I want to warn about the way that Fedora treats security. I'm a compulsive reader of security lists like bugtraq, and I've never seen a security advisory published by a Fedora Security Coordinator (or something like that) as I've seen in other distros (Debian, Gentoo, SuSE ...) notifying about important security advisories.
I regularly check for updates using yum and see that there are new RPM updates. I believe that these updates contain the security fixes, but I really don't know because there are no advisories.
I got fed up and did a little research about security and Fedora, so I took a quite old security advisory relating to "lha". Some people found security bugs in this tool; you can see more info here: http://www.securiteam.com/unixfocus/5LP000KCVC.html
Today many distros have the appropriate security advisory and patch; one of these distros is RedHat: http://rhn.redhat.com/errata/RHSA-2004-179.html but Fedora users don't have a security advisory or security patch. I checked yum and I don't see anything about lha, and the lha version shipped with Fedora Core 1 is vulnerable:

[ice@laptop ice]$ rpm -qa | grep -i lha
lha-1.14i-12
[ice@laptop ice]$ lha x buf_oflow.lha
LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Segmentation fault
[ice@laptop ice]$

Where is the security advisory??? And the security patch??? Why doesn't Fedora have a security coordinator or even a security team??
On Tue, 11 May 2004 13:43:59 +0200, StoneBeat stonebeat@ya.com wrote:
Where is the security advisory??? And the security patch???
Security advisories for updates that have been released go here: http://www.redhat.com/archives/fedora-announce-list/
Security advisories for updates in testing go to http://www.redhat.com/archives/fedora-test-list/
FedoraNews even has an rss feed. http://www.fedoranews.org/rss/fedora-updates.xml
Cross-posting the update release announcements to other lists is something to consider. Why isn't it happening yet? That I don't know; maybe it's just one of those tasks waiting for a community volunteer to take responsibility for.
Why doesn't Fedora have a security coordinator or even a security team??
A difficult question, and probably too important an answer to be substituted with the assumption I'm working under that Red Hat's security coord is also coordinating Fedora security to some extent.
-jef
Hi Jeff, StoneBeat,
Why doesn't Fedora have a security coordinator or even a security team??
A difficult question, and probably too important an answer to be substituted with the assumption I'm working under that Red Hat's security coord is also coordinating Fedora security to some extent.
Also see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=121417 :-)
Over the last few days we've been doing some checking of FC1 and FC2 security issues.
For FC1 there are a few cases where updates have been made available but the associated announcement email seems to have been eaten before making it out to fedora-announce-list. These are CAN-2004-0179, CAN-2003-0695, CAN-2004-0180, and the recent CAN-2004-0421, CAN-2003-0856. We'll have to redo those announcements.
For FC1 there have also been a few cases where updates are required but are not released (I've pinged all the folks responsible for those packages individually and now have bugzilla entries at "security" level). These are CAN-2004-0234/5, CAN-2003-0988, CAN-2004-0409, CAN-2003-0564, CAN-2004-0191, CAN-2004-0113.
For FC2 we went back through the issues of the last 6 months to see if these were fixed by FC2 containing a fixed upstream version or if the FC2 package contained a backport. There are a few issues that will require updates: I've opened bugzilla entries for each of these at "security" level. These include CAN-2004-0399/0400, CAN-2004-0403, CAN-2004-0409.
Thanks, Mark
Hi Mark,
Over the last few days we've been doing some checking of FC1 and FC2 security issues.
Thanks for the update, but instead of using only CAN numbers it would be clearer to most if you also named the involved packages.
Leonard.
On Wed, 2004-05-12 at 11:32 +0200, Leonard den Ottolander wrote:
Hi Mark,
Over the last few days we've been doing some checking of FC1 and FC2 security issues.
Thanks for the update, but instead of using only CAN numbers it would be clearer to most if you also named the involved packages.
Leonard.
Perhaps simply a suggestion of where people should find more information. The purpose of CAN numbers is to clearly and unambiguously identify issues, so people won't have to explain each issue; they could indirectly involve numerous packages.
The initial email was from a 'compulsive reader of security lists' so it was fair to assume he knew this.
For CAN-2004-0113 for instance... http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAN-2004-0113