Comment 7 for bug 904072

Thierry Carrez (ttx) wrote:

Time is running short to disclose this in a coordinated fashion before the holiday weeks. It's clearly not best practice to release a security advisory in the days before Christmas.

Nachi: are you comfortable with not disclosing this in the next two weeks (and waiting for the first days of January to coordinate the disclosure downstream)? Are you the original finder who should be credited for finding this?

Brian: what do you mean by "I saw this patch fix a live environment" ? How public is this already ?

Vish: there is no way to make the patch shorter? :)

I'm preparing the impact statement / CVE request and need a bit more information about impact. My understanding is that an authenticated user can issue commands for any project... Am I right in assuming that (1) you need to be authenticated, (2) you can issue any command and (3) this affects both EC2 and OSAPI?

In particular for (2), I suspect that the user cannot issue *any* command, but just the ones that he would be... entitled to on projects belonging to him? How do we usually map roles/users/projects?