Commit Graph

1939 Commits

Author SHA1 Message Date
OpenStack Proposal Bot e759d03a74 Updated from openstack-manuals
Change-Id: I5de4df65c4b10e6cd5f247cf63715eac40de78e9
2024-03-28 16:34:16 +00:00
Jeremy Stanley 71399b98e1 OSSN-0093: Add CVE reference
Mitre has assigned CVE-2024-29156 to the reported bug in Murano.

Change-Id: I8b87f4318949bff198ddacf37a6c8b3fc2125d34
2024-03-18 14:33:32 +00:00
Jeremy Stanley 363f101e4c OSSN-0093: Update reporter name
Correct the name of one of the bug reporters, at their request.

Change-Id: Icfb8f2584c4668bc4d0bc8cf0208a6d627b7a5c8
2024-03-18 14:33:30 +00:00
Jeremy Stanley 85e4bf29d2 Update OSSN-0093 with details
Now that the bug is public, add more information about the
associated risks.

Change-Id: I42716501ac27b38f1ef545526dd0aab61dcaba19
2024-03-14 20:09:38 +00:00
Jeremy Stanley 3e222c4788 Add OSSN-0093
Unresolved Vulnerability in Murano

Related-bug: #2048114
Change-Id: I9e13564ba8fc9c53e7039d0ecc71cee4964b0e59
2024-03-07 22:11:15 +00:00
OpenStack Proposal Bot a9f6c5f8f6 Updated from openstack-manuals
Change-Id: I6196adfcc4366d43dc80a0ab52f4d0d81c27becd
2023-09-26 04:37:13 +00:00
Akihiro Motoki 4c4712865b generatepot-rst.sh: Drop UUID filtering
tools/generatepot-rst.sh has an awk filter to drop UUID from POT files,
but it is unnecessary now. It was introduced to strip UUID information
which was added by default in Sphinx <1.3 [1] in openstack-manuals.
Sphinx >=1.3 does not output UUID information by default [2],
so it is no longer needed.

In addition, (g)awk 5.0 or later (adopted in Ubuntu 20.04 or later)
complains about the current awk regexp. I think it is time to drop it
rather than fixing the regexp.

[1] 993647f316
[2] https://www.sphinx-doc.org/en/master/usage/configuration.html#confval-gettext_uuid

Related-Bug: #2035226
Change-Id: I54180d12de0cfdd618f6789b6cf9ec66d3276a40
2023-09-18 17:09:21 +09:00
renliang 456dcb52e9 Broken link
Update the OpenSSL fips link

Change-Id: If4b4d837323d3e88386282aa9a871dda31e20996
2023-07-25 21:23:38 +08:00
Jeremy Stanley 10c3351277 Add OSSN-0092
Using Configuration as a Short-Term Mitigation for OSSA-2023-003

Change-Id: I83be5d716eefe3f59cc683cb0b3bca00f36e5873
Related-bug: #2004555
2023-05-10 16:57:30 +00:00
OpenStack Proposal Bot 3c9c8d0e3c Updated from openstack-manuals
Change-Id: Iac4cc448a4448edd70f42653114aece8b444b592
2023-03-15 11:21:34 +00:00
Hervé Beraud d6780c5d48 Remove python-dev from bindep
It is no longer supported by jammy and leads us to the following errors with the announce-release job.

```
No package matching 'python-dev' is available
```

Change-Id: I26938c5af6a34db9e67452851a0ef3ed4c5bbb0e
2022-11-07 11:07:47 +01:00
Jay Faulkner 1816dbe20d Adding OSSN-0091 for VirtualBMC & Sushy-tools
CVE-2022-44020

Change-Id: I6e004dae84136e662506c30bfdf7c2d3d03feefc
2022-10-31 12:11:53 -07:00
Erno Kuvaja 0a99808d7d Correct the scope of OSSN-0090
Corrected the scope of "Discussion" section from limiting it to
end-users like outlined in the bug comment #43 [0].

Removed the "hence" from line 86 as that would be suggesting
Glance doing the checksumming normally, which is a false impression.
The data is not verified because of not going through Glance
but because the consumer decides to not verify it. Subtle but
important difference.

[0] https://bugs.launchpad.net/glance/+bug/1990157/comments/43

Change-Id: Ib42b486f854e39cdae8762f596266d6c24e8b3fb
2022-10-19 12:51:16 +01:00
Zuul e25426055d Merge "Add OSSN-0090" 2022-10-14 15:49:19 +00:00
Brian Rosmaita 89510bdac5 Add OSSN-0090
Best practices when configuring Glance with COW backends

Change-Id: Ie597a2ea9395f34d592701e9361948072cf531c7
Related-bug: #1990157
2022-10-12 13:51:19 -04:00
OpenStack Proposal Bot 79939a0d2a Updated from openstack-manuals
Change-Id: I6e1e134d84ab00241afa4df4d4dfba856e2aab51
2022-10-05 13:31:26 +00:00
Jeremy Stanley 34a7b3d882 Use permalink for Barbican security analysis
The openstack/security-analysis repository is being retired, so
switch the link in the Barbican section to use a permalink which
won't 404 once the retirement changes merge.

https://lists.openstack.org/pipermail/openstack-discuss/2022-June/028816.html

Change-Id: I7986cd49c2a38dd845831782a3a9c0778b8059eb
2022-06-02 14:42:05 +00:00
Jake Yip d6de852447 Obsolete removed manila config
nova_api_insecure, cinder_api_insecure were deprecated in Train[1] and
removed in Ussuri[2]

There is no mention of neutron_api_insecure, but a grep of the source
does not reflect anything so I assume this has been removed too, or is a
typo, as there is a 'api_insecure' under [neutron] that has also been
removed.

[1] https://review.opendev.org/c/openstack/manila/+/626506
[2] https://review.opendev.org/c/openstack/manila/+/745206

Change-Id: I8cbce18eb1fa03471d15fa90bf7fac171903c41e
2022-05-27 17:44:03 +10:00
Jake Yip f6fd4bf8fb Replacing Keystone config with www_authenticate_uri
identity_uri and auth_protocol are deprecated[1]. Update docs with new
www_authenticate_uri config option following other services (nova).

[1] https://review.opendev.org/c/openstack/keystonemiddleware/+/127066

Change-Id: Id86ed5e77f7c088cf408aea53c6d3fcdfd0a192e
2022-05-27 17:44:03 +10:00
Brian Rosmaita 20295565da Add OSSN-0065
Apparently this OSSN was never committed to the security-doc
repository.  Text is taken from:
  https://wiki.openstack.org/wiki/OSSN/OSSN-0065
which was last revised 2017-03-31T19:55:37.

Change-Id: I92ed107785b5e15f4b521056833f8e1200837e40
Closes-bug: #1549483
2022-05-10 15:59:16 -04:00
OpenStack Proposal Bot f8503d84fb Updated from openstack-manuals
Change-Id: I67cc59ac4e5057c743de89ed344b9aca77d48535
2022-03-28 15:15:45 +00:00
Jeremy Stanley fee8939ca6 Remove vulnerability:managed tag references
The TC has decided to no longer continue the "governance tags"
experiment, so the VMT has moved the repos and expectations
previously tracked by that tag into the security site. Overhaul the
security review instructions to refer to the correct location and
structure for this information, as well as a long-overdue cleanup of
references to the no longer extant OSSP.

Change-Id: I1a172016014b64d88199faaff6a6414aae50ccee
2022-02-24 17:29:06 +00:00
OpenStack Proposal Bot 06aeaae4bb Updated from openstack-manuals
Change-Id: Ifdcb8fe550386a8406eddaaa03124c13bb862085
2022-01-14 07:45:54 +00:00
Martin Kopec b9ea2ad9f0 Update Interop doc
The commit replaces DefCore committee (a former name) by
Interop Working Group (the current name) and updates a few
more old interop references.

Change-Id: I5ae3e7de8c5c41cf2859cc3591ec24dcf9e92a41
2021-12-13 12:54:41 +00:00
OpenStack Proposal Bot 66616aa55e Updated from openstack-manuals
Change-Id: I1d2f670de1d1554eaa25775bbdc588791e41a3ea
2021-07-14 09:24:51 +00:00
OpenStack Proposal Bot 8ac414cf22 Updated from openstack-manuals
Change-Id: Ic9b9885d4c6e6da57be026adfabcfa53e05c5587
2021-06-20 08:27:15 +00:00
Julia Kreger abfaecb547 Update IRC references
Change-Id: I1741e1e348f7167f1ad32c5691dfaa5822ff344f
2021-05-29 15:41:43 +02:00
OpenStack Proposal Bot 867374166c Updated from openstack-manuals
Change-Id: I97433e3be10e5af14291afbc1e51e11a465af6de
2021-05-28 09:17:33 +00:00
Zuul 89af0e12b8 Merge "Fix Barbican PKCS#11 description" 2021-05-19 15:30:36 +00:00
Dmitriy Rabotyagov 8dbacc7b42 Fix Barbican PKCS#11 description
Current description is incorrect, since barbican does not store each
project's KEK in HSM. As eventually, that would mean having
thousands of keys, while Thales Luna Network HSM has a limit of 100 keys
for DPoD, so it will be unable to use a big part of HSM solutions
with that approach.
Instead only MKEK and HMAC are stored in HSM and used to encrypt/decrypt
KEKs.

Change-Id: I8c4eaaa42262797632ce4c4296c04a4fe62b8fcf
2021-05-12 10:07:49 +00:00
Dmitriy Rabotyagov e6c4931f4c Add Barbican vault store plugin description
Barbican has supported the Vault plugin through Castellan for a while
and it's worth mentioning on the page.

Change-Id: I611a3472e2f00ab4feb6bf2a3ba1627a21fe5f62
2021-05-05 07:18:53 +00:00
Josephine Seifert 8b27aa09ee OSSN-0089: Missing configuration option in Secure Live Migration guide
The guide to enable secure live migration with QEMU-native TLS on
nova compute nodes missed an important config option. Without this
option a default connection is used which is TCP instead of TLS.
This leads to an unencrypted migration of the RAM.

Closes-Bug: #1919357
Change-Id: I5cbc4ec8f15ca7c66ca9562b536299524ab5999c
2021-04-12 09:46:12 +02:00
OpenStack Proposal Bot 5e667944ab Updated from openstack-manuals
Change-Id: Ied67e4b652176ad6c9e0035b53079ac52437fd6b
2021-02-04 07:19:33 +00:00
OpenStack Proposal Bot be051208e7 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I0b5899aa710c781b1765e750bffc473122a18990
2021-01-30 08:33:13 +00:00
OpenStack Proposal Bot 79784daac3 Updated from openstack-manuals
Change-Id: I279d548eef63e728abd4bf57ab4cc83f5a1c6069
2021-01-22 17:31:02 +00:00
Jake Yip f493bb8c50 Obsolete check-identity-04
The [token]/hash_algorithm config option has been deprecated since
mitaka[1].

To avoid renumbering, update check-identity-04 to '(Obsolete)'. This
keeps numbering compatibility for people using previous versions of the
checklist.

[1]: https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka

Change-Id: I587617f29141a244ca7983300ff4fcebed4255f5
2021-01-13 09:29:38 +11:00
OpenStack Proposal Bot b0e696774c Updated from openstack-manuals
Change-Id: I49f6e90f598ae97755877574af7c41b9c63087cc
2021-01-02 12:57:58 +00:00
Goutham Pacha Ravi 3edb3f4fc4 OSSN-0087: Add ceph releases with fix
These releases are still being produced by
Ceph CI but we know the version number, which
is useful to know.

Change-Id: Ic8f338f018cf02d83d346ab8abeb8e7eb7117a17
2020-12-16 13:10:23 -08:00
Goutham Pacha Ravi 456bafab46 OSSN-0087: Ceph user credential leakage via Manila
It is possible for regular users of manila
to obtain Ceph client keys that they shouldn't
have access to. This vulnerability occurs because
of a flaw in a ceph interface that manila
interacts with. The flaw has now been patched in
several stable releases of ceph. This security note
is to socialize the fix among OpenStack Manila
deployers so they can understand the vulnerability
and implement the fix in their environments.

Closes-bug: #1904015
Change-Id: I911212ea1147b5c3d7ab80835a165cf47c343f6e
2020-12-16 12:44:15 -08:00
Ghanshyam Mann c2c1509820 Remove retired Qinling usage
Qinling project is retiring in Wallaby cycle[1].
This commit removes the usages of Qinling project
before its code is removed.

Needed-By: https://review.opendev.org/c/openstack/qinling/+/764521

[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-November/018638.html

Change-Id: Iffd7a8d5ab87d34198862c925b894e4095d6e7f4
2020-11-28 00:09:45 -06:00
OpenStack Proposal Bot 625ac612d9 Updated from openstack-manuals
Change-Id: Ibc7610a85bc7326464bbe0704102a8fc9ccd2064
2020-10-26 07:32:46 +00:00
OpenStack Proposal Bot 899fe994d1 Updated from openstack-manuals
Change-Id: If77a79d79c5bddddd0baaab1faf3ce80793079e3
2020-10-22 09:00:36 +00:00
OpenStack Proposal Bot 71366af95a Updated from openstack-manuals
Change-Id: I110f93cf07e7a6d9a1a247f3bc1302d981f7b979
2020-09-30 09:20:02 +00:00
OpenStack Proposal Bot 7880999775 Updated from openstack-manuals
Change-Id: I70463c83b1c02327b1abcb63231fecf133e930cd
2020-09-29 09:12:31 +00:00
OpenStack Proposal Bot d4c330442c Updated from openstack-manuals
Change-Id: Ic5b90492e6b6a47d8b2da8a191143dd9c7528916
2020-09-28 19:20:53 +00:00
OpenStack Proposal Bot 1c1fffdd9c Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I9e8dda223d2980ad2dd38d1b9d872e3a5c60fbdc
2020-09-07 09:27:52 +00:00
Simon Li febfb1224e Fix some typos in the document
This patch changes 'Kernal-based' to
'Kernel-based' and 'Kernal Samepage' to
'Kernel Samepage'

Change-Id: I31bc682c34b2c9111ad1f3d45a570606eba4b6f6
2020-08-10 16:05:00 +08:00
Brian Rosmaita 5eb8a58426 Update OSSN-0086 again
The version numbers of cinder releases containing the updated
os-brick library to correct Bug #1883654, according to stable
branch rules, should have had a minor increment instead of a
patch increment.

Change-Id: I03ae119bd32c18ab5dff15c02c108f671fb4d78a
2020-06-30 08:43:51 -04:00
Brian Rosmaita 96c0c20fb6 Update OSSN-0086
Update the list of available patches and the fixed releases in
light of Bug #1883654.

Change-Id: Ifd762d4b3748903536cbc4c4a6057294d788e609
2020-06-18 16:41:48 -04:00
Brian Rosmaita 6564afad9d Update cinder release versions
We decided it made more sense to increment the minor version instead
of the patch version for this change, so update the note to reflect
this.

Change-Id: Id49827def6fac6ff866cc9855730d7147de4a789
2020-06-04 17:33:15 -04:00