Security Working Group meeting - Wednesday Jan 4 - results
jrey at linux.ibm.com
Thu Jan 5 05:59:39 AEDT 2023
An OpenBMC Security Working Group meeting is scheduled for this
Wednesday Jan 4 at 10:00am PDT.
The meeting is on Discord voice.
=== MEETING ACCESS ON DISCORD VOICE ===
First, join Discord via https://discord.gg/69Km47zH98
<https://discord.gg/69Km47zH98> and confirm via email.
Then, to join: navigate Discord > OpenBMC > Voice channels > Security ~
We'll discuss items on the agenda
items proposed on the Discord OpenBMC #security channel, and anything
else that comes up:
Sorry, I neglected to send the meeting reminder. There was one topic...
Attended (Discord screen names): Attendance was low, possibly due to the
recent holiday - Joseph Reynolds, Dick Wilkins, ddaniil, ssekar.
Per Joseph, the OpenBMC BMCWeb team investigated CVE-2022-40259 and
believes it does not apply to OpenBMC. Will remove this agenda item.
In general, is it fair to ask if a non-OpenBMC CVE applies to OpenBMC?
Yes, this analysis is typically requested for high severity CVEs. For
example, a security response team needs definitive information to be
able to make a statement like “We investigated CVE xyz and it does not
In general, do security response teams (such as OpenBMC SRT) reach out
to competing projects for help to perform confidential analysis? Yes,
for example, UEFI reaches out to other SRTs as needed. It is helpful
when analyzing a problem to first expand the scope of the problem, for
example to ask if it affects other implementations.
We discussed alternate options for working with the OpenBMC SRT:
Join the OpenBMC SRT. Note that membership is generally limited to
active members who make fixes in the OpenBMC project.
Attend security working group meetings (this meeting). But note
that private discussions cannot be discussed in this public meeting,
so information about vulnerabilities will be delayed compared to
other communication methods.
The OpenBMC SRT can reach out to other SRTs as needed.
How can OpenBMC SRT reach out to other SRTs? Use their confidential
vulnerability reporting process (variously named Product Security
Incident Response Team (PSIRT), SIRT, Security Team, etc).
Access, agenda and notes are in the OpenBMC Security wiki:
More information about the openbmc