
Discussion items

Time | Item | Who | Notes
* | Timing of releases | Team |

Should we release both fixes together, or independently?

  • A fix for the first module (more critical) can be released as soon as tomorrow AM ET.
  • A fix for the second module can be released no sooner than Thursday.

Now that the question has been posed to #Sys-Ops, how long do we wait for responses before making a decision/plan?

We agreed that releasing

  • Give it a few hours (3:00 PM ET) and make a call.

From the Security team's perspective, releasing both modules at the same time on Thursday is the preferred approach.

Craig McNally will convey this to Oleksii P. and the two development teams involved once a decision has been made.

We agree with the approach of announcing the module releases to the sys-ops community prior to announcing the CSP of which these module releases will eventually be part. The CSP release announcements are made to a broader swath of the community.

* | Preparing notifications to send out when releases are available | Team |

The fix involves not only updating the module, but also additional operational changes (specifying the system user password via an environment variable). How do we want to communicate this without essentially describing the exploit?

  • There's nothing we can do about it.  We need to describe how to patch the vulnerability.  It's inevitable that some will read between the lines and gain an understanding of the exploit from this information.
