November 2015 - security-team [ARCHIVED]

FST virtual key signing party on 2015-11-12

by Eric Christensen

Next week we'll do our virtual key signing party using Bluejeans[0] during our normal meeting time. We'll be using the Keysigning Party HOWTO[1] to help organize the event of which I'm leaning toward the Hash Based Method[2]. It's okay if you aren't comfortable using this method of keysigning but I did want to make this available as an option to help extend trust among FST members. If you want to participate please send me your PGP/GPG key fingerprint via a signed and encrypted email to sparks(a)fedoraproject.org using my key 0x024BB3D1 (fingerprint 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1). Please also make sure that your public key is available on the Fedora Key server[3]. When I receive your fingerprint I'll add you to an invitation list where you will receive a unique URL and passphrase to access the event. This will hopefully improve the integrity of the event. Each participant will need to bring some form of identification to the event. After the event I would highly recommend using caff[4] to sign and distribute the signatures. This tool encrypts the signature in an email which forces the recipient to prove they have access to not only the email address but also the key to obtain the signature. Question? Did I miss anything? Reply now! Otherwise, please send me your key fingerprints and we'll get this event going. Thanks! [0] Yeah, while not a FOSS solution, it at least supports Linux. I really couldn't find a good FOSS solution for this but am open to suggestions in the future. [1] http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html [2] http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.h... [3] https://keys.fedoraproject.org/ [4] https://sparkslinux.wordpress.com/2014/06/21/signing-pgp-keys/ --Eric

8 years, 5 months

2
4
0 / 0

Security Team meeting minutes for 2015-11-05

by Eric Christensen

Meeting started by Sparks at 14:00:21 UTC. The full logs are available at http://meetbot.fedoraproject.org/fedora-meeting/2015-11-05/fedora_securit... . Meeting summary --------------- * Roll Call (Sparks, 14:00:26) * LINK: https://lists.fedoraproject.org/pipermail/security-team/2015-November/000... (mhayden, 14:05:21) * Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better" (Sparks, 14:14:32) * Follow up on last week's tasks (Sparks, 14:15:03) * ACTION: Sparks to talk with mattdm regarding private security tickets in BZ. (Sparks, 14:15:26) * This was started but hasn't really moved forward. (Sparks, 14:15:42) * ACTION: Sparks to discuss using Bluejeans for an online GPG key signing event (Sparks, 14:15:50) * This isn't mandatory so if you don't feel comfortable participating or don't feel comfortable with not holding an ID in your hands then you don't have to participate. (Sparks, 14:18:05) * ACTION: mhayden to get Astradeus' changes to the stats script into the fedora-security-team git repo (Sparks, 14:22:29) * ACTION: pjp to give a status update on security policy in the wiki (carried over) (Sparks, 14:23:37) * Education and Training (Sparks, 14:23:42) * LINK: https://fedoraproject.org/wiki/Information_Security_Training (Sparks, 14:23:49) * LINK: https://benchmarks.cisecurity.org/downloads/multiform/index.cfm - should it be there? (fenrus02, 14:25:27) * LINK: https://wiki.mozilla.org/Security/Server_Side_TLS .. and .. https://mozilla.github.io/server-side-tls/ssl-config-generator/ ? or too much detail ? (fenrus02, 14:27:53) * Astradeus' changes for the script are now merged ;) (mhayden, 14:27:59) * Outstanding BZ Tickets (Sparks, 14:31:29) * Thursday's numbers: Critical 1 (0), Important 40 (0), Moderate 457 (+11), Low 170 (+8), Total 668 (Sparks, 14:31:36) * Current tickets owned: 85 (Sparks, 14:31:42) * IDEA: FST gets copied on critical and important CVEs that come to Fedora/EPEL. (Sparks, 14:34:49) * ACTION: Sparks to work with PST to get our mailling list included on BZ tickets for critical and important CVEs. (Sparks, 14:39:03) * Apparently FST members can't look at security bugs. This is likely a problem if we're supposed to be fixing such things. (Sparks, 14:40:32) * ACTION: Sparks to figure out how FST members can get access to Fedora security bugs (Sparks, 14:40:47) * Anyone finding a security bug in Fedora that doesn't have a CVE should let PST know so we can get a CVE issued. secalert(a)redhat.com (Sparks, 14:41:32) * Open floor discussion/questions/comments (Sparks, 14:43:34) Meeting ended at 14:46:52 UTC. Action Items ------------ * Sparks to talk with mattdm regarding private security tickets in BZ. * Sparks to discuss using Bluejeans for an online GPG key signing event * pjp to give a status update on security policy in the wiki (carried over) * Sparks to work with PST to get our mailling list included on BZ tickets for critical and important CVEs. * Sparks to figure out how FST members can get access to Fedora security bugs Action Items, by person ----------------------- * Astradeus * mhayden to get Astradeus' changes to the stats script into the fedora-security-team git repo * mattdm * Sparks to talk with mattdm regarding private security tickets in BZ. * mhayden * mhayden to get Astradeus' changes to the stats script into the fedora-security-team git repo * Sparks * Sparks to talk with mattdm regarding private security tickets in BZ. * Sparks to discuss using Bluejeans for an online GPG key signing event * Sparks to work with PST to get our mailling list included on BZ tickets for critical and important CVEs. * Sparks to figure out how FST members can get access to Fedora security bugs * **UNASSIGNED** * pjp to give a status update on security policy in the wiki (carried over) People Present (lines said) --------------------------- * Sparks (72) * mhayden (17) * fenrus02 (6) * Astradeus (6) * zodbot (4) * mattdm (3) * rishi (2) * jsmith (1) 14:00:21 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings 14:00:21 <zodbot> Meeting started Thu Nov 5 14:00:21 2015 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:00:21 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 14:00:24 <Sparks> #meetingname Fedora Security Team 14:00:24 <zodbot> The meeting name has been set to 'fedora_security_team' 14:00:26 <Sparks> #topic Roll Call 14:00:29 * Sparks 14:01:50 * Astradeus 14:03:11 <Sparks> mhayden: ping 14:03:11 <zodbot> Sparks: Ping with data, please: https://fedoraproject.org/wiki/No_naked_pings 14:03:22 <mhayden> Sparks: aaaaack, DST 14:03:28 <mhayden> :P 14:03:35 <Sparks> mhayden: We're on zulu time! 14:03:42 * mhayden scurries over to his calendar to adjust the invitation 14:03:48 <Sparks> mhayden: Could you run your script for numbers, please? 14:03:51 <mhayden> on it 14:03:56 <Sparks> TU 14:04:01 <Sparks> mattdm: You around? 14:05:21 <mhayden> #link https://lists.fedoraproject.org/pipermail/security-team/2015-November/000... 14:05:23 <mhayden> ^^ stats 14:08:01 <Sparks> Hmmm, I thought I took care of that Critical last week. 14:09:04 <rishi> fg 14:09:07 <rishi> sorry 14:10:56 <Sparks> Sorry for the delay, I'm still tweeking the minutes. 14:11:01 * Sparks is running behind this morning 14:13:15 <mhayden> DSt made all of my meetings scoot up 14:14:32 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better" 14:14:48 <Sparks> mhayden: Just put the TZ for this meeting as UTC and it'll always be correct. :) 14:14:53 <Sparks> Okay, lets get started. 14:15:03 <Sparks> #topic Follow up on last week's tasks 14:15:13 <mhayden> figured out how to do that in android -- makes up for Exchange's shortcomings :P 14:15:26 <Sparks> #action Sparks to talk with mattdm regarding private security tickets in BZ. 14:15:42 <Sparks> #info This was started but hasn't really moved forward. 14:15:50 <Sparks> #action Sparks to discuss using Bluejeans for an online GPG key signing event 14:16:04 <Sparks> I haven't done this but does anyone have a problem with doing this? 14:16:12 <mhayden> i did my first gpg key signing at the last flock, it was fun! 14:16:45 <mhayden> i'm not sure how some folks might feel about their identification cards/passports/licenses being on screen 14:16:52 <mhayden> someone could screenshot it and do nefarious things 14:17:17 <Sparks> Well, lots of people could do lots of things... I'm not sure that it requires a screenshot. 14:17:26 <mhayden> haha 14:18:05 <Sparks> #info This isn't mandatory so if you don't feel comfortable participating or don't feel comfortable with not holding an ID in your hands then you don't have to participate. 14:18:18 <mattdm> Sparks: I'm around for, like, 11 minutes 14:18:51 <Sparks> mattdm: Can I get on your calendar for later today to discuss furthering the mission of the FST? 14:19:05 <Astradeus> i think in that case hiding the passport number should be enough to make it a little bit protected - the rest of the security features is the same on all other identification-things 14:19:51 <Astradeus> e.g. the hologram and the name needs to be visible i think, the passport number does not need to be 14:20:04 <Sparks> Okay, I'll try to send something to the list just after the meeting while it's fresh on my mind. 14:20:15 <Sparks> Astradeus: True 14:20:24 <mhayden> i think sgallagh arranged the last signing at flock 14:20:42 <Sparks> Astradeus: I suspect that most Customs folks are using the RFID chip for auth now anyway. 14:20:59 * mhayden is one of the few without a chipped passport at the moment :P 14:21:09 <mattdm> Sparks: -- yes... maybe 3pm (US/Eastern)? 14:21:15 <Sparks> mhayden: Yeah, likely. I've usually done them at events around here. 14:21:41 <Sparks> mattdm: 3pm ET works for me. I'll send you info. Thanks! 14:22:20 <Sparks> mhayden: What?!? How can you survive without the little chip thingy? :) 14:22:25 <Sparks> Okay, moving on... 14:22:29 <Sparks> #action mhayden to get Astradeus' changes to the stats script into the fedora-security-team git repo 14:22:38 <Sparks> mhayden: ^^^ did this happen? 14:23:15 <mattdm> Sparks: cool 14:23:20 <mhayden> nah, but i am going to look at it right now ;) 14:23:37 <Sparks> #action pjp to give a status update on security policy in the wiki (carried over) 14:23:42 <Sparks> #topic Education and Training 14:23:49 <Sparks> #link https://fedoraproject.org/wiki/Information_Security_Training 14:23:57 <Sparks> (From last week...) 14:24:31 <Sparks> I've started compiling training aids for learning about information security. I've created the above wiki page to list them. 14:25:08 <Astradeus> i've been skipping over a few entries already - nice page :) 14:25:27 <fenrus02> https://benchmarks.cisecurity.org/downloads/multiform/index.cfm - should it be there? 14:26:29 <Sparks> fenrus02: IDK. Is that educational or just benchmark information? 14:26:43 <fenrus02> how / why to make alterations 14:27:05 <Sparks> It could be. Feel free to add it. 14:27:21 <fenrus02> ditto for https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ ? 14:27:53 <fenrus02> https://wiki.mozilla.org/Security/Server_Side_TLS .. and .. https://mozilla.github.io/server-side-tls/ssl-config-generator/ ? or too much detail ? 14:27:59 <mhayden> #info Astradeus' changes for the script are now merged ;) 14:28:30 <Sparks> fenrus02: Yes, but use a WorldCat URL for books. https://www.worldcat.org/title/bulletproof-ssl-and-tls/oclc/889874499 14:28:47 <fenrus02> ok. why worldcat instead of the publisher page? 14:29:09 <Sparks> Worldcat shows where to get the book (and not just from Amazon) like libraries 14:29:27 <Sparks> I want to make it easier for folks to find the materials. 14:29:37 <Sparks> Especially if they can get them for free. 14:31:29 <Sparks> #topic Outstanding BZ Tickets 14:31:36 <Sparks> #info Thursday's numbers: Critical 1 (0), Important 40 (0), Moderate 457 (+11), Low 170 (+8), Total 668 14:31:42 <Sparks> #info Current tickets owned: 85 14:31:55 <Sparks> +Tickets by Priority--+-------+---------+ 14:31:55 <Sparks> | Priority | Count | Owned | Unowned | 14:31:55 <Sparks> +-------------+-------+-------+---------+ 14:31:55 <Sparks> | medium | 457 | 45 | 412 | 14:31:56 <Sparks> | low | 170 | 14 | 156 | 14:31:58 <Sparks> | high | 40 | 26 | 14 | 14:32:00 <Sparks> | unspecified | 4 | 0 | 4 | 14:32:03 <Sparks> | urgent | 1 | 0 | 1 | 14:32:05 <Sparks> +-------------+-------+-------+---------+ 14:32:09 <Astradeus> i didn't have the time to look at tickets unfortunately :/ 14:32:16 <Sparks> Anyone have anything ticket-wise to discuss? 14:34:26 <Sparks> Oh, I have something. 14:34:49 <Sparks> #idea FST gets copied on critical and important CVEs that come to Fedora/EPEL. 14:35:03 <fenrus02> +1 14:35:43 <Sparks> I figure that way we will get notified immediately instead of finding out something has been there after a few days/weeks. 14:37:01 <Sparks> mhayden: ^^^ 14:37:17 <mhayden> that'd be nifty 14:39:03 <Sparks> #action Sparks to work with PST to get our mailling list included on BZ tickets for critical and important CVEs. 14:40:32 <Sparks> #info Apparently FST members can't look at security bugs. This is likely a problem if we're supposed to be fixing such things. 14:40:47 <Sparks> #action Sparks to figure out how FST members can get access to Fedora security bugs 14:41:32 <Sparks> #info Anyone finding a security bug in Fedora that doesn't have a CVE should let PST know so we can get a CVE issued. secalert(a)redhat.com 14:42:08 <Sparks> Anyone have anything else? 14:42:14 * jsmith shows up late, and has nothing :-( 14:42:27 <Sparks> jsmith: Welcome! 14:43:34 <Sparks> #topic Open floor discussion/questions/comments 14:43:45 <Sparks> Okay, does anyone have anything before we close for the day? 14:45:16 <Sparks> Nothing? 14:45:52 <Sparks> Okay, I'm going to go ahead and close the meeting and try to update next week's agenda now (for a change) and start working on my action items. 14:45:57 <Sparks> Thanks, all, for coming out! 14:46:11 <Astradeus> thank you for managing the meeting :) 14:46:52 <Sparks> #endmeeting

8 years, 5 months

2
1
0 / 0

Fedora Security Team Report - 2015-11-05

by Major Hayden

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 __ _ / _| ___ __| | ___ _ __ __ _ | |_ / _ \/ _` |/ _ \| '__/ _` | Fedora Security Team Report | _| __/ (_| | (_) | | | (_| | Report date: 2015-11-05 08:04:30.816513 |_| \___|\__,_|\___/|_| \__,_| - ------------------------------------------------------------------------------- +Tickets by Priority--+-------+---------+ | Priority | Count | Owned | Unowned | +-------------+-------+-------+---------+ | medium | 457 | 45 | 412 | | low | 170 | 14 | 156 | | high | 40 | 26 | 14 | | unspecified | 4 | 0 | 4 | | urgent | 1 | 0 | 1 | +-------------+-------+-------+---------+ +Tickets by Status-+-------+---------+ | Status | Count | Owned | Unowned | +----------+-------+-------+---------+ | NEW | 561 | 66 | 495 | | ON_QA | 65 | 14 | 51 | | MODIFIED | 24 | 0 | 24 | | ASSIGNED | 22 | 5 | 17 | +----------+-------+-------+---------+ +Tickets by Severity--+-------+---------+ | Severity | Count | Owned | Unowned | +-------------+-------+-------+---------+ | medium | 456 | 45 | 411 | | low | 170 | 14 | 156 | | high | 43 | 26 | 17 | | urgent | 2 | 0 | 2 | | unspecified | 1 | 0 | 1 | +-------------+-------+-------+---------+ +Tickets by Component---+-------+---------+ | Component | Count | Owned | Unowned | +---------------+-------+-------+---------+ | mingw-libxml2 | 10 | 0 | 10 | | cacti | 10 | 0 | 10 | | bugzilla | 9 | 1 | 8 | | nagios | 9 | 9 | 0 | | glibc | 8 | 0 | 8 | | kernel | 7 | 0 | 7 | | quassel | 7 | 1 | 6 | | mingw-icu | 7 | 0 | 7 | | libsndfile | 6 | 0 | 6 | +---------------+-------+-------+---------+ +Tickets by Distro Version-------+---------+ | Distro Version | Count | Owned | Unowned | +----------------+-------+-------+---------+ | el6 | 228 | 41 | 187 | | 22 | 166 | 2 | 164 | | 21 | 116 | 6 | 110 | | el5 | 76 | 20 | 56 | | epel7 | 41 | 4 | 37 | | 23 | 34 | 12 | 22 | | rawhide | 5 | 0 | 5 | | unspecified | 3 | 0 | 3 | | 7.3 | 1 | 0 | 1 | +----------------+-------+-------+---------+ - -- Major Hayden -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJWO2ICAAoJEHNwUeDBAR+xk00QAKDAGawRcLVrEP0wjtkySrHC jGj3gLEbSdDVE2hy2JvZ1iggcWhPJkW3bBnpvVKQhOub99uBhhxy/7hxVAglb0Gg eRqdOA7p6ohC3z5z3b0NIwHqNvn3B4penNFSNjX27UspNl7jHqhLD9jB4JLPP+Qe fgf+DPmQso9xCBSC4tyNZPcNFdj9iRVVE6sQCUc8drgRf845TwpHXHlAFm0v89Ly Th4ppw3Ojs3kYxGzAj8s1Of66yZuMtX4+8nyFLNCH0ST4rZ4zy0H+kif70W2g3M1 D06Kkx+ocA4C5SZivgbDWPUYv+rqVobqD4QYpeqje7EU1mM7N3xbMC/gvb8mX+xy +hah2D6jRBKYMHB3YRyYo6bcqbbuJE8SllWTKhUyNvu4a1A6e8QBfMdc9vB0Kqyu IM2cCiusocClY+EMcAvXQ9uAWHUISkF54yOxg5NKIs88UpLTzB9xCsf1jBTNrNhR zSQ171O0xs4g5JhwJ4iL8bDa6aNN4ADb5+DdnXEUkadtFCeaShIeS9x6EKOSirVG iRxC6s/RnXNqmu90prmeySHvi8EE8a6fapZ4P1u4+LtKPn3rLsDe1aVCjVMwgdV6 He55wWQd9WF4sArL9sDKwOsV6utart2LSPBRQu4NTwaa2CruMK8rD3cTxitumV20 Se/rNSzB6uuLSJH/XGeE =1p3a -----END PGP SIGNATURE-----

8 years, 5 months

1
0
0 / 0

[Fedocal] Reminder meeting : Security Team Meeting

by Nobody

Dear all, You are kindly invited to the meeting: Security Team Meeting on 2015-11-05 from 14:00:00 to 15:00:00 UTC At fedora-meeting(a)irc.freenode.net The meeting will be about: More information available at: [https://fedoraproject.org/wiki/Security_Team_meetings](https://fedoraproj... Source: https://apps.fedoraproject.org/calendar/meeting/2849/

8 years, 5 months

1
0
0 / 0

Infrastructure improvement: X.509 certificates

by Florian Weimer

I wonder what it takes to get these tickets fixed: https://fedorahosted.org/fedora-infrastructure/ticket/2324 I now have Git access over SSH, but for years, I had to download repositories over an insecure channel. I don't know why this problem exists: https://fedorahosted.org/fedora-infrastructure/ticket/4945 At least there is a workaround to accept the server certificate in the browser. But it doesn't help if you are downloading packages from Koji in a fresh VM. Florian

8 years, 5 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

security-team [ARCHIVED] November 2015