14:03:00 <lhinds> #startmeeting security group
14:03:00 <collabot> Meeting started Wed Sep 21 14:03:00 2016 UTC. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:03:00 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:03:00 <collabot> The meeting name has been set to 'security_group'
14:03:18 <Sona> hi all
14:03:22 <aripie> hi
14:03:25 <serverascode> hello
14:03:40 <lhinds> #agenda https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:04:40 <lhinds> anyone wish to add any items?
14:05:25 <Sona> it looks ok
14:05:27 <lhinds> #topic security scanning
14:06:02 <lhinds> I don't think anything new here, I have been tied up in threat analysis, but that is over now, and Colorado drops tomorrow. So work will be picked up again.
14:06:09 <lhinds> so nothing from my side
14:06:14 <lhinds> serverascode ..
14:06:38 <serverascode> I haven't been able to do anything around packing yet, but I think the end of this week is looking more open for me
14:06:51 <serverascode> *packaging
14:07:00 <lhinds> that's fine, it was expected to be quiet as we have a code freeze
14:07:30 <lhinds> #topic ovsm
14:07:39 <lhinds> first advisory went out today
14:07:49 <lhinds> #link https://wiki.opnfv.org/pages/viewpage.action?pageId=7768349
14:08:06 <lhinds> this has been patched in c-release, and backported to b-release
14:08:25 <lhinds> quite a serious one too.
14:08:32 <Sona> good
14:08:50 <Sona> is there a list of CVEs/vulnerabilities fixed in C release?
14:09:13 <lhinds> Only one has a CVE, but awaiting the number from mitre.org
14:09:25 <lhinds> The others coming up..
14:09:33 <lhinds> #topic Security Audit
14:09:34 <Sona> how was this detected?
14:09:50 <lhinds> I found it, by grepping for private keys
14:10:06 <Sona> well done :)
14:10:09 <lhinds> but I am porting it to be a programmatic check in anteater
14:10:16 <lhinds> so was testing some code out
14:10:34 <lhinds> actually anteater could be a topic next meeting
14:10:44 <lhinds> sec audit
14:11:07 <lhinds> This is complete now, I will be sending out a summary to tech-discuss shortly.
14:11:33 <lhinds> In total there were 12 patches submitted and merged
14:11:59 <lhinds> fixes for cross site scripting attacks, unsafe yaml loading, shell executions, and private key leakage
14:12:07 <lhinds> so all sorts of nasty stuff.
14:13:15 <Sona> Luke, by sec audit do you mean those I helped you a little with?
14:13:26 <lhinds> Going to try and get the community to start using 'SecurityImpact' gerrit tags from now on, so we can review code before it's merged
14:13:27 <Sona> google docs?
14:13:48 <lhinds> Sona: yes, the google docs were for the reports.
14:14:07 <Sona> some of the projects are not using the TA template
14:14:20 <Sona> I tried to finish
14:14:42 <Sona> I did VSwitchperf
14:14:54 <lhinds> That's ok, the template is not so important, the time consuming part is reading the code and working out what they are doing.
14:15:10 <Sona> that is right :)
14:15:44 <lhinds> and we reached the cut off point for release too.
14:16:04 <lhinds> but I did do a cursory glance at that one that's not sent out and could not see anything nasty
14:16:50 <lhinds> ok I think that wraps it up.
14:16:57 <lhinds> #topic AOB
14:16:59 <Sona> ok good, thanks
14:17:16 <lhinds> anyone have anything, if not will close up shop till next week
14:17:29 <aripie> just a piece of ETSI info
14:17:36 <aripie> #link https://portal.etsi.org/webapp/MeetingCalendar/MeetingDetails.asp?m_id=18853
14:17:59 <aripie> there is an ETSI SEC f2f this week, expecting to finalize some drafts
14:18:03 <lhinds> oh yeah, I heard about that
14:18:27 <lhinds> they are all in the south of france, drinking wine and talking about what everyone is doing wrong :)
14:18:35 <aripie> so we'll see if they manage to get some drafts to final
14:18:46 <serverascode> south of france, wine, sounds nice
14:18:48 <aripie> ... you said it!
14:19:23 <lhinds> I spoke to one of them last night, drunk as a skunk in a nightclub somewhere.
14:19:31 <lhinds> k..
14:19:33 <lhinds> thanks all!
14:19:51 <lhinds> I will close up, but the channel is 24/7 if anything comes up
14:19:55 <lhinds> #endmeeting