)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b4a5bdfd9321300bad338e22dec932620613de6e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"d7329efc_85239dfe","updated":"2026-04-07 16:04:29.000000000","message":"005 is being taken at the moment; will update this shortly","commit_id":"2d576a57a4f56aa2add707de791f8a7594a26644"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"3b588955d8dc51706f102af3d68d6f0c800d430f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"52cc7154_e970bbe6","updated":"2026-03-25 21:40:44.000000000","message":"Text reads well; rendered HTML looks fine.\n\nThis is what you\u0027ll be pasting into the advisory email:\nhttps://de19e57dd79c29d6fa65-9c39e1b31aead2b89889cdc7bed43508.ssl.cf2.rackcdn.com/openstack/959ab8f0e59344e0b112ad043916cff9/docs/_sources/ossa/OSSA-2026-005.rst.txt","commit_id":"2d576a57a4f56aa2add707de791f8a7594a26644"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"18498213a557f7e259b8d8fc9fb5cddd906d4c86","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"5b85efd0_d1474681","updated":"2026-04-09 12:19:12.000000000","message":"Two suggestions inline; otherwise, everything LGTM.","commit_id":"751d94653f32ff000ad85a98a16c9cd8614add32"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"fef8dea1fd17258d125e4101c661827b50ac0dba","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"73500710_be2a4324","updated":"2026-04-09 20:51:27.000000000","message":"Revisions LGTM.","commit_id":"31e6e2e6387c0dfa6b385c8ecb95a5c5ca1d7ddf"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"12aea8cf68191339a79de0499592e935e53bc56e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"2a3c817d_a5ac4b2f","updated":"2026-04-09 20:45:22.000000000","message":"ty @rosmaita.fossdev@gmail.com and @fungi@yuggoth.org. Made the changes you suggested","commit_id":"31e6e2e6387c0dfa6b385c8ecb95a5c5ca1d7ddf"}],"ossa/OSSA-2026-006.yaml":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"0dfdf7bd29f5927f13071edfa067c7345dbdcbb3","unresolved":false,"context_lines":[{"line_number":1,"context_line":"date: 2026-04-09"},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"id: OSSA-2026-006"},{"line_number":4,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"350c6169_b92706f5","line":1,"updated":"2026-04-09 20:33:42.000000000","message":"If it doesn\u0027t end up merging in the next few hours, you\u0027ll want to bump this as well.","commit_id":"751d94653f32ff000ad85a98a16c9cd8614add32"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"c7cc80f761df7797b29aedd898b5689b34343147","unresolved":false,"context_lines":[{"line_number":21,"context_line":"  use the Skyline Console web interface to view instance console logs are"},{"line_number":22,"context_line":"  affected. Until upgraded, operators should restrict or avoid use of"},{"line_number":23,"context_line":"  \"View Full Log\" for instances where console output may be influenced"},{"line_number":24,"context_line":"  by untrusted users."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"affected-products:"},{"line_number":27,"context_line":"  - product: skyline-console"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"e53b715b_fa512865","line":24,"updated":"2026-04-09 13:30:26.000000000","message":"I\u0027d drop sentences #3-5 and move sentence #7 to a note. Try to keep the description paragraph to only critical information needed to credit the reporter and inform readers whether they should apply the patch.","commit_id":"751d94653f32ff000ad85a98a16c9cd8614add32"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"12aea8cf68191339a79de0499592e935e53bc56e","unresolved":false,"context_lines":[{"line_number":21,"context_line":"  use the Skyline Console web interface to view instance console logs are"},{"line_number":22,"context_line":"  affected. Until upgraded, operators should restrict or avoid use of"},{"line_number":23,"context_line":"  \"View Full Log\" for instances where console output may be influenced"},{"line_number":24,"context_line":"  by untrusted users."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"affected-products:"},{"line_number":27,"context_line":"  - product: skyline-console"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"4ee9d5ae_15a0fbba","line":24,"in_reply_to":"e53b715b_fa512865","updated":"2026-04-09 20:45:22.000000000","message":"Done","commit_id":"751d94653f32ff000ad85a98a16c9cd8614add32"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"c7cc80f761df7797b29aedd898b5689b34343147","unresolved":false,"context_lines":[{"line_number":25,"context_line":""},{"line_number":26,"context_line":"affected-products:"},{"line_number":27,"context_line":"  - product: skyline-console"},{"line_number":28,"context_line":"    version: \u0027\u003c5.0.1, \u003e\u003d6.0.0 \u003c6.0.1, \u003d\u003d7.0.0\u0027"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"vulnerabilities:"},{"line_number":31,"context_line":"  - cve-id: CVE-2026-pending"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"b7d0978c_15055e13","line":28,"updated":"2026-04-09 13:30:26.000000000","message":"You can replace \u0027\u003e\u003d6.0.0 \u003c6.0.1\u0027 with just \u0027\u003d\u003d6.0.0\u0027 here.","commit_id":"751d94653f32ff000ad85a98a16c9cd8614add32"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"12aea8cf68191339a79de0499592e935e53bc56e","unresolved":false,"context_lines":[{"line_number":25,"context_line":""},{"line_number":26,"context_line":"affected-products:"},{"line_number":27,"context_line":"  - product: skyline-console"},{"line_number":28,"context_line":"    version: \u0027\u003c5.0.1, \u003e\u003d6.0.0 \u003c6.0.1, \u003d\u003d7.0.0\u0027"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"vulnerabilities:"},{"line_number":31,"context_line":"  - cve-id: CVE-2026-pending"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"ced469d4_5c0d5d06","line":28,"in_reply_to":"b7d0978c_15055e13","updated":"2026-04-09 20:45:22.000000000","message":"Done","commit_id":"751d94653f32ff000ad85a98a16c9cd8614add32"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"18498213a557f7e259b8d8fc9fb5cddd906d4c86","unresolved":true,"context_lines":[{"line_number":53,"context_line":"  2024.2/dalmatian:"},{"line_number":54,"context_line":"    - https://review.opendev.org/982356"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"notes:"},{"line_number":57,"context_line":"  - The fix was merged publicly on the master branch before coordinated"},{"line_number":58,"context_line":"    disclosure; consequently, the embargo on this bug has been dropped."},{"line_number":59,"context_line":"  - The fix replaces the unsafe document.write() call with React JSX"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"bc5dc529_d575b095","line":56,"updated":"2026-04-09 12:19:12.000000000","message":"I suggest explicitly saying:\n\n  - A CVE request was filed with MITRE on \u003cdate\u003e.\n\n(to make it clear that \"pending\" doesn\u0027t mean \"not yet applied for\")","commit_id":"751d94653f32ff000ad85a98a16c9cd8614add32"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"12aea8cf68191339a79de0499592e935e53bc56e","unresolved":false,"context_lines":[{"line_number":53,"context_line":"  2024.2/dalmatian:"},{"line_number":54,"context_line":"    - https://review.opendev.org/982356"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"notes:"},{"line_number":57,"context_line":"  - The fix was merged publicly on the master branch before coordinated"},{"line_number":58,"context_line":"    disclosure; consequently, the embargo on this bug has been dropped."},{"line_number":59,"context_line":"  - The fix replaces the unsafe document.write() call with React JSX"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"e1dde6bc_483639d9","line":56,"in_reply_to":"bc5dc529_d575b095","updated":"2026-04-09 20:45:22.000000000","message":"Nice, i can start doing this..","commit_id":"751d94653f32ff000ad85a98a16c9cd8614add32"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"18498213a557f7e259b8d8fc9fb5cddd906d4c86","unresolved":true,"context_lines":[{"line_number":55,"context_line":""},{"line_number":56,"context_line":"notes:"},{"line_number":57,"context_line":"  - The fix was merged publicly on the master branch before coordinated"},{"line_number":58,"context_line":"    disclosure; consequently, the embargo on this bug has been dropped."},{"line_number":59,"context_line":"  - The fix replaces the unsafe document.write() call with React JSX"},{"line_number":60,"context_line":"    rendering, which automatically escapes interpolated string values"},{"line_number":61,"context_line":"    before inserting them into the DOM."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"c3bdd171_fc8d8b3e","line":58,"updated":"2026-04-09 12:19:12.000000000","message":"I suggest also mentioning that it was merged before the stable/2026.1 branch was cut, so there is no specific stable/2026.1 patch, and the patch was automatically included in the gazpacho release.","commit_id":"751d94653f32ff000ad85a98a16c9cd8614add32"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"12aea8cf68191339a79de0499592e935e53bc56e","unresolved":false,"context_lines":[{"line_number":55,"context_line":""},{"line_number":56,"context_line":"notes:"},{"line_number":57,"context_line":"  - The fix was merged publicly on the master branch before coordinated"},{"line_number":58,"context_line":"    disclosure; consequently, the embargo on this bug has been dropped."},{"line_number":59,"context_line":"  - The fix replaces the unsafe document.write() call with React JSX"},{"line_number":60,"context_line":"    rendering, which automatically escapes interpolated string values"},{"line_number":61,"context_line":"    before inserting them into the DOM."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"f98146f5_863bf6dc","line":58,"in_reply_to":"c3bdd171_fc8d8b3e","updated":"2026-04-09 20:45:22.000000000","message":"++ ty","commit_id":"751d94653f32ff000ad85a98a16c9cd8614add32"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"c7cc80f761df7797b29aedd898b5689b34343147","unresolved":false,"context_lines":[{"line_number":58,"context_line":"    disclosure; consequently, the embargo on this bug has been dropped."},{"line_number":59,"context_line":"  - The fix replaces the unsafe document.write() call with React JSX"},{"line_number":60,"context_line":"    rendering, which automatically escapes interpolated string values"},{"line_number":61,"context_line":"    before inserting them into the DOM."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1caee61f_8f33fa98","line":61,"updated":"2026-04-09 13:30:26.000000000","message":"These two notes aren\u0027t necessary to include in the advisory, their details can be found in the bug for anyone curious as to why there wasn\u0027t advance notification to downstrean stakeholders prior to publication, or to understand more about how the patch is implemented.","commit_id":"751d94653f32ff000ad85a98a16c9cd8614add32"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"12aea8cf68191339a79de0499592e935e53bc56e","unresolved":false,"context_lines":[{"line_number":58,"context_line":"    disclosure; consequently, the embargo on this bug has been dropped."},{"line_number":59,"context_line":"  - The fix replaces the unsafe document.write() call with React JSX"},{"line_number":60,"context_line":"    rendering, which automatically escapes interpolated string values"},{"line_number":61,"context_line":"    before inserting them into the DOM."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"35c65b0f_d1ca6e2a","line":61,"in_reply_to":"1caee61f_8f33fa98","updated":"2026-04-09 20:45:22.000000000","message":"yeah, redundant.. ty dropped","commit_id":"751d94653f32ff000ad85a98a16c9cd8614add32"}]}