Bugzilla CCs?
by Jason L Tibbitts III
Would it be reasonable to CC security-related bugzilla tickets here?
Currently it's not possible.
- J<
17 years, 12 months
Apache 1.3.7 (RH73) question wrt CVEs
by Jim Popovitch
In another arena I saw a list of CVEs against Apache 1.3.7. RH73 ships
with Apache 1.3.7-9 so I thought I would query BZ and see what I could
find of these. (I am a BZ newbie when it comes to queries).
CVE-2002-1233 Apache HTTP Server htpasswd and htdigest Multiple
Vulnerabilities
CVE-2004-0748, CVE-2004-0751 Apache HTTP Server mod_ssl Denial of Service
CVE-2003-0083, CVE-2003-0020 Linux/Unix: Apache Escape Sequence
Vulnerabilities
CVE-2003-0993 Apache mod_access Security Bypass
CVE-2004-0700 Apache mod_ssl Format String Vulnerability
Unfortunately I couldn't find any of those in the Comments under Apache
for Fedora Legacy Redhat 7.3. I can't believe that all of those
aren't addressed, so lack of query results suggests to me that I am
missing something. Some of those CVE/CANs are several years old, but
wouldn't the still be in BZ comments somewhere?
-Jim P.
17 years, 12 months
One Bugzilla report per distro version or one for all?
by Ville Skyttä
Best practice question:
Assuming a security issue in package foo which is shipped and vulnerable
in many distro versions, do people find it better to file one
copy-pasted bug report per distro version or a "combined" one for all
which lists the affected distro versions?
The one-for-all approach would have the benefit of easier copy-pasting
between audit/* files and probably more accurate Bugzilla references in
maintainer %changelog entries as the same specfile is used for all
distro versions in the vast majority of cases. It could make things
slightly harder to track, eg. in Bugzilla queries and such.
17 years, 12 months
perl-Net-SSLeay vulnerability
by Jason L Tibbitts III
The maintainer of perl-Net-SSLeay, Jose Pedro Oliveira
<jpo(a)lsd.di.uminho.pt> just contacted me about the procedure for
getting a security review; it seems the version in FC3 and FC4 has a
vulnerability but he would like some additional review of the
backport. I asked him to contact this list, but I'm not sure it's
open to nonmembers.
- J<
17 years, 12 months
Fedora Extras Security Response Team
by Josh Bressers
Hello everybody.
In case you didn't see, there was a post by Thorsten Leemhuis to the
fedora-extras list regarding the creation of a Fedora Extras security
response team. The message can be seen here:
https://www.redhat.com/archives/fedora-extras-list/2006-April/msg01650.html
Here are the people I know have an interest in helping out with the
security response team:
Hans de Goede
Jason L Tibbitts III
Dennis Gilmore
Jochen Schmitt
Ville Skyttä
Michael J Knox
If you're interested, feel free to chime in.
Right now I have a pretty good idea of what's needed to get this project
off the ground. We have a mailing list (which would be step one).
I need to fix up some CVS space for things like tools and tracking text
files. This repository is here:
http://cvs.fedora.redhat.com/viewcvs/fedora-security/?root=fedora
We will need a package manifest. Basically a file that tells us which
packages and versions we're currently shipping in extras. A tool to
generate this will also be needed since we'll want to update this file on a
regular basis. Given how fast Extras changes I think this will be the
easiest way to check if we currently ship package <foo>.
An errata template is needed. I'm thinking we should copy the current
Fedora Core template for now. We can mangle it as we see fit at a later
date.
Process needs to be documented on the fedoraproject wiki. Since we don't
currently have a process, this is the only thing done :)
The most important part of this will be making it easy to specify what we
expect of ourselves. I hope to have some time this weekend to clean up the
security wiki pages a bit.
I think this is enough for now. Questions, Comments?
--
JB
17 years, 12 months
Approved by the board
by Jesse Keating
We're now approved by the FESCO board.
So a few things we need to do, setup wiki space for the security
response group/team/whatever, include in there policy about what we're
doing. Then link to this policy from the Extras main page where
appropriate.
Step 3, profit!
--
Jesse Keating
Release Engineer: Fedora
18 years
Issues with no CVE number
by Ville Skyttä
Are security issues that don't have a CVE number tracked somewhere?
Some issues may not have it by the time they're disclosed and I guess
there are ones that for whatever reason don't have and aren't going to
get one. If they're tracked in the usual audit/* files, what's the
preferred format for them?
By the way, if more help is needed, feel free to add me (scop) rights to
commit to the fe[45] files.
18 years
Hints for working with CVEs?
by Jason L Tibbitts III
Does anyone have any notes for dealing with the CVE lists? I know the
main access page is http://www.cve.mitre.org/cve/, but all you can do
is download the whole list or do a text search. (And the whole list
in plain text is 15MB.) I see that someone at Purdue offers change
lists, but the format is not terribly useful (just the numbers of the
changed entries).
Are there any tools that can extract useful summaries of this data
that we could use? Even number and summary would be helpful.
For example, I know there's a recent clamav vulnerability that affects
Extras. Now, I can search to find out that it's CVE-2006-1989. I
know Enrico pushed 0.88.2 on May 2 so we're not vulnerable.
But, how would I have seen the CVE without knowing it existed? Click
on every link in the daily changelogs and manually read the
description? There has to be a more efficient way.
BTW, what would be the format of the line to add to the fe4 and fe5
files for this?
CVE-2006-1989 version (clamav, fixed 0.88.2)
(no bug number, no announcement obviously)
- J<
18 years
Am I on the right list
by John Stanton
Hello all,
This may sound silly, but I am trying to figure out if I am on the correct list. I want to keep up with any security notices and patch releases for Fedora (FC4 in particular). Have I subscribed to the right list? Lately, there seems to be a lot of talk about \extras. This isn't a flame, I'm just seeking confirmation that this is the place to be to track security issues for FC.
Thanks!
John
18 years
