Comment 17 for bug 1183884

Jeremy Stanley (fungi) wrote : Re: Unescaped content embedded in XML

Our Gerrit code review infrastructure is entirely public, so any fixes pushed there would prematurely disclose this private, embargoed security issue.

OpenStack's vulnerability management process is documented at https://wiki.openstack.org/wiki/Vulnerability_Management . We are collectively in the Patch Review and Review Impact Description stages of the Embargoed Vulnerability Management Process.

From the "fixing it" side of things, Swift core developers should hopefully be reading the diff posted here in comment #2 and testing it out privately or proposing alternative fixes as diff attachments to this private security bug. Similarly the Swift PTL reads the Impact description proposed in comment #14, and if necessary suggests modifications to its wording.

Once we've got at least two Swift core reviewers in support of a patch attached to this bug, have Swift PTL approval of the Impact Description, and have requested and received a CVE assignment for the bug, then we'll pick a disclosure date and provide advance warning to our registered downstream stakeholders (packagers et al). On the selected disclosure date the pre-approved patch will be published to Gerrit and approved through CI/merged concurrent with publication of an OpenStack Security Advisory to appropriate public mailing lists.