Security Team FAD
by Zach Oglesby
All,
As per last week's meeting, we are moving the FAD to March 11. I have a room
at LivingSocial in DC for the whole day. We have a webcam in the room and
Sparks will set up a BlueJeans meeting for remote attendance.
For people who are in DC or will be coming in, the address is 1445 New York
Ave NW, Washington, District of Columbia 20005, on the 3rd floor. If you are
driving there are a few parking garages nearby, but I would recommend the
metro. Either Farragut West Metro Station or Metro Center is within walking
distance. When you arrive at the building, let the people at the lobby desk
know you are here for LivingSocial; they will let you up the elevator, and
at LivingSocial's front desk (to the right when you leave the elevator)
tell them you are here for me (Zach Oglesby).
We are aiming for a 9 AM start, but show up whenever you can.
update (and questions) on "urgent fixes urgently" solution
by Matthew Miller
See https://fedorahosted.org/rel-eng/ticket/5886 for background. We
recently had a meeting with release engineering about actually
implementing this. See the notes in comment #33.
This resulted in several questions for the security team.
First: we agreed that we don't want just any update using this -- it
should be for updates that are both critical and urgent. (Remote root
ssh exploit, anyone? *knock on wood*) So, we think it makes sense for
updates to be selected for this process by the security team. The
question is: who should that be exactly, and how should that group be
defined. (An existing FAS group? A special new one? Something else?)
Second, a more technical matter. In order for an update to be treated
specially, it will need something special in Bodhi. One relatively easy
way is to have the security person (from question #1) submit the
update, instead of the packager. (Or, possibly, in *addition* to the
packager submitting the update for the regular repositories.) Since
this is something that hopefully will happen a couple of times a year
(or less!), is that workable? Or, would it be better for the packager
to submit the update as normal, but provide some button or checkbox
available to the security team to escalate the update to the urgent
repo?
Third, any other questions or concerns?
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader
Fedora Security Team Report - 2016-02-18
by Major Hayden
Fedora Security Team Report
Report date: 2016-02-18 07:40:10
Data from: 2016-02-18
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium | 462 | 39 | 423 |
| low | 181 | 13 | 168 |
| high | 54 | 20 | 34 |
| unspecified | 3 | 0 | 3 |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW | 566 | 64 | 502 |
| ON_QA | 94 | 4 | 90 |
| ASSIGNED | 22 | 4 | 18 |
| MODIFIED | 18 | 0 | 18 |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium | 462 | 39 | 423 |
| low | 181 | 13 | 168 |
| high | 57 | 20 | 37 |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| qemu | 16 | 4 | 12 |
| mingw-pcre | 14 | 0 | 14 |
| mingw-libxml2 | 14 | 0 | 14 |
| xen | 14 | 0 | 14 |
| glib2 | 12 | 0 | 12 |
| cacti | 12 | 0 | 12 |
| bugzilla | 11 | 1 | 10 |
| mingw-jasper | 8 | 0 | 8 |
| libxml2 | 8 | 0 | 8 |
| jasper | 8 | 0 | 8 |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6 | 245 | 36 | 209 |
| 23 | 189 | 11 | 178 |
| 22 | 114 | 1 | 113 |
| el5 | 80 | 21 | 59 |
| epel7 | 66 | 3 | 63 |
| rawhide | 6 | 0 | 6 |
+----------------+---------+-------+---------+
--
Major Hayden
Security Team Meeting minutes - 2016-02-11
by David Cafaro
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by d-caf at 14:21:47 UTC. The full logs are available at
http://meetbot.fedoraproject.org/fedora-meeting/2016-02-11/fedora_securit...
Meeting summary
---------------
* Roll Call (d-caf, 14:22:13)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (d-caf, 14:27:09)
* Follow up on last week's tasks (d-caf, 14:27:29)
* ACTION: pjp to give a status update on security policy in the wiki
(carried over) (d-caf, 14:28:10)
* ACTION: Sparks to figure out how FST members can get access to
Fedora security bugs (carried over) (d-caf, 14:28:19)
* ACTION: Sparks to follow up on meeting locations to verify their
availability. (carried over) (d-caf, 14:28:30)
* Fedora Security Team FAD (d-caf, 14:31:00)
* Sparks going to press ahead with the 4 March date and use the 11
March date as a backup for the FAD. (d-caf, 14:32:16)
* Outstanding BZ Tickets (d-caf, 14:33:15)
* Open floor discussion/questions/comments (d-caf, 14:44:56)
* LINK:
https://lists.fedoraproject.org/archives/list/security-team@lists.fedorap...
(d-caf, 14:46:12)
Meeting ended at 14:47:25 UTC.
Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
over)
* Sparks to figure out how FST members can get access to Fedora security
bugs (carried over)
* Sparks to follow up on meeting locations to verify their availability.
(carried over)
Action Items, by person
-----------------------
* **UNASSIGNED**
* pjp to give a status update on security policy in the wiki (carried
over)
* Sparks to figure out how FST members can get access to Fedora
security bugs (carried over)
* Sparks to follow up on meeting locations to verify their
availability. (carried over)
People Present (lines said)
---------------------------
* d-caf (41)
* linuxmodder (9)
* zodbot (5)
* Astradeus (2)
14:21:47<d-caf> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:21:47<zodbot> Meeting started Thu Feb 11 14:21:47 2016 UTC. The chair is d-caf. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:21:47<zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:21:47<zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_t...'
14:22:03<d-caf> #meetingname Fedora Security Team
14:22:03<zodbot> The meeting name has been set to 'fedora_security_team'
14:22:13<d-caf> #topic Roll Call
14:22:21 * d-caf
14:22:47<linuxmodder> .hello corey84
14:22:48<zodbot> linuxmodder: corey84 'Corey Sheldon' <sheldon.corey(a)gmail.com>
14:24:41<linuxmodder> Sparks ?
14:25:02<d-caf> I believe he is out all month
14:25:09<d-caf> Astradeus: You still there?
14:26:25<linuxmodder> seems not :(
14:26:59<d-caf> ok, then...
14:27:09<d-caf> #info Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better"
14:27:29<d-caf> #topic Follow up on last week's tasks
14:27:55<d-caf> There was no real meeting last week, and old tasks are those not here, and I have not heard updates
14:28:10<d-caf> #action pjp to give a status update on security policy in the wiki
(carried over)
14:28:19<d-caf> #action Sparks to figure out how FST members can get access to Fedora
security bugs (carried over)
14:28:30<d-caf> #action Sparks to follow up on meeting locations to verify their
availability. (carried over)
14:28:33<Astradeus> d-caf: only partly :/
14:29:00<d-caf> Astradeus: understood
14:29:09<d-caf> Anyone know of any updates on the above action?
14:30:48<d-caf> ok, moving on
14:30:56<d-caf> #topic Fedora Security Team FAD
14:31:00<d-caf> #topic Fedora Security Team FAD
14:31:34<d-caf> Sparks actually took on an action last time, on this but I haven't heard anything yet, anyone else have an update?
14:32:16<d-caf> #info Sparks going to press ahead with the 4 March date and use the 11
March date as a backup for the FAD.
14:33:08<d-caf> and continuing on..
14:33:15<d-caf> #topic Outstanding BZ Tickets
14:34:27<d-caf> I don't have the nice summary that sparks usually does but mhayden did run the numbers this morning
14:34:47<d-caf> +Tickets by Severity-+-------+---------+
14:34:47<d-caf> | Severity | Tickets | Owned | Unowned |
14:34:47<d-caf> +----------+---------+-------+---------+
14:34:47<d-caf> | medium | 480 | 39 | 441 |
14:34:47<d-caf> | low | 182 | 13 | 169 |
14:34:50<d-caf> | high | 57 | 20 | 37 |
14:34:52<d-caf> +----------+---------+-------+---------+
14:35:23<linuxmodder> at least that high number is dropping
14:40:06<d-caf> still a lot of work there
14:40:31<d-caf> and there was that recent one that hit the mailing list, which appears it was never communicated to redhat/fedora before public announce?
14:41:50<linuxmodder> missed that one in the recent ml flood from several sub projects
14:42:22<d-caf> Yes, did the mailing list get hosed up or something?
14:42:33<d-caf> noticed a nearly 24 hour delay in my response
14:43:10<linuxmodder> mailman had some funky-ness last week iirc
14:43:19<linuxmodder> or was it hyperkitty can't recall
14:44:11<d-caf> anything else bug related?
14:44:19<linuxmodder> not that I've seen
14:44:56<d-caf> #topic Open floor discussion/questions/comments
14:45:01<d-caf> Ok, anything else?
14:45:43<linuxmodder> nah not from me
14:46:00<d-caf> Oh, the vulnerability that came in late was this thread: https://lists.fedoraproject.org/archives/list/security-team@lists.fedorap...
14:46:12<d-caf> #link
https://lists.fedoraproject.org/archives/list/security-team@lists.fedorap...
14:46:32<d-caf> ok, well, guess that's it
14:47:15<Astradeus> maybe the issue with the fedora-release would be something to discuss?
14:47:25<d-caf> #endmeeting
Fedora Security Team Report - 2016-02-11
by Major Hayden
Fedora Security Team Report
Report date: 2016-02-11 07:51:20.104978
Data from: 2016-02-11
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium | 480 | 39 | 441 |
| low | 182 | 13 | 169 |
| high | 54 | 20 | 34 |
| unspecified | 3 | 0 | 3 |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW | 573 | 64 | 509 |
| ON_QA | 101 | 4 | 97 |
| ASSIGNED | 24 | 4 | 20 |
| MODIFIED | 21 | 0 | 21 |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium | 480 | 39 | 441 |
| low | 182 | 13 | 169 |
| high | 57 | 20 | 37 |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| mingw-pcre | 32 | 0 | 32 |
| mingw-libxml2 | 19 | 0 | 19 |
| qemu | 14 | 4 | 10 |
| glib2 | 13 | 0 | 13 |
| cacti | 12 | 0 | 12 |
| bugzilla | 11 | 1 | 10 |
| xen | 9 | 0 | 9 |
| mingw-jasper | 8 | 0 | 8 |
| libxml2 | 8 | 0 | 8 |
| jasper | 8 | 0 | 8 |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6 | 247 | 36 | 211 |
| 23 | 196 | 11 | 185 |
| 22 | 124 | 1 | 123 |
| el5 | 80 | 21 | 59 |
| epel7 | 66 | 3 | 63 |
| rawhide | 6 | 0 | 6 |
+----------------+---------+-------+---------+
--
Major Hayden
CVE-2016-1521
by Dan Mossor
Greetings,
I was made aware of CVE-2016-1521 this past weekend, and can find no
reference to this CVE in Red Hat Bugzilla, nor has there been a Red Hat
Security Bulletin regarding this.
I consider this CVE to be critical as it requires zero action on the
part of the user. It can be spread through malvertising, or a minor hack
to a website that calls a 3rd party CSS file.
The Graphite developers released an update in January, but have not
specifically addressed this CVE. Can you provide a statement stating
whether it has been fixed or not?
References:
http://www.talosintel.com/reports/TALOS-2016-0058/
http://news.softpedia.com/news/vulnerability-in-font-processing-library-a...
Regards,
Dan Mossor
--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Ambassador | Fedora CommOps
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA