Comment 10 for bug 1916926

Jeremy Stanley (fungi) wrote : Re: Glance leaks namespace existence to unauthorized users

While we don't normally draft security notes privately under embargo (unlike advisories), we have on occasion done so and notified downstream stakeholders with an advance copy prior to publication. This might be one of those times where private advance notification is prudent.

The process for writing an OSSN is documented here:

    https://wiki.openstack.org/wiki/Security/Security_Note_Process

Would anyone like to have a go at writing up some guidance for this and the related bugs? I gather it involves policy configuration changes to disable some API method(s), but the specifics are where I cease to be useful on this matter. I'm happy to help with coordinating a publication date and getting it sent to the stakeholders.