RFC: Setup security@fp.o to individually encrypt to all
by Eric Christensen
I didn't realize this was possible before, but the linux-distros list supports
per-user PGP encryption. Basically, you send an encrypted message in and the
server re-encrypts the message to all subscribers.
I wonder if this would be a better idea for encryption on the security(a)fp.o
email address (and related list) than a shared GPG key. Thoughts?
--Eric
Information Security Training - Recommended Reading
by Eric Christensen
Inside Red Hat I've been compiling lists of resources that we suggest people
use to get a better understanding of information security topics. I'm
liberating some of this information in hopes that we can help others in the
community increase their knowledge and skills.
Earlier today I created a wiki page[0] containing Information Security
learning resources. Feel free to add on to this list. I do ask that all
resources on the list be publicly available for free.
Go and enjoy.
[0] https://fedoraproject.org/wiki/Information_Security_Training
--Eric
Security Team Meeting Minutes for 2015-10-29
by Eric Christensen
Meeting started by Sparks at 14:00:27 UTC. The full logs are available
at
http://meetbot.fedoraproject.org/fedora-meeting/2015-10-29/fedora_securit...
.
Meeting summary
---------------
* Roll Call (Sparks, 14:00:33)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:05:51)
* Follow up on last week's tasks (Sparks, 14:05:59)
* ACTION: Sparks to add "issues" to fedora-meeting-report on github
(Sparks, 14:06:12)
* ACTION: Sparks to talk with mattdm regarding private security
tickets in BZ. (Sparks, 14:07:01)
* This discussion has begun on the list with a request for a full
response team. (Sparks, 14:07:13)
* ACTION: Sparks to discuss using Bluejeans for an online GPG key
signing event (Sparks, 14:10:31)
* ACTION: mhayden to get Astradeus' changes to the stats script into
the fedora-security-team git repo (Sparks, 14:10:43)
* ACTION: pjp to give a status update on security policy in the wiki
(carried over) (Sparks, 14:12:45)
* Education and Training (Sparks, 14:13:08)
* LINK: https://fedoraproject.org/wiki/Information_Security_Training
(Sparks, 14:13:15)
* Outstanding BZ Tickets (Sparks, 14:15:56)
* Thursday's numbers: Critical 1 (+1), Important 40 (-3), Moderate 446
(+28), Low 162 (+12), Total 649 (Sparks, 14:16:04)
* LINK: https://bugzilla.redhat.com/show_bug.cgi?id=1256790 (Sparks,
14:19:52)
* Open floor discussion/questions/comments (Sparks, 14:22:21)
Meeting ended at 14:23:52 UTC.
Action Items
------------
* Sparks to add "issues" to fedora-meeting-report on github
* Sparks to talk with mattdm regarding private security tickets in BZ.
* Sparks to discuss using Bluejeans for an online GPG key signing event
* mhayden to get Astradeus' changes to the stats script into the
fedora-security-team git repo
* pjp to give a status update on security policy in the wiki (carried
over)
Action Items, by person
-----------------------
* mhayden
* mhayden to get Astradeus' changes to the stats script into the
fedora-security-team git repo
* Sparks
* Sparks to add "issues" to fedora-meeting-report on github
* Sparks to talk with mattdm regarding private security tickets in BZ.
* Sparks to discuss using Bluejeans for an online GPG key signing
event
* **UNASSIGNED**
* pjp to give a status update on security policy in the wiki (carried
over)
People Present (lines said)
---------------------------
* Sparks (54)
* mhayden (11)
* zodbot (7)
* smdeep (2)
* swati (1)
14:00:27 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:00:27 <zodbot> Meeting started Thu Oct 29 14:00:27 2015 UTC. The chair is
Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:27 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link
#topic.
14:00:30 <Sparks> #meetingname Fedora Security Team
14:00:30 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:33 <Sparks> #topic Roll Call
14:00:35 * Sparks
14:01:46 <swati> d
14:01:50 <mhayden> .hello mhayden
14:01:50 <zodbot> mhayden: mhayden 'Major Hayden' <major(a)mhtx.net>
14:03:13 <Sparks> mhayden: Wow, and I actually had things to talk about today.
14:05:29 <smdeep> .hellomynameis smdeep
14:05:30 <zodbot> smdeep: smdeep 'Sudeep Mukherjee' <smdeep(a)gmail.com>
14:05:36 <Sparks> mhayden: Okay, I'll run down everything I had and then move
the conversation to the list, I guess.
14:05:39 <Sparks> smdeep: Welcome
14:05:51 <Sparks> #info Participants are reminded to make liberal use of #info
#link #help in order to make the minutes "more better"
14:05:55 <smdeep> Sparks, :)
14:05:59 <Sparks> #topic Follow up on last week's tasks
14:06:12 <Sparks> #action Sparks to add "issues" to fedora-meeting-report on
github
14:06:25 <Sparks> mhayden: Do you recall what I was supposed to be adding
issues about?
14:06:47 <mhayden> i'm not sure :/
14:06:52 <Sparks> Okay then
14:07:01 <Sparks> #action Sparks to talk with mattdm regarding private
security tickets in BZ.
14:07:13 <Sparks> #info This discussion has begun on the list with a request
for a full response team.
14:07:22 <Sparks> #action Sparks to start a discussion on the FST list
regarding an online video GPG key signing event.
14:07:39 <Sparks> #action mhayden to kick off a ML thread about finding a foss
A/V conferencing solution of some sort
14:08:03 <Sparks> mhayden: Oh good, it looks like we're both on the same
action. Anything to report here?
14:08:34 <mhayden> nothing yet... still scratching our heads on this one
14:08:45 <mhayden> Astradeus and i tried out fedora's webrtc but it was really
flaky
14:08:53 <Sparks> mhayden: We may just have to use Bluejeans and move on with
life.
14:09:02 <mhayden> i'm fine with that
14:09:15 <Sparks> #undo
14:09:15 <zodbot> Removing item from minutes: ACTION by Sparks at 14:07:39 :
mhayden to kick off a ML thread about finding a foss A/V conferencing solution
of some sort
14:09:40 <Sparks> Okay, I'll just put that on the list and see if anyone has
any problems with that.
14:10:09 <Sparks> #undo
14:10:09 <zodbot> Removing item from minutes: ACTION by Sparks at 14:07:22 :
Sparks to start a discussion on the FST list regarding an online video GPG key
signing event.
14:10:31 <Sparks> #action Sparks to discuss using Bluejeans for an online GPG
key signing event
14:10:43 <Sparks> #action mhayden to get Astradeus' changes to the stats
script into the fedora-security-team git repo
14:10:47 <Sparks> mhayden: Anything on this?
14:11:00 <mhayden> not yet :P we need someplace to host the file + sqlite
14:11:11 <Sparks> mhayden: fedorapeople?
14:11:18 <mhayden> ah, i didn't consider that
14:11:25 <mhayden> i wonder if we could get that to work there
14:11:30 <Sparks> mhayden: Or maybe we can get a virtual server from Infra
14:11:36 <mhayden> i could give fp a try
14:11:53 <Sparks> Or maybe openshift?
14:11:56 <Sparks> IDK
14:12:45 <Sparks> #action pjp to give a status update on security policy in
the wiki (carried over)
14:13:01 <Sparks> And since pjp isn't here to defend himself we'll move on to
the next topic
14:13:08 <Sparks> #topic Education and Training
14:13:15 <Sparks> #link
https://fedoraproject.org/wiki/Information_Security_Training
14:14:00 <Sparks> I'm working, internally at RH, on education and training
resources for InfoSec. I'm going to try to extend as many of these resources
to the public via Fedora.
14:14:58 <Sparks> Thoughts?
14:15:56 <Sparks> #topic Outstanding BZ Tickets
14:16:04 <Sparks> #info Thursday's numbers: Critical 1 (+1), Important 40
(-3), Moderate 446 (+28), Low 162 (+12), Total 649
14:16:11 <Sparks> +Tickets by Priority--+-------+---------+
14:16:11 <Sparks> | Priority | Count | Owned | Unowned |
14:16:11 <Sparks> +-------------+-------+-------+---------+
14:16:11 <Sparks> | medium | 446 | 45 | 401 |
14:16:11 <Sparks> | low | 162 | 14 | 148 |
14:16:13 <Sparks> | high | 40 | 27 | 13 |
14:16:16 <Sparks> | unspecified | 4 | 0 | 4 |
14:16:18 <Sparks> | urgent | 1 | 0 | 1 |
14:16:21 <Sparks> +-------------+-------+-------+---------+
14:16:24 <Sparks> Anyone have anything related to tickets?
14:16:33 * Sparks goes to query BZ for the new critical
14:16:36 <mhayden> not really -- i've not had the time to jump on them lately
:|
14:19:04 <Sparks> Okay, I'm not sure the critical is a critical.
14:19:52 <Sparks> #link https://bugzilla.redhat.com/show_bug.cgi?id=1256790
14:22:21 <Sparks> #topic Open floor discussion/questions/comments
14:22:27 <Sparks> Okay, does anyone have anything?
14:22:36 <mhayden> not i
14:23:30 <Sparks> Okay, we'll close then.
14:23:49 <Sparks> Thanks, everyone, for coming!
14:23:52 <Sparks> #endmeeting
Fedora Security Team Report - 2015-10-29
by Major Hayden
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Fedora Security Team Report
Report date: 2015-10-29 08:47:30.505960
-------------------------------------------------------------------------------
+Tickets by Priority--+-------+---------+
| Priority | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium | 446 | 45 | 401 |
| low | 162 | 14 | 148 |
| high | 40 | 27 | 13 |
| unspecified | 4 | 0 | 4 |
| urgent | 1 | 0 | 1 |
+-------------+-------+-------+---------+
+Tickets by Status-+-------+---------+
| Status | Count | Owned | Unowned |
+----------+-------+-------+---------+
| NEW | 548 | 69 | 479 |
| ON_QA | 69 | 12 | 57 |
| ASSIGNED | 22 | 5 | 17 |
| MODIFIED | 14 | 0 | 14 |
+----------+-------+-------+---------+
+Tickets by Severity--+-------+---------+
| Severity | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium | 445 | 45 | 400 |
| low | 162 | 14 | 148 |
| high | 43 | 27 | 16 |
| unspecified | 2 | 0 | 2 |
| urgent | 1 | 0 | 1 |
+-------------+-------+-------+---------+
+Tickets by Component---+-------+---------+
| Component | Count | Owned | Unowned |
+---------------+-------+-------+---------+
| cacti | 10 | 0 | 10 |
| bugzilla | 9 | 1 | 8 |
| nagios | 9 | 9 | 0 |
| mingw-libxml2 | 8 | 0 | 8 |
| glibc | 8 | 0 | 8 |
| ntp | 7 | 0 | 7 |
| quassel | 7 | 1 | 6 |
| mingw-icu | 7 | 0 | 7 |
| mingw-pcre | 6 | 0 | 6 |
+---------------+-------+-------+---------+
+Tickets by Distro Version-------+---------+
| Distro Version | Count | Owned | Unowned |
+----------------+-------+-------+---------+
| el6 | 217 | 41 | 176 |
| 22 | 160 | 3 | 157 |
| 21 | 122 | 7 | 115 |
| el5 | 71 | 20 | 51 |
| epel7 | 39 | 4 | 35 |
| 23 | 35 | 11 | 24 |
| unspecified | 3 | 0 | 3 |
| rawhide | 3 | 0 | 3 |
| 7.3 | 1 | 0 | 1 |
+----------------+-------+-------+---------+
--
Major Hayden
Fedora Security Team Report - 2015-10-22
by Major Hayden
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Fedora Security Team Report
Report date: 2015-10-22 08:40:29.566548
-------------------------------------------------------------------------------
+Tickets by Priority--+-------+---------+
| Priority | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium | 441 | 45 | 396 |
| low | 153 | 14 | 139 |
| high | 44 | 27 | 17 |
| unspecified | 4 | 0 | 4 |
| urgent | 1 | 0 | 1 |
+-------------+-------+-------+---------+
+Tickets by Status-+-------+---------+
| Status | Count | Owned | Unowned |
+----------+-------+-------+---------+
| NEW | 548 | 69 | 479 |
| ON_QA | 56 | 12 | 44 |
| ASSIGNED | 22 | 5 | 17 |
| MODIFIED | 17 | 0 | 17 |
+----------+-------+-------+---------+
+Tickets by Severity--+-------+---------+
| Severity | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium | 440 | 45 | 395 |
| low | 153 | 14 | 139 |
| high | 47 | 27 | 20 |
| unspecified | 2 | 0 | 2 |
| urgent | 1 | 0 | 1 |
+-------------+-------+-------+---------+
+Tickets by Component+-------+---------+
| Component | Count | Owned | Unowned |
+------------+-------+-------+---------+
| cacti | 10 | 0 | 10 |
| bugzilla | 9 | 1 | 8 |
| nagios | 9 | 9 | 0 |
| glibc | 8 | 0 | 8 |
| quassel | 7 | 1 | 6 |
| mingw-icu | 7 | 0 | 7 |
| owncloud | 6 | 0 | 6 |
| mingw-pcre | 6 | 0 | 6 |
| optipng | 6 | 0 | 6 |
+------------+-------+-------+---------+
+Tickets by Distro Version-------+---------+
| Distro Version | Count | Owned | Unowned |
+----------------+-------+-------+---------+
| el6 | 218 | 41 | 177 |
| 22 | 151 | 3 | 148 |
| 21 | 123 | 7 | 116 |
| el5 | 71 | 20 | 51 |
| epel7 | 38 | 4 | 34 |
| 23 | 33 | 11 | 22 |
| unspecified | 3 | 0 | 3 |
| rawhide | 3 | 0 | 3 |
| 7.3 | 1 | 0 | 1 |
+----------------+-------+-------+---------+
--
Major Hayden
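A small parser for the tables in these reports, added here as an example (it is not the team's stats script): it reads the "Tickets by ..." tables, checks that Owned + Unowned equals Count in every row, and computes the change in Count between two reports, formatted like the "#info Thursday's numbers" line in the minutes above. The sample input is the Priority table from the 2015-10-29 and 2015-10-22 reports; the deltas it produces are relative to 2015-10-22, so they differ from the figures quoted in the minutes, which used a different baseline.

```python
import re
from typing import Dict, List, Tuple

# A table starts with a title fused into its top border, e.g. "+Tickets by Priority--+"
TITLE_RE = re.compile(r"^\+Tickets by ([A-Za-z ]+?)-*\+")

# Constructed sample input: the "Tickets by Priority" tables copied from the
# 2015-10-29 and 2015-10-22 reports above (the other tables are omitted here).
REPORT_1029 = """\
+Tickets by Priority--+-------+---------+
| Priority | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium | 446 | 45 | 401 |
| low | 162 | 14 | 148 |
| high | 40 | 27 | 13 |
| unspecified | 4 | 0 | 4 |
| urgent | 1 | 0 | 1 |
+-------------+-------+-------+---------+
"""
REPORT_1022 = """\
+Tickets by Priority--+-------+---------+
| Priority | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium | 441 | 45 | 396 |
| low | 153 | 14 | 139 |
| high | 44 | 27 | 17 |
| unspecified | 4 | 0 | 4 |
| urgent | 1 | 0 | 1 |
+-------------+-------+-------+---------+
"""

def parse_report(text: str) -> Dict[str, Dict[str, Tuple[int, int, int]]]:
    """Return {table name: {row label: (count, owned, unowned)}}."""
    tables = {}
    current = None
    for line in text.splitlines():
        m = TITLE_RE.match(line)
        if m:                                  # title/border line opens a new table
            current = m.group(1)
            tables[current] = {}
        elif current and line.startswith("|"):
            cells = [c.strip() for c in line.strip().strip("|").split("|")]
            if len(cells) == 4 and cells[1].isdigit():   # skips the header row
                tables[current][cells[0]] = tuple(int(c) for c in cells[1:])
    return tables

def inconsistent_rows(table: Dict[str, Tuple[int, int, int]]) -> List[str]:
    """Row labels where Owned + Unowned != Count (a script or transcription error)."""
    return [k for k, (n, o, u) in table.items() if o + u != n]

def count_deltas(new, old) -> Dict[str, int]:
    """Change in Count per row; rows absent from the older report count as 0."""
    return {k: v[0] - old.get(k, (0, 0, 0))[0] for k, v in new.items()}

# Names and order used by the minutes' "#info" line; "unspecified" is left out
# of the total, which is how the minutes arrive at 649.
LABELS = [("urgent", "Critical"), ("high", "Important"), ("medium", "Moderate"), ("low", "Low")]

def minutes_line(new, old) -> str:
    deltas = count_deltas(new, old)
    parts = [f"{label} {new[k][0]} ({deltas[k]:+d})" for k, label in LABELS if k in new]
    return ", ".join(parts) + f", Total {sum(new[k][0] for k, _ in LABELS if k in new)}"
```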
developing a SOP for critical updates (the Fedora Bat Signal)
by Matthew Miller
FESCo has asked me to bring this back up, and this seems like the right
place for it. See https://fedorahosted.org/fesco/ticket/1278, and the
very basic outline of a SOP from Paul Frields at
https://fedoraproject.org/wiki/User:Pfrields/Critical_security_update_SOP.
To paste from the ticket:
We need to have responders for
* coordination (it helps when one person has the "incident lead"
  baton; can be passed around as needed)
* communications (drafting and sending community messages; email,
  web, social media)
* package fixing (ideally package maintainer is security expert,
  second best is package maintainer + security expert, third is security
  expert with provenpackager privileges or assistance from someone who
  has them, or last resort, provenpackager alone)
* quality assurance (again, ideally someone with security expertise
  to advise and coordinate, but fast widespread testing at all levels
  helps)
* release engineering (lots of work getting an update out as an
  exception to normal flow)
and the ability to get at least one person in each role out of bed in
the event of an emergency.
I expect that in many cases, there are also roles like "communication
with $otherproject security team", and possible handoff from wherever
we learned about the vulnerability.
Security Team, are you interested in helping develop this procedure
(and putting it somewhere so we know what to do in a fire drill)?
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader
Fedora Security Team Report - 2015-10-15
by Major Hayden
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Fedora Security Team Report
Report date: 2015-10-15 08:36:44.366418
-------------------------------------------------------------------------------
+Tickets by Priority--+-------+---------+
| Priority | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium | 426 | 45 | 381 |
| low | 150 | 14 | 136 |
| high | 42 | 27 | 15 |
| unspecified | 4 | 0 | 4 |
| urgent | 1 | 0 | 1 |
+-------------+-------+-------+---------+
+Tickets by Status-+-------+---------+
| Status | Count | Owned | Unowned |
+----------+-------+-------+---------+
| NEW | 533 | 69 | 464 |
| ON_QA | 54 | 12 | 42 |
| ASSIGNED | 22 | 5 | 17 |
| MODIFIED | 14 | 0 | 14 |
+----------+-------+-------+---------+
+Tickets by Severity--+-------+---------+
| Severity | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium | 425 | 45 | 380 |
| low | 150 | 14 | 136 |
| high | 45 | 27 | 18 |
| unspecified | 2 | 0 | 2 |
| urgent | 1 | 0 | 1 |
+-------------+-------+-------+---------+
+Tickets by Component--+-------+---------+
| Component | Count | Owned | Unowned |
+--------------+-------+-------+---------+
| cacti | 10 | 0 | 10 |
| nagios | 9 | 9 | 0 |
| bugzilla | 9 | 1 | 8 |
| glibc | 8 | 0 | 8 |
| quassel | 7 | 1 | 6 |
| mingw-icu | 7 | 0 | 7 |
| mingw-pcre | 6 | 0 | 6 |
| avr-binutils | 6 | 0 | 6 |
| optipng | 6 | 0 | 6 |
+--------------+-------+-------+---------+
+Tickets by Distro Version-------+---------+
| Distro Version | Count | Owned | Unowned |
+----------------+-------+-------+---------+
| el6 | 213 | 41 | 172 |
| 22 | 137 | 3 | 134 |
| 21 | 123 | 7 | 116 |
| el5 | 71 | 20 | 51 |
| epel7 | 37 | 4 | 33 |
| 23 | 33 | 11 | 22 |
| unspecified | 3 | 0 | 3 |
| rawhide | 3 | 0 | 3 |
| 7.3 | 1 | 0 | 1 |
+----------------+-------+-------+---------+
--
Major Hayden