Jeremy Stanley 51a1bf0699 Errata 1 for OSSA-2021-002
Change-Id: Iaeb40574176ae62542a0c17e94917e654d38317d
Closes-Bug: #1927677
2021-09-27 15:02:06 +00:00
Marc Gariepy b27c2be28f Update OSSA-2021-005 (CVE-2021-40085)
add link to all the fixed releases

Change-Id: I54702c44f5cadb0f97489422af517df2aa2c6281
2021-09-10 10:45:47 -04:00
Jeremy Stanley 4f5d81b664 Add OSSA-2021-006 (CVE-2021-40797)
Change-Id: Ie61b5ffbec78e8c90e5ad773c9479f0d7ae1b932
Closes-Bug: #1942179
2021-09-08 20:15:03 +00:00
Jeremy Stanley 55e0ee4953 Add OSSA-2021-005 (CVE-2021-40085)
Change-Id: I58b8c608547e24ee144cab805d17c55045e4279a
Closes-Bug: #1939733
2021-08-31 13:56:02 +00:00
Jeremy Stanley 5bfba3e739 Add OSSA-2021-004 (CVE-2021-38598)
Change-Id: I91b44e7fab3209170efd8dc594cb1b442ee48c2d
Closes-Bug: #1938670
2021-08-12 14:55:33 +00:00
Jeremy Stanley cf49e91bb4 Add OSSA-2021-003 (CVE-2021-38155)
Change-Id: Ic9c5d7a45be8a083931b2600adbc76c9e292d0ab
Closes-Bug: #1688137
2021-08-06 21:38:08 +00:00
Jeremy Stanley 08f2c78ccf Add OSSA-2021-002 (CVE-2021-3654)
Change-Id: I1574738a9aa047314c9b933f8bbe032d346cd2d7
Closes-Bug: #1927677
2021-07-28 18:16:17 +00:00
Jeremy Stanley 2780ff1dcc Clarify our affected versions conventions
The old impact description template was slightly misleading in its
use of <= to clamp upper bounds of affected versions. For many years
we've actually been using a strict < of the next possible SemVer
patchlevel version, so correct the examples and add a brief
paragraph to explain the construction in greater detail.

Change-Id: I44db2454bd1cd8691f445a0dcd403b8fa2681de3
2021-07-12 19:53:31 +00:00
Zuul 2cf793fb34 Merge "Update publication date for OSSA-2021-001" 2021-07-12 18:06:08 +00:00
Zuul a869f795e8 Merge "Add OSSA-2021-001 (CVE-2021-20267)" 2021-07-12 17:41:10 +00:00
Jeremy Stanley 51cb75e92e Update publication date for OSSA-2021-001
Follow-up to correct the date on which OSSA-2021-001 was published
so that we don't lose the existing votes on the original change.

Change-Id: I295a49103c651d4b40a557dda0b2b9ea4b124bfa
2021-07-12 17:28:33 +00:00
Jeremy Stanley 239ec3826a Add OSSA-2021-001 (CVE-2021-20267)
Change-Id: I6bcc8392831efbdc7759b0ed5340023bb0440c85
Closes-Bug: #1902917
2021-07-08 20:49:35 +00:00
Jeremy Stanley b05ba12445 Correct is_safe_path example in guidelines
A previous rework of the directory traversal mitigation example in
I3f8d3760daceb9e62396ae21b0d915ae07eff303 was not correctly cleaned
up, and left some unintended startswith method invocations behind.
Get rid of those, and also correct a wrong parameter name in the
main function while we're at it, as well as fixing some incorrect
indentation.

Change-Id: Ie5347f3b6cc8e689440db0aaf552d52ad37c231c
Closes-Bug: #1928544
2021-07-02 17:15:41 +00:00
Jeremy Stanley 5820a97832 Get specific about differences between SB and LP
In the instructions on reporting security vulnerabilities, detail
the StoryBoard workflow distinct from Launchpad, since we've had at
least one reported incident of a user thinking that just checking
the security checkbox would also make the story private.

Change-Id: Id8f824ef830bd321f7db4c03389dbebed01b163d
2021-06-15 15:38:50 +00:00
Jeremy Stanley 9dc1f95497 Not all reports relate to incidents
Rename the Incident Report Taxonomy section to Report Taxonomy but
leave a reference label behind so we don't obliterate any of the
many old external links to this document.

While tidying this up, also switch the task status reference to use
an internal anchor rather than an explicit URL anchor link.

Change-Id: I49245922e08d702b7ec1c46403a0db84dbad2882
2021-06-15 15:38:50 +00:00
Jeremy Stanley c47cf1e489 Make VMT contact list more discoverable
Get rid of the outdated section for the long gone Security Project,
and move the VMT contact info from it to near the top of the main
security.o.o page. Also switch references in the process document to
link that list instead of going to the LP group page (which made
obtaining contact information a challenge).

Change-Id: I6aaf4da8bff51bc63706fc20e9f5f68d6e9b0fe4
2021-06-15 15:38:48 +00:00
Gage Hugo d4785ae6fd Remove outdated security tool development section
The security SIG hasn't maintained the two projects listed under
the "Security tool development" section in quite a while. This
change removes the section entirely since the information it
has is no longer relevant to the security SIG.

Change-Id: I49aee997751b2b4f7ca6e879883a85c56087c0a1
2021-03-25 15:44:20 -05:00
Jeremy Stanley 0e4118d19e More accurately match paths in safe path example
As was pointed out in a bug report, the example for safe path
matching should not be comparing substrings, but actual path
components. As OpenStack projects currently no longer support Python
interpreter versions prior to 3.5, we can take advantage of
os.path.commonpath() for confirming this correctly.

Change-Id: I3f8d3760daceb9e62396ae21b0d915ae07eff303
Closes-Bug: #1815422
2021-01-21 16:53:50 +00:00
Marc Gariepy fc1a66d398 Add missing releases for the CVE
Change-Id: Id450757b2a6a026839be26cf9e8f243f76594348
2021-01-06 14:57:19 -05:00
Jeremy Stanley 0611333d3c OSSA-2020-008: add missing links for some branches
The original advisory omitted URLs for fixes on branches newer than
stable/train, so add those for all other branches where similar
patches merged.

Note the outstanding changes for branches earlier than stable/stein
are proposed but not currently passing CI jobs and have yet to be
reviewed, so they're not included here.

Change-Id: I238e1d91e6a6662d3af3800a114a7b3072660f92
2020-12-08 15:58:00 +00:00
Gage Hugo f058c5f206 Add OSSA-2020-008 (CVE-2020-29565)
Change-Id: Ide92bb95bc2b542a4852965e42e31c72d74294a7
Closes-Bug: #1865026
2020-12-07 16:43:54 +00:00
Zuul d92b7ffa98 Merge "Add OSSA-2020-007 (CVE-2020-26943)" 2020-10-14 05:43:40 +00:00
Zuul 8e0d7b054f Merge "Don't break long/hyphenated words in RST creation" 2020-10-14 00:46:40 +00:00
Jeremy Stanley e50bcab88c Don't break long/hyphenated words in RST creation
The textwrap module by default breaks hyphenated words across line
wrapping boundaries, which Sphinx will then reinterpret as
whitespace. Disable this behavior so that hyphenated words will be
moved to the next line rather than broken at their hyphens. Also
disable a related feature which would break lines longer than the
target line length, allowing one-word lines longer than that.

Change-Id: I2ce8dcd4d67b658817857167e218913c75df0bda
2020-10-13 17:54:46 +00:00
Pierre Riteau 18f75e074c Add OSSA-2020-007 (CVE-2020-26943)
Change-Id: I18de37da9f22fe28c60fc1fbfb1322aaaad11b88
Related-Bug: #1895688
2020-10-12 09:50:19 +02:00
Jeremy Stanley ed8c4da7ae Update SKS Keyserver URLs
The HKPS proxy on 443/tcp at sks-keyservers.net hasn't been operable
for many months (consistently returning a 502 Bad Gateway error).
Switch to a direct HKP URL on 11371/tcp at pool.sks-keyservers.net
instead, which returns the same content (unfortunately not over an
encrypted connection). The next best alternatives would be to use a
lookup on keyserver.ubuntu.com which misses a lot of the
cross-signing key info, or keys.openpgp.net which only provides a
link to download key material with no additional information and no
signatures.

Change-Id: I5d99bcb261a77e2d557fa31ca199f2eed09583c3
2020-09-23 16:25:11 +00:00