© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
Time is running short to disclose this in a coordinated fashion before the holiday weeks. It's clearly not best practice to release a security advisory the days before Christmas.
Nachi: are you comfortable with not disclosing this in the next two weeks (and wait for the first days of January for coordinating the disclosure downstream) ? Are you the original finder that should be credited for finding this ?
Brian: what do you mean by "I saw this patch fix a live environment" ? How public is this already ?
Vish: there is no way to make the patch shorter ? :)
I'm preparing the impact statement / CVE request and need a bit more information about impact. My understanding is that an authentified user can issue commands for any project... Am I right in assuming that (1) you need to be authentified, (2) you can issue any command and (3) this affects both EC2 and OSAPI ?
In particular for (2), I suspect that the user cannot issue *any* command, but just the ones that he would be... entitled to on projects belonging to him ? How do we map roles/users/