Comment 22 for bug 1517277

Jim Rollenhagen (jim-rollenhagen) wrote : Re: Clean steps don't actually run

Tristan, almost good to go. s/Grad/Brad/ :)

I've pinged Deva and Lucas to review the new patches.

As an FYI, I'll do a 4.2.2 release immediately after the stable/liberty patch lands.

I'm happy to send the email, if I'm given a list of addresses to send it to. I'd prefer if the VMT or deva sent the email as I'm sure my GPG keys are not as well-trusted. Here's a draft with a proposed disclosure date:

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: Ironic does not honor clean steps
Reporter: Brad Morgan (Rackspace)
Products: Ironic
Affects: >= 4.2.0, <= 4.2.1

Description:
Brad Morgan from Rackspace reported a vulnerability in Ironic. To prevent user data leak, Ironic is expected to "clean" a server after use; however, that is transparently not happening. Previous tenant's data may be left behind on the disk and may be available to new users. All Ironic setups are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to the stable/liberty and master branches on the public disclosure date.

CVE: $CVE

Proposed public disclosure date/time:
December 1, 2015, 1500 UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.