)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"2349e0c243c2bb209bc6ded40ea3d94d067e185b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"14227d40_fbaf0aed","updated":"2024-11-25 23:50:22.000000000","message":"Suggestion for rephrasing inline.","commit_id":"9badb01724b4628a24a822cb03d096e030957619"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"143a10e3c3ac6e1a59f83a4dfda704bc730934eb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"8b1e9fb8_d70da863","updated":"2024-12-03 20:44:16.000000000","message":"I still think the first sentence leaves the impression that this could possibly be fixed by policy configuration, but looking at the patches, it\u0027s pretty obvious that a code change is required, so the attentive reader will not be fooled.","commit_id":"a1e1e2294c1a9365f5b02048a6f837c35458975f"}],"ossa/OSSA-2024-005.yaml":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"2349e0c243c2bb209bc6ded40ea3d94d067e185b","unresolved":true,"context_lines":[{"line_number":5,"context_line":"title: Authorization bypassed when setting tags on Neutron networks"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"description: |+"},{"line_number":8,"context_line":"  Neutron does not apply the proper policy check for changing network "},{"line_number":9,"context_line":"  tags. 
An unprivileged tenant is able to change (add and clear) tags "},{"line_number":10,"context_line":"  on network objects which do not belong to the tenant, and this action is"},{"line_number":11,"context_line":"  not being subjected to the rule:update_network authorization check."},{"line_number":12,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"de55d2d2_a70cde3f","line":9,"range":{"start_line":8,"start_character":1,"end_line":9,"end_character":7},"updated":"2024-11-25 23:50:22.000000000","message":"I suggest phrasing this a bit differently.  My understanding is that the issue isn\u0027t that neutron is checking against the wrong policy, it\u0027s that there\u0027s a bug in the way the policy is applied.  (In other words, this is something that must be corrected in code, it can\u0027t be corrected by policy configuration.)","commit_id":"9badb01724b4628a24a822cb03d096e030957619"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"2349e0c243c2bb209bc6ded40ea3d94d067e185b","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  Neutron does not apply the proper policy check for changing network "},{"line_number":9,"context_line":"  tags. 
An unprivileged tenant is able to change (add and clear) tags "},{"line_number":10,"context_line":"  on network objects which do not belong to the tenant, and this action is"},{"line_number":11,"context_line":"  not being subjected to the rule:update_network authorization check."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"affected-products:"},{"line_number":14,"context_line":"  - product: Neutron"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3e0a387b_b41894a4","line":11,"range":{"start_line":11,"start_character":29,"end_line":11,"end_character":48},"updated":"2024-11-25 23:50:22.000000000","message":"This is what was reported in the bug, but it looks like there is a tag-specific policy that wasn\u0027t being applied correctly:\nhttps://review.opendev.org/c/openstack/neutron/+/896509/13/neutron/extensions/tagging.py#163","commit_id":"9badb01724b4628a24a822cb03d096e030957619"},{"author":{"_account_id":20178,"name":"Tore Anderson","email":"tore@fud.no"},"change_message_id":"a193fd1b3e6046d4d446a181eba70d8b2be77a01","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  Neutron does not apply the proper policy check for changing network "},{"line_number":9,"context_line":"  tags. 
An unprivileged tenant is able to change (add and clear) tags "},{"line_number":10,"context_line":"  on network objects which do not belong to the tenant, and this action is"},{"line_number":11,"context_line":"  not being subjected to the rule:update_network authorization check."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"affected-products:"},{"line_number":14,"context_line":"  - product: Neutron"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"d61ff3c1_0507eb5b","line":11,"range":{"start_line":11,"start_character":29,"end_line":11,"end_character":48},"in_reply_to":"3e0a387b_b41894a4","updated":"2024-11-27 07:32:28.000000000","message":"I can confirm that the rule:network_update comment in the bug report text was merely an assumption on my (i.e., the submitter\u0027s) part. I observed it was rule:update_network that denied updates to the \u0027description\u0027 attribute, so I mistakenly assumed it would be the same logic that ought to have been applied for updates to the \u0027tags\u0027 attribute as well.","commit_id":"9badb01724b4628a24a822cb03d096e030957619"},{"author":{"_account_id":20178,"name":"Tore Anderson","email":"tore@fud.no"},"change_message_id":"aced755212c64895f11d622b00aaa2a5810f9a7d","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  Neutron does not apply the proper policy check for changing network "},{"line_number":9,"context_line":"  tags. 
An unprivileged tenant is able to change (add and clear) tags "},{"line_number":10,"context_line":"  on network objects which do not belong to the tenant, and this action is"},{"line_number":11,"context_line":"  not being subjected to the rule:update_network authorization check."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"affected-products:"},{"line_number":14,"context_line":"  - product: Neutron"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"135b7d44_45cf4236","line":11,"range":{"start_line":11,"start_character":29,"end_line":11,"end_character":48},"in_reply_to":"d61ff3c1_0507eb5b","updated":"2024-12-03 06:52:25.000000000","message":"Seems like the check applied to tags is called \"rule:update_networks_tags\", cf. https://bugs.launchpad.net/neutron/+bug/2088986/comments/12","commit_id":"9badb01724b4628a24a822cb03d096e030957619"},{"author":{"_account_id":20178,"name":"Tore Anderson","email":"tore@fud.no"},"change_message_id":"a193fd1b3e6046d4d446a181eba70d8b2be77a01","unresolved":true,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"reporters:"},{"line_number":21,"context_line":"  - name: Tore Anderson"},{"line_number":22,"context_line":"    affiliation: Redpill Linaro AS"},{"line_number":23,"context_line":"    reported: CVE-2024-53916"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"issues:"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"40109184_a2aa459c","line":22,"updated":"2024-11-27 07:32:28.000000000","message":"Replace «Linaro» with «Linpro» here (full company name is «Redpill Linpro AS»).","commit_id":"9badb01724b4628a24a822cb03d096e030957619"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / 
podcast.gr-oss.io"},"change_message_id":"7e5aa2e59247eebb1724aafb497a5b88843ecc97","unresolved":true,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"reporters:"},{"line_number":21,"context_line":"  - name: Tore Anderson"},{"line_number":22,"context_line":"    affiliation: Redpill Linaro AS"},{"line_number":23,"context_line":"    reported: CVE-2024-53916"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"issues:"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"23e30af7_96411fdd","line":22,"in_reply_to":"40109184_a2aa459c","updated":"2024-11-27 16:03:57.000000000","message":"I keep misreading that name! I\u0027m sorry; will revise this next week after holiday is up; or someone else in VMT will if it needs to merge before then.","commit_id":"9badb01724b4628a24a822cb03d096e030957619"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"42a4a0ec96fdae81a9a5a2d770666e6f8ae3858d","unresolved":false,"context_lines":[{"line_number":4,"context_line":""},{"line_number":5,"context_line":"title: Authorization bypassed when setting tags on Neutron networks"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"description: |+"},{"line_number":8,"context_line":"  Neutron does not apply the proper policy check for changing network "},{"line_number":9,"context_line":"  tags. 
An unprivileged tenant is able to change (add and clear) tags "},{"line_number":10,"context_line":"  on network objects which do not belong to the tenant, and this action is"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f0ebc7b_68735c99","line":7,"updated":"2024-12-02 22:54:29.000000000","message":"In the past, we\u0027ve included reporter attribution as the first sentence of the description (see our standard impact statement template).","commit_id":"a94f716d66c3292a70c059d4aaa0c9b704aa7304"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"80e9e659e3b91720cbebc2972ffabbe2c46a3d92","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"description: |+"},{"line_number":8,"context_line":"  Neutron does not apply the proper policy check for changing network "},{"line_number":9,"context_line":"  tags. 
An unprivileged tenant is able to change (add and clear) tags "},{"line_number":10,"context_line":"  on network objects which do not belong to the tenant, and this action is"},{"line_number":11,"context_line":"  not being subjected to the rule:update_network authorization check."},{"line_number":12,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"05effb2e_5935d7a2","line":9,"updated":"2024-12-02 22:49:18.000000000","message":"Nit: These two lines have trailing whitespace, though that shouldn\u0027t break anything.","commit_id":"a94f716d66c3292a70c059d4aaa0c9b704aa7304"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"80e9e659e3b91720cbebc2972ffabbe2c46a3d92","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"affected-products:"},{"line_number":14,"context_line":"  - product: Neutron"},{"line_number":15,"context_line":"    version: \u0027\u003e\u003d23.0.0 \u003c23.0.3, \u003e\u003d24.0.0 \u003c24.0.2, \u003e\u003d25.0.0 \u003c25.0.1\u0027"},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"vulnerabilities:"},{"line_number":18,"context_line":"  - cve-id: CVE-2024-53916"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"090cd09d_35c5b612","line":15,"updated":"2024-12-02 22:49:18.000000000","message":"The last stable/bobcat tag is 23.2.0, so this should be:\n\n    version: \u0027\u003e\u003d23.0.0 \u003c23.2.1, \u003e\u003d24.0.0 \u003c24.0.2, \u003e\u003d25.0.0 \u003c25.0.1\u0027\n\n(the rest look correct based on my reading of https://releases.openstack.org/teams/neutron.html )","commit_id":"a94f716d66c3292a70c059d4aaa0c9b704aa7304"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed 
fed"},"change_message_id":"80e9e659e3b91720cbebc2972ffabbe2c46a3d92","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"reporters:"},{"line_number":21,"context_line":"  - name: Tore Anderson"},{"line_number":22,"context_line":"    affiliation: Redpill Linaro AS"},{"line_number":23,"context_line":"    reported: CVE-2024-53916"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"issues:"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"5edab4a5_a2d82b55","line":22,"updated":"2024-12-02 22:49:18.000000000","message":"lin_P_ro not lin_A_ro","commit_id":"a94f716d66c3292a70c059d4aaa0c9b704aa7304"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"80e9e659e3b91720cbebc2972ffabbe2c46a3d92","unresolved":false,"context_lines":[{"line_number":27,"context_line":"    - https://launchpad.net/bugs/2088986"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"reviews:"},{"line_number":30,"context_line":"  2025.1/epoxy (neutron):"},{"line_number":31,"context_line":"    - https://review.opendev.org/c/openstack/neutron/+/935883"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"  2024.2/dalmatian(neutron):"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"d0ea0d61_2047fffe","line":30,"updated":"2024-12-02 22:49:18.000000000","message":"We normally omit the (neutron) if all changes are for the same project, that was just an infrequent (but unfortunately somewhat frequent lately) addition in advisories which spanned multiple deliverable repos.","commit_id":"a94f716d66c3292a70c059d4aaa0c9b704aa7304"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed 
fed"},"change_message_id":"26f7018de783f22468a4a3b05d7e5da202418a48","unresolved":false,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":"reporters:"},{"line_number":22,"context_line":"  - name: Tore Anderson"},{"line_number":23,"context_line":"    affiliation: Redpill LinPro AS"},{"line_number":24,"context_line":"    reported: CVE-2024-53916"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"issues:"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"5bdbe58a_c46d8d42","line":23,"updated":"2024-12-03 15:40:46.000000000","message":"Nit: (and above) My capitalization of the P was for emphasis and in case the a and p were indistinct in your font. Checking their site at https://redpill-linpro.com/ it seems to be styled with a lower-case p, though I don\u0027t know if that\u0027s important enough to warrant another revision.","commit_id":"bee69c481907ea87600e1e0cf617cdd96ea596c6"}]}
