Meeting with mattdm and my notes OR The Future of FST
by Eric Christensen
I just completed a meeting with Matthew Miller, FPL, regarding the future of
the FST. I believe we are ready to move forward with putting more
responsibility on the team.
The Problem
----------------
Security bugs come into Fedora/EPEL by way of Red Hat Product Security,
mostly. Any bug that has an embargo is not entered into Bugzilla (BZ) for
Fedora/EPEL until the embargo expires. Eventually we hope to develop a
trusted team that can actively work embargoed vulnerabilities to speed fixes to
users as soon as the embargo expires.
The Solution
----------------
The first piece of the solution will be an apprenticeship where new FST members
can prove themselves and get up to speed (similar to what Infrastructure has).
The second piece of the solution will be the establishment of a private group
in BZ that allows trusted members of the FST access to sensitive information.
Third is the possibility of private builds in Koji. While we can do private
builds to maintain confidentiality of the vulnerability, it would be better to
make sure that the build is done correctly and is available for immediate QA.
Last is a "gentleman's agreement" that those in the trusted group will
maintain confidentiality and abide by certain information security measures to
prevent a leak of information.
It should be noted that none of these private mechanisms are in place to
maintain indefinite confidentiality; quite the opposite, in fact. ALL work done
in BZ will become public as soon as the embargo expires. This is important to
ensure transparency and openness in this process and so as soon as we possibly
can we want to provide the community with all the information that is
available.
The Work
------------
There is a lot of work that needs to be done to bring us to the point of being
ready to actively handle security issues (as opposed to just chasing after
vulnerabilities that are months/years old). The first, and most basic, is
education. It was suggested that we have some sort of apprenticeship where we
can bring in new people and help them get up to speed. This would also give
us time to instill the need for trust. I've started compiling information on
the apprenticeship[0] but it needs more eyes/hands.
We also need to work on a workflow that includes proper protections of
embargoed information and a policy for working with embargoed information.
Thoughts? Comments? Let's get a discussion going here.
--Eric
[0] https://fedoraproject.org/wiki/Security_Team_Apprenticeship
Fedora Security Team Report - 2015-11-26
by David Kaufmann
No meeting today, but here's the weekly report:
Fedora Security Team Report
Report date: 2015-11-26 15:28:47
Data from: 2015-11-26
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium | 451 | 45 | 406 |
| low | 180 | 13 | 167 |
| high | 36 | 27 | 9 |
| unspecified | 2 | 0 | 2 |
| urgent | 1 | 0 | 1 |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW | 579 | 69 | 510 |
| ON_QA | 55 | 11 | 44 |
| ASSIGNED | 22 | 5 | 17 |
| MODIFIED | 14 | 0 | 14 |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium | 450 | 45 | 405 |
| low | 180 | 13 | 167 |
| high | 39 | 27 | 12 |
| urgent | 1 | 0 | 1 |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| mingw-libxml2 | 16 | 0 | 16 |
| cacti | 10 | 0 | 10 |
| bugzilla | 9 | 1 | 8 |
| nagios | 9 | 9 | 0 |
| glibc | 8 | 0 | 8 |
| quassel | 7 | 1 | 6 |
| libxml2 | 7 | 0 | 7 |
| mingw-icu | 7 | 0 | 7 |
| mingw-pcre | 6 | 0 | 6 |
| optipng | 6 | 0 | 6 |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6 | 231 | 42 | 189 |
| 22 | 142 | 2 | 140 |
| 21 | 113 | 5 | 108 |
| el5 | 76 | 20 | 56 |
| 23 | 57 | 14 | 43 |
| epel7 | 37 | 2 | 35 |
| rawhide | 8 | 0 | 8 |
| unspecified | 3 | 0 | 3 |
| 7.3 | 1 | 0 | 1 |
| 6.7 | 1 | 0 | 1 |
+----------------+---------+-------+---------+
Self-Introduction
by charles profitt
Hello Security Team:
My name is Charles Profitt and while I have used Linux for several
years I am just starting to use Fedora. I am interested in working on
security issues. If anyone on the list has any recommendations to help
me get started please feel free to pass them along.
Thanks,
--
Charles Profitt
Open Source Advocate
https://ftbeowulf.wordpress.com/
4096R/37BEB021
D8A5 6061 25C3 28B7 2264 2B39 3E13 4DD2 37BE B021
Fedora Security Team Report - 2015-11-19
by Major Hayden
Fedora Security Team Report
Report date: 2015-11-19 07:58:42.285505
Data from: 2015-11-19
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium | 449 | 45 | 404 |
| low | 181 | 13 | 168 |
| high | 41 | 26 | 15 |
| unspecified | 1 | 0 | 1 |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW | 574 | 66 | 508 |
| ON_QA | 62 | 13 | 49 |
| ASSIGNED | 21 | 5 | 16 |
| MODIFIED | 15 | 0 | 15 |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium | 448 | 45 | 403 |
| low | 181 | 13 | 168 |
| high | 42 | 26 | 16 |
| urgent | 1 | 0 | 1 |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| mingw-libxml2 | 16 | 0 | 16 |
| cacti | 10 | 0 | 10 |
| bugzilla | 9 | 1 | 8 |
| nagios | 9 | 9 | 0 |
| quassel | 7 | 1 | 6 |
| libxml2 | 7 | 0 | 7 |
| glibc | 7 | 0 | 7 |
| mingw-icu | 7 | 0 | 7 |
| mingw-pcre | 6 | 0 | 6 |
| optipng | 6 | 0 | 6 |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6 | 229 | 40 | 189 |
| 22 | 148 | 2 | 146 |
| 21 | 115 | 6 | 109 |
| el5 | 77 | 20 | 57 |
| 23 | 54 | 12 | 42 |
| epel7 | 43 | 4 | 39 |
| rawhide | 6 | 0 | 6 |
+----------------+---------+-------+---------+
--
Major Hayden
Security Team meeting minutes for 2015-11-12
by Eric Christensen
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:02:22 UTC. The full logs are available at
http://meetbot.fedoraproject.org/fedora-meeting/2015-11-12/fedora_securit...
Meeting summary
---------------
* Roll Call (Sparks, 14:02:27)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:09:37)
* LINK:
https://lists.fedoraproject.org/pipermail/security-team/2015-November/000...
(mhayden, 14:09:44)
* Follow up on last week's tasks (Sparks, 14:09:52)
* ACTION: pjp to give a status update on security policy in the wiki
(carried over) (Sparks, 14:11:22)
* ACTION: Sparks to figure out how FST members can get access to
Fedora security bugs (Sparks, 14:12:35)
* Virtual GPG Key Signing Event (Sparks, 14:13:05)
* Education and Training (Sparks, 14:20:57)
* LINK: https://fedoraproject.org/wiki/Information_Security_Training
(Sparks, 14:21:10)
* LINK: http://www.cl.cam.ac.uk/~rja14/book.html (d-caf, 14:24:17)
* LINK: http://www.cl.cam.ac.uk/~rja14/book.html (d-caf, 14:24:25)
* Future of the Team (Sparks, 14:26:30)
* IDEA: Apprenticeship (Sparks, 14:35:33)
* ACTION: Sparks to bring up apprenticeship on list (Sparks,
14:40:49)
* ACTION: Sparks to talk more about the discussion with mattdm on the
list (Sparks, 14:41:12)
* Outstanding BZ Tickets (Sparks, 14:42:08)
* Thursday's numbers: Critical 1 (0), Important 41 (+1), Moderate 454
(-3), Low 178 (+8), Total 674 (Sparks, 14:42:17)
* Current tickets owned: 85 (Sparks, 14:42:30)
* LINK: https://bugzilla.redhat.com/show_bug.cgi?id=1266404
(mhayden, 14:46:22)
* FST Logo (Sparks, 14:50:10)
* LINK:
https://fedorahosted.org/design-team/attachment/ticket/367/fst.png
(Sparks, 14:50:13)
* Open floor discussion/questions/comments (Sparks, 14:50:55)
* LINK: https://bugzilla.redhat.com/show_bug.cgi?id=1209214 (d-caf,
14:53:15)
* LINK: http://paste.fedoraproject.org/289651/73400771/raw/
(mhayden, 14:55:20)
* ACTION: Sparks to send a note to the list regarding updating f21
tickets (Sparks, 14:58:20)
Meeting ended at 15:00:59 UTC.
Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
over)
* Sparks to figure out how FST members can get access to Fedora security
bugs
* Sparks to bring up apprenticeship on list
* Sparks to talk more about the discussion with mattdm on the list
* Sparks to send a note to the list regarding updating f21 tickets
Action Items, by person
-----------------------
* Sparks
* Sparks to figure out how FST members can get access to Fedora
security bugs
* Sparks to bring up apprenticeship on list
* Sparks to talk more about the discussion with mattdm on the list
* Sparks to send a note to the list regarding updating f21 tickets
* **UNASSIGNED**
* pjp to give a status update on security policy in the wiki (carried
over)
People Present (lines said)
---------------------------
* Sparks (101)
* mhayden (36)
* d-caf (35)
* Astradeus (7)
* zodbot (5)
* Southern_Gentlem (2)
14:02:22 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:02:22 <zodbot> Meeting started Thu Nov 12 14:02:22 2015 UTC. The chair is
Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:22 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link
#topic.
14:02:25 <Sparks> #meetingname Fedora Security Team
14:02:25 <zodbot> The meeting name has been set to 'fedora_security_team'
14:02:27 <Sparks> #topic Roll Call
14:02:28 * Sparks
14:03:35 <mhayden> .hello mhayden
14:03:36 <zodbot> mhayden: mhayden 'Major Hayden' <major(a)mhtx.net>
14:03:53 <Astradeus> .hello astra
14:03:54 <zodbot> Astradeus: astra 'David Kaufmann' <astra(a)ionic.at>
14:08:24 <Sparks> Sorry, I'm just updating the agenda
14:09:04 <mhayden> no worries
14:09:09 <d-caf> sorry late
14:09:37 <Sparks> #info Participants are reminded to make liberal use of #info
#link #help in order to make the minutes "more better"
14:09:44 <mhayden> #link https://lists.fedoraproject.org/pipermail/security-team/2015-November/000...
14:09:47 <mhayden> ^^ current report
14:09:52 <Sparks> #topic Follow up on last week's tasks
14:10:00 <Sparks> Sparks to talk with mattdm regarding private security
tickets in BZ.
14:10:12 <Sparks> This was done and I'll be talking more about that today
14:10:21 <Sparks> Sparks to discuss using Bluejeans for an online GPG key
signing event
14:11:05 <Sparks> This was done but we didn't get any takers.
14:11:22 <Sparks> #action pjp to give a status update on security policy in
the wiki (carried over)
14:11:29 <Sparks> And pjp isn't here.
14:11:40 <Sparks> Sparks to work with PST to get our mailing list included on
BZ tickets for critical and important CVEs.
14:11:54 <Sparks> I did this but it may not be possible with our current
tooling.
14:12:25 <Sparks> I continue to work on this
14:12:35 <Sparks> #action Sparks to figure out how FST members can get access
to Fedora security bugs
14:12:42 <Sparks> I need to continue to work on this.
14:13:05 <Sparks> #topic Virtual GPG Key Signing Event
14:14:00 <Sparks> I sent out an email about this but no one followed through
with their fingerprints.
14:14:09 <Astradeus> ah, forgot :/
14:14:18 <mhayden> i like the idea, but i'm not inclined to participate
14:14:25 <d-caf> Yes, sorry, got busy at work, doing extra hours
14:14:56 <Sparks> mhayden: No?
14:15:34 <mhayden> i'm still antsy about having my id captured via webcam
14:15:36 <mhayden> or parts of it
14:15:53 <mhayden> but, then again, i don't get terribly excited about gpg key
signing in the first place, so i'm an oddball
14:15:56 <mhayden> :P
14:16:01 <Sparks> clearly
14:16:11 <mhayden> haha
14:16:15 <Sparks> The ID thing is an interesting argument.
14:16:19 <mhayden> my wife thinks i'm an oddball as well
14:16:48 <d-caf> mhayden: I'm in the same boat (though I have mostly converted
my wife over the years..)
14:16:55 <Astradeus> i'd probably go with taping something over my birthdate
and unique-number probably
14:17:16 <Sparks> I mostly think it's a strawman argument since we generally
don't protect our IDs in real life (at least in the US where we have to
present them for various reasons).
14:17:49 <d-caf> Sparks: "some" don't protect their IDs (the guy with an RFID
blocking wallet notes...)
14:18:04 <d-caf> :-)
14:18:13 <Sparks> This is also a "private" event only open to the few of us
so... a much reduced group of people
14:18:25 <Sparks> d-caf: Do you have to provide your ID to buy alcohol?
14:18:37 <Sparks> or to use your credit card?
14:19:04 <d-caf> Sparks: sometimes ID is required, and I try to shield it.
And I have dedicated credit cards for certain types of purchases
14:19:23 <d-caf> Yeah, I add overhead to my life <shrug>
14:19:50 <Sparks> I'm not saying it's dumb to protect your ID, by the way.
14:20:48 <Sparks> Okay, moving on
14:20:51 <d-caf> I'm fine with key-signing, but yes, I will be presenting a
partially redacted ID if I participate
14:20:57 <Sparks> #topic Education and Training
14:21:10 <Sparks> #link
https://fedoraproject.org/wiki/Information_Security_Training
14:21:36 <Sparks> If you know of anything that should go here please let me
know.
14:22:33 <d-caf> It's a good collection, I only had one thing to add at this
point, nice work!
14:22:39 <mhayden> that's a good list
14:23:02 <Sparks> Hopefully it's a useful resource
14:23:05 <mhayden> i could think of some non-free things (like specific classes
from SANS) that might be helpful
14:23:23 <d-caf> There is also the Security Engineering book, and there are
many free Online classes that I need to track down to add
14:23:51 <d-caf> There are also free SANS webinars, but they range in quality
14:24:17 <d-caf> http://www.cl.cam.ac.uk/~rja14/book.html
14:24:25 <d-caf> #link http://www.cl.cam.ac.uk/~rja14/book.html
14:25:24 <Sparks> Cool
14:26:30 <Sparks> #topic Future of the Team
14:26:43 <Sparks> I had a nice chat with mattdm last week.
14:27:57 <Astradeus> any outcomes?
14:27:58 <Sparks> We agree that the FST is an important part of Fedora
14:28:29 <Sparks> We want FST to start working on more projects and be the go-
to group for all things security
14:29:07 <Sparks> This includes the possibility of working on embargoed
vulnerabilities
14:29:23 <mhayden> doesn't that overshadow Red Hat's Product Security team
work?
14:29:30 <Sparks> No,
14:29:47 <Sparks> In fact, RH PST doesn't actually work on anything Fedora.
14:30:53 <Sparks> Fedora now has to wait for an embargo to be lifted for work
to begin
14:30:58 <Sparks> I want to change that
14:31:14 <d-caf> Sparks: +1
14:31:26 <Sparks> Especially on Fedora-only or EPEL-only vulnerabilities
14:31:31 <mhayden> that'd be helpful
14:31:54 <Sparks> There is much work to do here, though.
14:32:31 <Sparks> Our tool chains don't support activities that don't leak
information
14:32:51 <mhayden> it seems like we need a security-minded person embedded in
some of the bigger sigs/working groups, like server/workstation/cloud
14:32:56 <Sparks> So we'll need to work on that
14:33:02 <Sparks> mhayden: +12
14:33:05 <Sparks> errr
14:33:07 <Sparks> +1
14:33:12 * mhayden has the server wg covered! :P
14:33:56 <Sparks> woot!
14:34:42 <mhayden> i like the mission and i think we need to get more involved
where the action is happening
14:34:57 <Sparks> agreed
14:35:33 <Sparks> #idea Apprenticeship
14:35:34 <mhayden> i'd like to find an automated way to "nag" maintainers to
update their bugzilla tickets + packages
14:36:08 <Sparks> We need a way to establish trust in individuals.
14:36:36 <Sparks> And we need to provide a way to train people
14:36:48 <d-caf> Sparks: individuals? Package maintainers or FST members?
14:36:58 <Sparks> FST members
14:37:24 <Southern_Gentlem> i will be continuing doing updated lives for the
project so if we have any more things hit like heartbleed new users can install
after the fix is pushed and not be vulnerable
14:38:05 <Sparks> +1
14:38:27 <d-caf> Southern_Gentlem: +1
14:38:38 <Southern_Gentlem> so you know whatever gets fixed at least is getting
pushed
14:39:12 <mhayden> also, at a minimum, we need a talk at the next flock on the
FST
14:39:30 <mhayden> and it might not hurt to try to get a post onto fedoramag
once or twice per quarter
14:39:33 <Sparks> Where is the next Flock?
14:39:42 <mhayden> Sparks: i assume in Europe since it was in NA this year
14:40:07 <mhayden> i will probably need to pick between traveling for FOSDEM
and Flock :|
14:40:49 <Sparks> #action Sparks to bring up apprenticeship on list
14:41:04 <d-caf> Unfortunately unless they are near where I live chances of me
going are next to nil :-(
14:41:12 <Sparks> #action Sparks to talk more about the discussion with mattdm
on the list
14:41:44 <Sparks> Sorry, I meant to send out a message regarding the meeting
last week.
14:42:01 <Sparks> Okay, let's move on
14:42:08 <Sparks> #topic Outstanding BZ Tickets
14:42:17 <Sparks> #info Thursday's numbers: Critical 1 (0), Important 41 (+1),
Moderate 454 (-3), Low 178 (+8), Total 674
14:42:30 <Sparks> #info Current tickets owned: 85
14:42:38 <Sparks> +Tickets by Priority--+-------+---------+
14:42:38 <Sparks> | Priority | Count | Owned | Unowned |
14:42:38 <Sparks> +-------------+-------+-------+---------+
14:42:38 <Sparks> | medium | 454 | 45 | 409 |
14:42:38 <Sparks> | low | 178 | 14 | 164 |
14:42:40 <Sparks> | high | 41 | 26 | 15 |
14:42:43 <Sparks> | unspecified | 3 | 0 | 3 |
14:42:45 <Sparks> | urgent | 1 | 0 | 1 |
14:42:48 <Sparks> +-------------+-------+-------+---------+
14:42:50 <Sparks> Anyone have anything?
14:43:02 <d-caf> What's the urgent one?
14:43:25 <Sparks> IDK. I thought I had found it and made it not urgent.
Maybe it's a new one?
14:43:53 <d-caf> weird, nothing in bugzilla
14:43:57 <Sparks> Which is why I want better notification of urgent and high
(critical and important) vulns.
14:44:18 <Sparks> mhayden: Is your script stuck?
14:44:43 <mhayden> let me print out the ticket that is causing the urgent to
show
14:46:09 <mhayden> 1266404
14:46:22 <mhayden> https://bugzilla.redhat.com/show_bug.cgi?id=1266404
14:46:35 <mhayden> why is that one showing up in the Fedora list?
14:46:37 * mhayden digs
14:46:53 <d-caf> weird, well at least it's on QA :-)
14:47:03 <Sparks> It's a RHEL bug
14:47:04 <mhayden> SecurityTracking is in the keywords
14:47:12 <mhayden> that's unusual for RHEL bugs IIRC
14:47:31 <Sparks> Yeah. Need to make sure you're limiting on Product: Fedora,
too
14:48:04 * mhayden edits
14:48:16 <mhayden> haha, oh my
14:48:32 <mhayden> i wonder if limiting on Fedora drops EPEL
14:48:33 <d-caf> Fedora EPEL as well (or Fedora * )
14:49:01 <mhayden> okay, script needs tweaking :)
14:49:31 <Sparks> That's fine.
14:50:10 <Sparks> #topic FST Logo
14:50:13 <Sparks> https://fedorahosted.org/design-team/attachment/ticket/367/fst.png
14:50:31 <Sparks> I hope everyone will provide feedback
14:50:36 <d-caf> Oh, had one more ticket question, but can cover in open
discussion
14:50:48 <Sparks> Oops, sorry
14:50:55 <Sparks> #topic Open floor discussion/questions/comments
14:50:58 <Sparks> d-caf: Go
14:51:16 <d-caf> This ticket, should it be given a priority?
https://bugzilla.redhat.com/show_bug.cgi?id=1220138
14:51:57 <d-caf> or severity
14:52:44 <Sparks> d-caf: I just marked it as a "high" since one of the
dependencies was a "high" CVE
14:53:06 <d-caf> There is also another ticket that is marked high, but with no
priority so shows in unknown
14:53:15 <d-caf> https://bugzilla.redhat.com/show_bug.cgi?id=1209214
14:53:49 <d-caf> Wondering if we should check on priority and severity? Or
what is the true meaning between those separate ratings?
14:53:51 <Sparks> We need to make sure that all the unspecified tickets get a
severity and that if it's an actual vulnerability that it gets a CVE via
secalert(a)redhat.com
14:53:51 <Astradeus> so the first bug #1220138 is an "add mono 4 to f22" ?
14:54:31 <d-caf> Well the first bug is they are using an old mono that has lots
of issues, and their proposed fix is updating to mono 4
14:54:47 <d-caf> I have not tracked down the full status of this and how bad
it may be
14:54:53 <Sparks> d-caf: I think priority is set by the project but severity
of a vulnerability should be impact as provided by the CVSS score via RH PST.
14:54:54 <mhayden> correct security team report ->
http://paste.fedoraproject.org/289651/73400771/raw/
14:55:12 <d-caf> Just noticed two unspecified tickets and decided to look at it
this morning
14:55:20 <mhayden> #link http://paste.fedoraproject.org/289651/73400771/raw/
14:55:36 <Sparks> Oh crap
14:55:41 <Astradeus> d-caf: according to the referenced (closed) bug
(#1089426) mono 4 is already in f23
14:55:59 <Sparks> We need someone to start going through the F21 bugs and see
if we need to move them forward to F22 or higher.
14:56:02 * Sparks did that last time
14:56:14 <d-caf> Astradeus: Good, but F22 still may need the same update
14:56:21 <Sparks> Anyone want to handle that?
14:57:37 <Sparks> Okay, I'll send that to the list
14:58:03 <d-caf> We probably also need to update our links here:
http://fedoraproject.org/wiki/Security_Team to go off severity and not
priority?
14:58:20 <Sparks> #action Sparks to send a note to the list regarding
updating f21 tickets
14:58:41 <d-caf> Since this is coming up unknown, but is rated high severity
https://bugzilla.redhat.com/show_bug.cgi?id=1209214
14:58:57 <d-caf> Also need to check reporting scripts are doing the same
14:59:22 <Sparks> ya
14:59:30 <Sparks> Okay, last few seconds... anyone have anything?
15:00:41 <Sparks> Okay, let's move these discussions to the list
15:00:52 <Sparks> Thanks, everyone, for coming!
15:00:53 <Astradeus> thanks all :)
15:00:57 <d-caf> Sparks: thanks all!
15:00:59 <Sparks> #endmeeting
Fedora Security Team Report - 2015-11-12
by Major Hayden
Fedora Security Team Report
Report date: 2015-11-12 07:57:49.491807
Data from: 2015-11-12
-------------------------------------------------------------------------------
<Bug #1266404 on https://bugzilla.redhat.com/xmlrpc.cgi at 0x7fe3c02eeed0>
┌Tickets by Priority────┬───────┬─────────┐
│ Priority │ Tickets │ Owned │ Unowned │
├─────────────┼─────────┼───────┼─────────┤
│ medium │ 454 │ 45 │ 409 │
│ low │ 178 │ 14 │ 164 │
│ high │ 41 │ 26 │ 15 │
│ unspecified │ 3 │ 0 │ 3 │
│ urgent │ 1 │ 0 │ 1 │
└─────────────┴─────────┴───────┴─────────┘
┌Tickets by Status───┬───────┬─────────┐
│ Status │ Tickets │ Owned │ Unowned │
├──────────┼─────────┼───────┼─────────┤
│ NEW │ 562 │ 66 │ 496 │
│ ON_QA │ 79 │ 14 │ 65 │
│ ASSIGNED │ 22 │ 5 │ 17 │
│ MODIFIED │ 14 │ 0 │ 14 │
└──────────┴─────────┴───────┴─────────┘
┌Tickets by Severity────┬───────┬─────────┐
│ Severity │ Tickets │ Owned │ Unowned │
├─────────────┼─────────┼───────┼─────────┤
│ medium │ 453 │ 45 │ 408 │
│ low │ 178 │ 14 │ 164 │
│ high │ 44 │ 26 │ 18 │
│ urgent │ 1 │ 0 │ 1 │
│ unspecified │ 1 │ 0 │ 1 │
└─────────────┴─────────┴───────┴─────────┘
┌Tickets by Component─────┬───────┬─────────┐
│ Component │ Tickets │ Owned │ Unowned │
├───────────────┼─────────┼───────┼─────────┤
│ kernel │ 10 │ 0 │ 10 │
│ mingw-libxml2 │ 10 │ 0 │ 10 │
│ cacti │ 10 │ 0 │ 10 │
│ bugzilla │ 9 │ 1 │ 8 │
│ nagios │ 9 │ 9 │ 0 │
│ glibc │ 8 │ 0 │ 8 │
│ quassel │ 7 │ 1 │ 6 │
│ mingw-icu │ 7 │ 0 │ 7 │
│ mingw-pcre │ 6 │ 0 │ 6 │
│ optipng │ 6 │ 0 │ 6 │
└───────────────┴─────────┴───────┴─────────┘
┌Tickets by Distro Version─┬───────┬─────────┐
│ Distro Version │ Tickets │ Owned │ Unowned │
├────────────────┼─────────┼───────┼─────────┤
│ el6 │ 226 │ 41 │ 185 │
│ 22 │ 167 │ 2 │ 165 │
│ 21 │ 115 │ 6 │ 109 │
│ el5 │ 77 │ 20 │ 57 │
│ 23 │ 40 │ 12 │ 28 │
│ epel7 │ 40 │ 4 │ 36 │
│ rawhide │ 6 │ 0 │ 6 │
│ unspecified │ 3 │ 0 │ 3 │
│ 7.3 │ 1 │ 0 │ 1 │
│ 6.7 │ 1 │ 0 │ 1 │
└────────────────┴─────────┴───────┴─────────┘
--
Major Hayden