Time is running short to disclose this in a coordinated fashion before the holiday weeks. It's clearly not best practice to release a security advisory in the days before Christmas.
Nachi: are you comfortable with not disclosing this in the next two weeks (and waiting for the first days of January to coordinate the disclosure downstream)? Are you the original finder who should be credited for finding this?
Brian: what do you mean by "I saw this patch fix a live environment"? How public is this already?
Vish: there is no way to make the patch shorter? :)
I'm preparing the impact statement / CVE request and need a bit more information about impact. My understanding is that an authenticated user can issue commands for any project... Am I right in assuming that (1) you need to be authenticated, (2) you can issue any command and (3) this affects both EC2 and OSAPI?
In particular for (2), I suspect that the user cannot issue *any* command, but just the ones that he would be... entitled to on projects belonging to him? How do we map roles/users/projects usually?