14:03:00 <lhinds> #startmeeting security group
14:03:00 <collabot> Meeting started Wed Sep 21 14:03:00 2016 UTC.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:03:00 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:03:00 <collabot> The meeting name has been set to 'security_group'
14:03:18 <Sona> hi all
14:03:22 <aripie> hi
14:03:25 <serverascode> hello
14:03:40 <lhinds> #agenda https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:04:40 <lhinds> anyone wish to add any items?
14:05:25 <Sona> it looks ok
14:05:27 <lhinds> #topic security scanning
14:06:02 <lhinds> I don't think anything new here, I have been tied up in threat analysis, but that is over now, and Colorado drops tomorrow. So work will be picked up again.
14:06:09 <lhinds> so nothing from my side
14:06:14 <lhinds> serverascode ..
14:06:38 <serverascode> I haven't been able to do anything around packing yet, but I think the end of this week is looking more open for me
14:06:51 <serverascode> *packaging
14:07:00 <lhinds> that's fine, it was expected to be quiet as we have a code freeze
14:07:30 <lhinds> #topic ovsm
14:07:39 <lhinds> first advisory went out today
14:07:49 <lhinds> #link https://wiki.opnfv.org/pages/viewpage.action?pageId=7768349
14:08:06 <lhinds> this has been patched in c-release, and backported to b-release
14:08:25 <lhinds> quite a serious one too.
14:08:32 <Sona> good
14:08:50 <Sona> is there a list of CVEs/vulnerabilities fixed in C release?
14:09:13 <lhinds> Only one has a CVE, but awaiting the number from mitre.org
14:09:25 <lhinds> The others coming up..
14:09:33 <lhinds> #topic Security Audit
14:09:34 <Sona> how was this detected?
14:09:50 <lhinds> I found it, by grepping for private keys
14:10:06 <Sona> well done :)
14:10:09 <lhinds> but I am porting it to be a programmatic check in anteater
14:10:16 <lhinds> so was testing some code out
14:10:34 <lhinds> actually anteater could be a topic next meeting
14:10:44 <lhinds> sec audit
14:11:07 <lhinds> This is complete now, I will be sending out a summary to tech-discuss shortly.
14:11:33 <lhinds> In total there were 12 patches submitted and merged
14:11:59 <lhinds> fixes for cross site scripting attacks, unsafe yaml loading, shell executions, and private key leakage
14:12:07 <lhinds> so all sorts of nasty stuff.
14:13:15 <Sona> Luke, by sec audit do you mean those I helped you a little?
14:13:26 <lhinds> Going to try and get the community to start using 'SecurityImpact' gerrit tags from now on, so we can review code before it's merged
14:13:27 <Sona> google docs?
14:13:48 <lhinds> Sona: yes, the google docs were for the reports.
14:14:07 <Sona> some of projects are not using the TA template
14:14:20 <Sona> I tried to finish
14:14:42 <Sona> I did VSwitchperf
14:14:54 <lhinds> That's ok, the template is not so important, the time consuming part is reading the code and working out what they are doing.
14:15:10 <Sona> that is right :)
14:15:44 <lhinds> and we reached the cut off point for release too.
14:16:04 <lhinds> but I did do a cursory glance and that one's not sent out and could not see anything nasty
14:16:50 <lhinds> ok I think that wraps it up.
14:16:57 <lhinds> #topic AOB
14:16:59 <Sona> ok good, thanks
14:17:16 <lhinds> anyone have anything, if not will close up shop till next week
14:17:29 <aripie> just a piece of ETSI info
14:17:36 <aripie> #link https://portal.etsi.org/webapp/MeetingCalendar/MeetingDetails.asp?m_id=18853
14:17:59 <aripie> there is an ETSI SEC f2f this week, expecting to finalize some drafts
14:18:03 <lhinds> oh yeah, I heard about that
14:18:27 <lhinds> they are all in the south of france, drinking wine and talking about what everyone is doing wrong :)
14:18:35 <aripie> so we'll see if they manage to get some drafts to final
14:18:46 <serverascode> south of france, wine, sounds nice
14:18:48 <aripie> ... you said it!
14:19:23 <lhinds> I spoke to one of them last night, drunk as a skunk in a nightclub somewhere.
14:19:31 <lhinds> k..
14:19:33 <lhinds> thanks all!
14:19:51 <lhinds> I will close up, but the channel is 24/7 if anything comes up
14:19:55 <lhinds> #endmeeting