The wiki template has confused authors with regards to which
template they should use to author a new note. Since the source
repository only contains notes in the "email" template format, we
should only contain that template here. The wiki conversion can
be described on the OSSN process page instead.
Change-Id: I4a13ef98bcbcc8a49f14bf30096fb19b0afc8082

There was a simple typo in the recently merged version of OSSN-0021.
I caught and corrected it before publishing, but it should also be
corrected in tree.
Change-Id: Ib36b549cbc61ceecbaa2740181fcc35ef13c164c

Adding a description of the issue of verifying Keystone trust in case
of account compromise. Including examples of API interaction to help
check the situation.
Closes-Bug: #1341849
Change-Id: Iaf38c214d553dfd4dfe29dac9dc1496c061fb765

OSSN-0017 describes an issue where the default setting in Horizon causes client side cookies to be used.
This allows an attacker who is able to capture a user's cookie to perform any action as that user, even
after that user has logged out.
Related-Bug: #1327425
Change-Id: I74bf8f308227c8adafc719474bec6f8cd1db2601

The workaround previously described in OSSN-0013 was not correct
due to a misunderstanding in the behavior of the original bug. This
update adds a workaround that has been tested in Havana, and it also
provides a clearer description of Glance's broken behavior
with regards to processing property protections rules.
Related-Bug: #1271426
Change-Id: Ice8f6d31345c308f09ee14b55053d205d9f57e69

This adds OSSN-0015, which covers an issue related to Glance's default
policy allowing all users to publicize images. This can allow a user
to upload a malicious image in an attempt to attack other users.
Related-Bug: 1313746
Change-Id: Ida7519192a5b77730e4fffa7956978252a3d4c1e

This adds OSSN-0014, which covers the introduction of files with liberal
access permissions by multiple Cinder drivers in OpenStack Icehouse and
earlier. Users with access to the Cinder host and processes running
on the Cinder host can exploit the file permissions to disclose,
modify, and/or destroy user block storage data.
Closes-Bug: 1260679
Change-Id: I4ac9e746401051d85cb9cfbcad3c88b04f23106c

This adds OSSN-0013 addressing an issue with the way Glance property
protections are processed. In some deployments it is possible that a
configuration will allow actions that the administrator had intended
to restrict, unless permissions are defined in a careful order.
Change-Id: Ib149f2559659702f21793c3394bd0791352e18b3
Closes-Bug: #1271426

This adds OSSN-0010, which covers a privilege escalation issue
associated with a sample Keystone v3 policy file.
Change-Id: I3213bbf4b9956b75d733f219660fcefe6a51848d
Related-Bug: #1287219

This adds OSSN-0012, which covers the OpenSSL Heartbleed
vulnerability. This isn't a vulnerability in OpenStack itself, but
OpenStack deployments are likely affected since they would be using
OpenSSL for SSL/TLS.
Change-Id: I2db43e23dc0b090887e937be6188b64e2a0a2ad5

This adds OSSN-0011, which covers an issue related to invalid
security group references in CFN templates being improperly evaluated
by Heat. This results in unintended network access being allowed.
Related-Bug: 1291091
Change-Id: I88ee23aadc74020f150332a619796ebd77ef9698

This adds OSSN-0009, which covers an issue related to the ability
for a user to abuse group operations in Keystone to trigger
revocation of tokens for other users.
Change-Id: Ic59048442a78fd37b4dcb608ee1a468af70fa82d
Related-Bug: #1268751

This adds a .gitreview file to allow one to easily add a gerrit
remote to a newly cloned repo by running 'git review -s'.
Change-Id: I019ec453f3cbcc07c9d51978c7c6bf87baf95f3f

This adds OSSN-0008, which covers an issue related to the ability
for a user to exhaust the resources on a noVNC or SPICE console host
resulting in a DoS condition.

Some popular mail client PGP software will wrap lines at 72
characters. If we send an OSSN out that has longer lines,
the formatting gets messed up. This can make the OSSN hard
to read. This patch modifies the templates to wrap lines at
72 characters so they match the guidelines posted in the OSSN
process pages on the wiki.

Now that we are publishing OSSNs on the wiki, I changed the
templates to include a link to the OSSN on the wiki instead
of duplicating the Launchpad link like we did previously.

This adds all previously published security notes to the repo. I
also provided some helpful documentation in the README and provided
e-mail and wiki format templates to aid in writing new security
notes.