)]}'
{"ossa/OSSA-2019-005.yaml":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"19c07c2d86f309d974846e89d71a75eade952aa5","unresolved":false,"context_lines":[{"line_number":4,"context_line":""},{"line_number":5,"context_line":"title: \u0027Octavia Amphora-Agent not requiring Client-Certificate\u0027"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"description: \u003e"},{"line_number":8,"context_line":"  Amphora Images in OpenStack Octavia versions from 0.10.0 allow"},{"line_number":9,"context_line":"  unauthenticated access to the Amphora Agent from the management"},{"line_number":10,"context_line":"  network. This leads to information disclosure and also allows"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3fa7e38b_bbc91b26","line":7,"updated":"2019-10-04 19:43:26.000000000","message":"Even though there is separate metadata in the file for the reporter, the description should mention them at the start since it may be excerpted by others later.","commit_id":"918415b94f644e27b146e2a870c121b93e2002c3"},{"author":{"_account_id":10273,"name":"Adam Harwell","email":"flux.adam@gmail.com","username":"rm_you"},"change_message_id":"6a817667bea749c0f352d35c77bbe21ef3e33d69","unresolved":false,"context_lines":[{"line_number":9,"context_line":"  unauthenticated access to the Amphora Agent from the management"},{"line_number":10,"context_line":"  network. This leads to information disclosure and also allows"},{"line_number":11,"context_line":"  changes to the configuration of the Amphora via simple HTTP"},{"line_number":12,"context_line":"  requests because cmd/agent.py gunicorn cert_reqs option is falsely"},{"line_number":13,"context_line":"  set to True instead of ssl.CERT_REQUIRED."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"affected-products:"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3fa7e38b_600e92e6","line":12,"range":{"start_line":12,"start_character":61,"end_line":12,"end_character":68},"updated":"2019-10-04 18:22:35.000000000","message":"Nit: \"incorrectly\"","commit_id":"918415b94f644e27b146e2a870c121b93e2002c3"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"19c07c2d86f309d974846e89d71a75eade952aa5","unresolved":false,"context_lines":[{"line_number":15,"context_line":"affected-products:"},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"  - product: \u0027octavia\u0027"},{"line_number":18,"context_line":"    version: \u0027\u003e\u003d0.10.0\u0027"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"vulnerabilities:"},{"line_number":21,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3fa7e38b_5bd027ca","line":18,"updated":"2019-10-04 19:43:26.000000000","message":"The list of affected versions should exclude the next patch release on each stable branch where fixes have been proposed, so something like:\n\n    version: \u0027\u003e\u003d0.10.0\u003c2.1.2,\u003e\u003d3.0.0\u003c3.1.2,\u003e\u003d4.0.0\u003c4.0.2\u0027\n\nThis signifies that the excluded versions will contain this fix once they get tagged (even though they don\u0027t exist yet).","commit_id":"918415b94f644e27b146e2a870c121b93e2002c3"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"19c07c2d86f309d974846e89d71a75eade952aa5","unresolved":false,"context_lines":[{"line_number":23,"context_line":""},{"line_number":24,"context_line":"reporters:"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"  - name: \u0027Daniel Preussker\u0027"},{"line_number":27,"context_line":"    reported:"},{"line_number":28,"context_line":"      - CVE-2019-17134"},{"line_number":29,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3fa7e38b_7bd3a3d6","line":26,"updated":"2019-10-04 19:43:26.000000000","message":"Does the reporter have any organizational/employment affiliation they wish to have credited along with their name?","commit_id":"918415b94f644e27b146e2a870c121b93e2002c3"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"19c07c2d86f309d974846e89d71a75eade952aa5","unresolved":false,"context_lines":[{"line_number":30,"context_line":"issues:"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"  links:"},{"line_number":33,"context_line":"    - https://storyboard.openstack.org/#!/story/2006660"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"reviews:"},{"line_number":36,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3fa7e38b_1bdaafe8","line":33,"updated":"2019-10-04 19:43:26.000000000","message":"This report is inaccessible. It should be switched to public now that you\u0027ve disclosed the vulnerability in this change as well as the various linked fixes.","commit_id":"918415b94f644e27b146e2a870c121b93e2002c3"},{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"ab7cfc0729938a52dada56ffc73b997a438e60da","unresolved":false,"context_lines":[{"line_number":34,"context_line":""},{"line_number":35,"context_line":"reviews:"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"  master:"},{"line_number":38,"context_line":"    - https://review.opendev.org/686540"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"  train:"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3fa7e38b_50348bde","line":37,"range":{"start_line":37,"start_character":2,"end_line":37,"end_character":8},"updated":"2019-10-04 13:51:34.000000000","message":"Not sure master needs to be mentioned.","commit_id":"918415b94f644e27b146e2a870c121b93e2002c3"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"19c07c2d86f309d974846e89d71a75eade952aa5","unresolved":false,"context_lines":[{"line_number":34,"context_line":""},{"line_number":35,"context_line":"reviews:"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"  master:"},{"line_number":38,"context_line":"    - https://review.opendev.org/686540"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"  train:"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3fa7e38b_3bd52bb8","line":37,"updated":"2019-10-04 19:43:26.000000000","message":"We usually do include it if the vulnerability is present at some point in the master branch and there\u0027s a fix proposed there.","commit_id":"918415b94f644e27b146e2a870c121b93e2002c3"},{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"ab7cfc0729938a52dada56ffc73b997a438e60da","unresolved":false,"context_lines":[{"line_number":55,"context_line":"  ocata:"},{"line_number":56,"context_line":"    - https://review.opendev.org/686547"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"  type: gerrit"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3fa7e38b_b0aa9fcf","line":58,"range":{"start_line":58,"start_character":2,"end_line":58,"end_character":14},"updated":"2019-10-04 13:51:34.000000000","message":"I think this is no longer needed but is still part of the template.\n\nhttps://security.openstack.org/vmt-process.html#openstack-security-advisories-ossa","commit_id":"918415b94f644e27b146e2a870c121b93e2002c3"},{"author":{"_account_id":27316,"name":"Daniel Preussker","email":"openstack@devilcode.org","username":"f0o"},"change_message_id":"9cc82105f03b17e6dfad81ed1003712f0cd09184","unresolved":false,"context_lines":[{"line_number":16,"context_line":"affected-products:"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"  - product: \u0027octavia\u0027"},{"line_number":19,"context_line":"    version: \u0027\u003e\u003d0.10.0 \u003c0.10.1, \u003e\u003d1.0.0 \u003c1.0.6, \u003e\u003d2.0.0 \u003c2.1.2, \u003e\u003d3.0.0 \u003c3.1.2, \u003e\u003d4.0.0 \u003c4.0.2 and \u003d\u003d5.0.0.0rc1\u0027"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"vulnerabilities:"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"3fa7e38b_69a43a09","line":19,"updated":"2019-10-05 07:07:56.000000000","message":"I\u0027ve bumped the current git-tags one up.\nThis is temporary until Adam or Carlos confirm to me that these will be the new versions that will be tagged.","commit_id":"fb5294b51544c07f1aa643e736705c71300948b1"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"529ec03a8a1d420938356cc4d6ee073a23af49c2","unresolved":false,"context_lines":[{"line_number":16,"context_line":"affected-products:"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"  - product: \u0027octavia\u0027"},{"line_number":19,"context_line":"    version: \u0027\u003e\u003d0.10.0 \u003c0.10.1, \u003e\u003d1.0.0 \u003c1.0.6, \u003e\u003d2.0.0 \u003c2.1.2, \u003e\u003d3.0.0 \u003c3.1.2, \u003e\u003d4.0.0 \u003c4.0.2 and \u003d\u003d5.0.0.0rc1\u0027"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"vulnerabilities:"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"3fa7e38b_b34930b8","line":19,"updated":"2019-10-07 14:24:02.000000000","message":"There will never be a 0.10.1 or 1.0.6 as the corresponding branches are now under \"extended maintenance\" (so no more point releases forthcoming). Sounds like you can increase 3.1.2 to 3.2.0 here and 4.0.2 to 4.1.0, though I do find it odd that stable branches for projects with the stable:follows-policy governance tag would ever merge changes which merit minor component SemVer increases as that implies things like newer minimum requirements or feature additions. Also I would leave out 5.0.0.0rc1 as that\u0027s not a release, just a prerelease, and we generally don\u0027t make any security guarantees about those. So maybe just...\n\n    version: \u0027\u003e\u003d0.10.0 \u003c2.1.2, \u003e\u003d3.0.0 \u003c3.2.0, \u003e\u003d4.0.0 \u003c4.1.0\u0027","commit_id":"fb5294b51544c07f1aa643e736705c71300948b1"},{"author":{"_account_id":27316,"name":"Daniel Preussker","email":"openstack@devilcode.org","username":"f0o"},"change_message_id":"0c7cd31dc78be6d52f0ea600afa1ba5a1156a5fb","unresolved":false,"context_lines":[{"line_number":16,"context_line":"affected-products:"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"  - product: \u0027octavia\u0027"},{"line_number":19,"context_line":"    version: \u0027\u003e\u003d0.10.0 \u003c0.10.1, \u003e\u003d1.0.0 \u003c1.0.6, \u003e\u003d2.0.0 \u003c2.1.2, \u003e\u003d3.0.0 \u003c3.1.2, \u003e\u003d4.0.0 \u003c4.0.2 and \u003d\u003d5.0.0.0rc1\u0027"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"vulnerabilities:"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"3fa7e38b_49785e2a","line":19,"in_reply_to":"3fa7e38b_29e64218","updated":"2019-10-05 08:27:41.000000000","message":"Happy to wait for the actual release numbers to be set :)","commit_id":"fb5294b51544c07f1aa643e736705c71300948b1"},{"author":{"_account_id":10273,"name":"Adam Harwell","email":"flux.adam@gmail.com","username":"rm_you"},"change_message_id":"6a06e5c92553b092a4d2516eccb6adafb0e7174d","unresolved":false,"context_lines":[{"line_number":16,"context_line":"affected-products:"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"  - product: \u0027octavia\u0027"},{"line_number":19,"context_line":"    version: \u0027\u003e\u003d0.10.0 \u003c0.10.1, \u003e\u003d1.0.0 \u003c1.0.6, \u003e\u003d2.0.0 \u003c2.1.2, \u003e\u003d3.0.0 \u003c3.1.2, \u003e\u003d4.0.0 \u003c4.0.2 and \u003d\u003d5.0.0.0rc1\u0027"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"vulnerabilities:"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"3fa7e38b_29e64218","line":19,"in_reply_to":"3fa7e38b_69a43a09","updated":"2019-10-05 08:08:35.000000000","message":"Per https://review.opendev.org/#/c/683202/ I think some might be bumped a little more? Need to check but honestly maybe this can wait until we\u0027ve actually released them and you can use the exact numbers.","commit_id":"fb5294b51544c07f1aa643e736705c71300948b1"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"5381f9fc206be63b556e1cb44e4fc0487d36044f","unresolved":false,"context_lines":[{"line_number":1,"context_line":"date: 2019-10-04"},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"id: OSSA-2019-005"},{"line_number":4,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"3fa7e38b_68b426d2","line":1,"updated":"2019-10-07 15:24:27.000000000","message":"Increasing this to the date of the current patchset (today) would probably also be a good idea if you end up making another update, but is not critical.","commit_id":"cfb32d221c1bce4fad0747eb486c39fbed7759c0"}]}