Comment 3 for bug 1571714

Jeremy Stanley (fungi) wrote:

Now that the OpenStack VMT is subscribed, I'll note that oslo.log and oslo.messaging have never been explicitly tagged as within our oversight (nor do we even have automatic visibility into their private security bugs). That said, this could potentially impact a number of OpenStack deliverables for which we're responsible security-wise so I'm happy to weigh in and help with an advisory.

I'd be in agreement on the user error point except that in this case it sounds like the "user" is another popular OSLO library which is mistakenly using oslo.log in a vulnerable fashion? If so, we need to fix one of them and so should probably consider it a vulnerability on one end or the other. I'm inclined to agree that at least fixing it on the side where it presents less of a footgun for the next consumer of the same library is preferable.

If Ben's patch in comment #2 is acceptable to the oslo.log private security reviewers, I'm happy to propose an impact description for review.