Security Team meeting minutes for 2016-04-28
by Eric Christensen
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:02:05 UTC. The full logs are available at
https://meetbot.fedoraproject.org/fedora-meeting/2016-04-28/fedora_securi...
Meeting summary
---------------
* Roll Call (Sparks, 14:02:12)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:07:29)
* Follow up on last week's tasks (Sparks, 14:07:44)
* ACTION: pjp to give a status update on security policy in the wiki
(carried over) (Sparks, 14:07:50)
* ACTION: Sparks to figure out how FST members can get access to
Fedora security bugs (carried over) (Sparks, 14:08:00)
* ACTION: pjp and d-caf to work on the feature requests for distgit,
Koji, and Bodhi for private builds for embargoed vulnerabilities.
(carried over) (Sparks, 14:09:35)
* Apprenticeship (Sparks, 14:09:45)
* LINK: https://fedoraproject.org/wiki/Security_Team_Apprenticeship
(Sparks, 14:15:15)
* ACTION: zoglesby to update the reading list for the Apprenticeship
(Sparks, 14:17:28)
* Open floor discussion/questions/comments (Sparks, 14:17:53)
* Outstanding BZ Tickets (Sparks, 14:22:07)
* Thursday's numbers: Critical 0 (0), Important 80 (+8), Moderate 520
(+10), Low 180 (+11), Total 780 (+29) (Sparks, 14:22:13)
* Open floor discussion/questions/comments (Sparks, 14:26:58)
Meeting ended at 14:28:57 UTC.
Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
over)
* Sparks to figure out how FST members can get access to Fedora security
bugs (carried over)
* pjp and d-caf to work on the feature requests for distgit, Koji, and
Bodhi for private builds for embargoed vulnerabilities. (carried over)
* zoglesby to update the reading list for the Apprenticeship
Action Items, by person
-----------------------
* d-caf
* pjp and d-caf to work on the feature requests for distgit, Koji, and
Bodhi for private builds for embargoed vulnerabilities. (carried
over)
* Sparks
* Sparks to figure out how FST members can get access to Fedora
security bugs (carried over)
* zoglesby
* zoglesby to update the reading list for the Apprenticeship
* **UNASSIGNED**
* pjp to give a status update on security policy in the wiki (carried
over)
People Present (lines said)
---------------------------
* Sparks (51)
* d-caf (10)
* Astradeus (10)
* zodbot (10)
* zoglesby (6)
* c0mrad3 (3)
* linuxmodder (3)
* nb (1)
* dgilmore (1)
14:02:05 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:02:06 <zodbot> Meeting started Thu Apr 28 14:02:05 2016 UTC. The
chair is Sparks. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:02:06 <zodbot> Useful Commands: #action #agreed #halp #info #idea
#link #topic.
14:02:06 <zodbot> The meeting name has been set to
'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_t...'
14:02:09 <Sparks> #meetingname Fedora Security Team
14:02:09 <zodbot> The meeting name has been set to 'fedora_security_team'
14:02:12 <Sparks> #topic Roll Call
14:02:15 * Sparks
14:02:17 * d-caf
14:02:23 * Astradeus
14:02:49 <Sparks> #chair d-caf Astradeus
14:02:49 <zodbot> Current chairs: Astradeus Sparks d-caf
14:02:56 * linuxmodder
14:03:11 <linuxmodder> morning everyone
14:03:20 <Sparks> #chair linuxmodder
14:03:20 <zodbot> Current chairs: Astradeus Sparks d-caf linuxmodder
14:04:19 * zoglesby is here
14:04:50 <Sparks> zoglesby: Welcome
14:07:24 <Sparks> Okay, let's get started.
14:07:29 <Sparks> #info Participants are reminded to make liberal use of
#info #link #help in order to make the minutes "more better"
14:07:32 <Sparks> #chair zoglesby
14:07:32 <zodbot> Current chairs: Astradeus Sparks d-caf linuxmodder
zoglesby
14:07:37 * d-caf will have to bail at 10:30
14:07:44 <Sparks> #topic Follow up on last week's tasks
14:07:50 <Sparks> #action pjp to give a status update on security policy
in the wiki (carried over)
14:08:00 <Sparks> #action Sparks to figure out how FST members can get
access to Fedora security bugs (carried over)
14:08:02 <nb> .hello nb
14:08:03 <zodbot> nb: nb 'Nick Bebout' <nb(a)nb.zone>
14:08:21 <Sparks> d-caf: Did you get a chance to start investigating
private builds in Koji and Bodhi?
14:08:54 <dgilmore> Sparks: do not forget the distgit side of that
14:09:01 <d-caf> Sparks: unfortunately not, last few weeks have been
messed up, WILL do this week
14:09:13 <Sparks> dgilmore++
14:09:13 <zodbot> Sparks: Karma for ausil changed to 27 (for the f23
release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:09:35 <Sparks> #action pjp and d-caf to work on the feature requests
for distgit, Koji, and Bodhi for private builds for embargoed
vulnerabilities. (carried over)
14:09:45 <Sparks> #topic Apprenticeship
14:10:02 <Sparks> zoglesby: You ran the meeting last week where we
discussed this. What say you?
14:12:05 <linuxmodder> distgit ?
14:13:10 <d-caf> linuxmodder: I assume it references this #link
https://fedoraproject.org/wiki/Dist_Git_Project
14:13:54 <Sparks> zoglesby: ???
14:15:15 <Sparks> #link
https://fedoraproject.org/wiki/Security_Team_Apprenticeship
14:15:28 <Sparks> Okay, not sure where zoglesby went...
14:15:36 <zoglesby> sorry
14:15:43 <Sparks> Oh there you are.
14:15:47 <Sparks> You have the floor.
14:16:16 <zoglesby> So I did not update the reading list yet, but I will
do that as soon as the meeting ends
14:16:35 <zoglesby> Nothing else to report for last week
14:17:08 <Sparks> Okay
14:17:15 <Sparks> #action zoglesby to update the reading list
14:17:19 <Sparks> #undo
14:17:19 <zodbot> Removing item from minutes: ACTION by Sparks at
14:17:15 : zoglesby to update the reading list
14:17:28 <Sparks> #action zoglesby to update the reading list for the
Apprenticeship
14:17:53 <Sparks> #topic Open floor discussion/questions/comments
14:18:02 * c0mrad3 waves
14:18:06 <Sparks> Sorry, I don't have numbers of tickets for this week.
14:18:09 <Sparks> Does anyone have anything?
14:18:16 <Astradeus> Sparks: mhayden just sent them
14:18:24 <Astradeus> and yes :)
14:18:38 <Sparks> Astradeus: Go ahead and I'll come back to the numbers.
14:18:42 <d-caf> c0mrad3: Have you had a chance to tackle any tickets,
did you still want some help with that?
14:19:07 <Astradeus> today there is the Go/NoGo-meeting for
(beta)release - someone requested that every team has a representative
there - does that include us?
14:19:29 <Astradeus> and if yes: do we have any issues there?
14:19:44 <zoglesby> I don't think Security has been in that meeting before
14:19:44 <c0mrad3> d-caf: still working on it, I got selected to GSoC
in Fedora https://summerofcode.withgoogle.com/projects/#4738558669619200
14:20:36 <d-caf> c0mrad3: Congrats! That's great!
14:20:48 <Astradeus> c0mrad3: cool :)
14:21:04 <Sparks> Astradeus: Yeah, we're not on the list so...
14:21:53 <Sparks> c0mrad3++
14:22:07 <Sparks> #topic Outstanding BZ Tickets
14:22:13 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 80
(+8), Moderate 520 (+10), Low 180 (+11), Total 780 (+29)
14:22:20 <Sparks> +Tickets by Severity-+-------+---------+
14:22:20 <Sparks> | Severity | Tickets | Owned | Unowned |
14:22:20 <Sparks> +----------+---------+-------+---------+
14:22:20 <Sparks> | medium | 520 | 40 | 480 |
14:22:20 <Sparks> | low | 180 | 13 | 167 |
14:22:22 <Sparks> | high | 80 | 28 | 52 |
14:22:24 <Sparks> +----------+---------+-------+---------+
14:22:28 <Sparks> Does anyone have anything ticket related?
14:22:33 <Sparks> ...to discuss?
14:22:41 <d-caf> No, besides needing to work them more
14:22:50 <Astradeus> did they go up much?
14:22:55 <d-caf> We need to own more of those high
14:24:13 <Astradeus> ah, they did.. 8 more high, 10 more medium, 11 more low
14:24:33 <Astradeus> d-caf: definitely
14:24:35 <d-caf> We need to push to get that trend back into negative
14:24:50 <Sparks> d-caf: Yep
14:26:58 <Sparks> #topic Open floor discussion/questions/comments
14:27:05 <Sparks> Does anyone have anything else?
14:27:16 <c0mrad3> no
14:27:18 <Astradeus> not me
14:27:19 <d-caf> nope
14:27:32 * Sparks eyes zoglesby
14:27:45 <zoglesby> I do not
14:28:48 <Sparks> Okay, that's a wrap, then.
14:28:55 <Sparks> See you all on the Intertubez!
14:28:57 <Sparks> #endmeeting
Fedora Security Team Report - 2016-04-28
by Major Hayden
Fedora Security Team Report
Report date: 2016-04-28 09:14:22.472875
Data from: 2016-04-28
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium | 520 | 40 | 480 |
| low | 180 | 13 | 167 |
| high | 77 | 26 | 51 |
| unspecified | 3 | 2 | 1 |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW | 675 | 70 | 605 |
| ON_QA | 63 | 5 | 58 |
| ASSIGNED | 26 | 6 | 20 |
| MODIFIED | 16 | 0 | 16 |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium | 520 | 40 | 480 |
| low | 180 | 13 | 167 |
| high | 80 | 28 | 52 |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| qemu | 14 | 4 | 10 |
| imlib2 | 14 | 0 | 14 |
| cacti | 14 | 0 | 14 |
| mingw-jasper | 12 | 0 | 12 |
| jasper | 12 | 0 | 12 |
| bugzilla | 11 | 1 | 10 |
| mingw-libxml2 | 10 | 0 | 10 |
| glibc | 10 | 0 | 10 |
| glib2 | 10 | 0 | 10 |
| libxml2 | 9 | 0 | 9 |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6 | 271 | 39 | 232 |
| 23 | 242 | 15 | 227 |
| 22 | 107 | 1 | 106 |
| el5 | 87 | 23 | 64 |
| epel7 | 66 | 3 | 63 |
| 24 | 3 | 0 | 3 |
| rawhide | 3 | 0 | 3 |
| 21 | 1 | 0 | 1 |
+----------------+---------+-------+---------+
--
Major Hayden
Team Meeting 2016-04-21
by Zach Oglesby
Meeting summary
---------------
* Use the RHEL 7 security guide as initial reading for now
  (mhayden, 14:16:52)
* ACTION: Rewrite the Fedora Security Guide to be more of what
  we're looking for (mhayden, 14:17:27)
* https://fedoraproject.org/wiki/Information_Security_Training
  (mhayden, 14:18:22)
* Fedora Defensive Coding docs could be useful, but may need
  some updating (mhayden, 14:19:08)
* https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensiv...
  (mhayden, 14:19:12)
* ACTION: Sparks to make it so on this CWE/CVE business
  (mhayden, 14:22:55)
* https://access.redhat.com/security/updates/classification
  (Sparks, 14:24:58)
* https://cve.mitre.org/about/faqs.html (mhayden, 14:25:57)
* http://www.candlepinproject.org/presentations/pki-crash-course
  (Sparks, 14:26:14)
* Understanding packaging is important (mhayden, 14:28:34)
* https://fedoraproject.org/wiki/Join_the_package_collection_maintainers
  (mhayden, 14:29:03)
* https://bettercrypto.org/static/applied-crypto-hardening.pdf
  (mhayden, 14:32:58)
* This should be opinionated and about how "we" do things as
  opposed to just security work in general (mhayden, 14:34:50)
* Everything sparks touches turns to gold :) (mhayden, 14:40:16)
* Would be nice to find an example of a security packaging fix
  done by a non RHT person (mhayden, 14:42:12)
* AGREED: Heartbleed was a very sad time all around (mhayden, 14:43:14)
* AGREED: Heartbleed was a very sad time all around (mhayden, 14:44:20)
* Xen security bugs could be an example -- XSA-108 was a good
  one (mhayden, 14:46:14)
* https://access.redhat.com/sites/default/files/riskreportgraphics_branded_...
  (Sparks, 14:48:00)
* ACTION: Apprentice wiki page will be updated soon (mhayden, 14:49:19)
* ACTION: Sparks will ask if he can share some of his internal
  security apprentice information (mhayden, 14:50:58)
Meeting ended at 14:54:29 UTC (full logs).
Action items
------------
* Rewrite the Fedora Security Guide to be more of what we're looking for
* Sparks to make it so on this CWE/CVE business
* Apprentice wiki page will be updated soon
* Sparks will ask if he can share some of his internal security
  apprentice information
Action items, by person
-----------------------
* Sparks
  * Sparks to make it so on this CWE/CVE business
  * Sparks will ask if he can share some of his internal security
    apprentice information
* UNASSIGNED
  * Rewrite the Fedora Security Guide to be more of what we're looking for
  * Apprentice wiki page will be updated soon
People present (lines said)
---------------------------
* mhayden (55)
* zodbot (12)
* Sparks (11)
* skamath (7)
* Astradeus (5)
* linuxmodder (2)
Full Log:
https://meetbot.fedoraproject.org/fedora-meeting/2016-04-21/fedora_securi...
Fedora Security Team Report - 2016-04-21
by Major Hayden
Fedora Security Team Report
Report date: 2016-04-21 08:57:38.166858
Data from: 2016-04-21
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium | 506 | 40 | 466 |
| low | 172 | 13 | 159 |
| high | 80 | 26 | 54 |
| unspecified | 3 | 2 | 1 |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW | 669 | 71 | 598 |
| ON_QA | 48 | 4 | 44 |
| ASSIGNED | 27 | 6 | 21 |
| MODIFIED | 17 | 0 | 17 |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium | 506 | 40 | 466 |
| low | 172 | 13 | 159 |
| high | 83 | 28 | 55 |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| imlib2 | 14 | 0 | 14 |
| cacti | 14 | 0 | 14 |
| qemu | 13 | 4 | 9 |
| mingw-jasper | 12 | 0 | 12 |
| jasper | 12 | 0 | 12 |
| bugzilla | 11 | 1 | 10 |
| mingw-libxml2 | 10 | 0 | 10 |
| glib2 | 10 | 0 | 10 |
| libxml2 | 9 | 0 | 9 |
| moodle | 8 | 1 | 7 |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6 | 268 | 39 | 229 |
| 23 | 228 | 15 | 213 |
| 22 | 107 | 1 | 106 |
| el5 | 86 | 23 | 63 |
| epel7 | 65 | 3 | 62 |
| 24 | 3 | 0 | 3 |
| rawhide | 3 | 0 | 3 |
| 21 | 1 | 0 | 1 |
+----------------+---------+-------+---------+
--
Major Hayden
Security Team Meeting minutes for 2016-04-14
by Eric Christensen
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:01:10 UTC. The full logs are available at
https://meetbot.fedoraproject.org/fedora-meeting/2016-04-14/fedora_securi...
Meeting summary
---------------
* Roll Call\ (Sparks, 14:01:16)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:05:46)
* Follow up on last week's tasks (Sparks, 14:06:29)
* ACTION: pjp to give a status update on security policy in the wiki
(carried over) (Sparks, 14:06:47)
* ACTION: Sparks to figure out how FST members can get access to
Fedora security bugs (carried over) (Sparks, 14:06:59)
* ACTION: pjp and d-caf to work on the feature requests for Koji and
Bodhi for private builds for embargoed vulnerabilities. (carried
over) (Sparks, 14:07:10)
* Apprenticeship (Sparks, 14:11:08)
* LINK:
https://lists.fedoraproject.org/archives/list/security-team@lists.fedorap...
(Sparks, 14:11:17)
* AGREED: Next week's meeting will be held via video-teleconference to
work through the Apprentice training (Sparks, 14:15:44)
* ACTION: mhayden to send an invitation for a VC meeting next week
with detailed agenda for reviewing security docs in the wiki
(mhayden, 14:17:57)
* HELP: -- review of post for personal / commblog
http://fpaste.org/355375/ (linuxmodder, 14:18:26)
* Handling embargoed vulnerabilities (Sparks, 14:18:46)
* ACTION: Sparks to follow up with pjp and d-caf on this project.
(Sparks, 14:19:15)
* pjp and d-caf were supposed to be working with Koji and Bodhi folks
to figure out private builds (carried over) (Sparks, 14:19:26)
* Outstanding BZ Tickets (Sparks, 14:19:39)
* Thursday's numbers: Critical 0 (0), Important 72 (-1), Moderate 510
(+15), Low 169 (+2), Total 751 (+16) (Sparks, 14:19:45)
* Open floor discussion/questions/comments (Sparks, 14:21:40)
* LINK: http://fpaste.org/355375/ < proposed badlock post for
planet (linuxmodder, 14:22:37)
* LINK: https://bodhi.fedoraproject.org/updates/FEDORA-2016-be53260726
(zoglesby, 14:23:55)
* gd got the patches out for Fedora fairly quickly for Samba (Sparks,
14:24:35)
* LINK: https://access.redhat.com/security/updates/classification/
(Sparks, 14:27:19)
* Critical Impact - This rating is given to flaws that could be easily
exploited by a remote unauthenticated attacker and lead to system
compromise (arbitrary code execution) without requiring user
interaction. These are the types of vulnerabilities that can be
exploited by worms. Flaws that require an authenticated remote user,
a local user, or an unlikely configuration are not classed as
Critical impact. (Sparks, 14:27:35)
* mhayden wins the weekly prize of having sent the most mail to the
list over the last 30 days. (Sparks, 14:32:12)
Meeting ended at 14:33:33 UTC.
Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
over)
* Sparks to figure out how FST members can get access to Fedora security
bugs (carried over)
* pjp and d-caf to work on the feature requests for Koji and Bodhi for
private builds for embargoed vulnerabilities. (carried over)
* mhayden to send an invitation for a VC meeting next week with detailed
agenda for reviewing security docs in the wiki
* Sparks to follow up with pjp and d-caf on this project.
Action Items, by person
-----------------------
* mhayden
* mhayden to send an invitation for a VC meeting next week with
detailed agenda for reviewing security docs in the wiki
* Sparks
* Sparks to figure out how FST members can get access to Fedora
security bugs (carried over)
* Sparks to follow up with pjp and d-caf on this project.
* **UNASSIGNED**
* pjp to give a status update on security policy in the wiki (carried
over)
* pjp and d-caf to work on the feature requests for Koji and Bodhi for
private builds for embargoed vulnerabilities. (carried over)
People Present (lines said)
---------------------------
* Sparks (59)
* linuxmodder (31)
* mhayden (22)
* zoglesby (12)
* zodbot (9)
* Southern_Gentlem (1)
14:01:10 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:01:10 <zodbot> Meeting started Thu Apr 14 14:01:10 2016 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:10 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:01:10 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_t...'
14:01:13 <Sparks> #meetingname Fedora Security Team
14:01:13 <zodbot> The meeting name has been set to 'fedora_security_team'
14:01:16 <Sparks> #topic Roll Call\
14:01:35 <linuxmodder> .hellomynameis corey84
14:01:36 <zodbot> linuxmodder: corey84 'Corey Sheldon' <sheldon.corey(a)gmail.com>
14:01:58 <linuxmodder> mattdm, you here with us today?
14:03:17 <Southern_Gentlem> .hello jbwillia
14:03:17 <zodbot> Southern_Gentlem: jbwillia 'Ben Williams' <vaioof(a)yahoo.com>
14:03:30 * zoglesby
14:03:52 <linuxmodder> c0mrad3, said he'd be absent
14:05:39 <Sparks> Okay, let's get started
14:05:46 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:06:04 <Sparks> #chair zoglesby Southern_Gentlem linuxmodder
14:06:04 <zodbot> Current chairs: Southern_Gentlem Sparks linuxmodder zoglesby
14:06:29 <Sparks> #topic Follow up on last week's tasks
14:06:47 <Sparks> #action pjp to give a status update on security policy in the wiki (carried over)
14:06:59 <Sparks> #action Sparks to figure out how FST members can get access to Fedora security bugs (carried over)
14:07:10 <Sparks> #action pjp and d-caf to work on the feature requests for Koji and Bodhi for private builds for embargoed vulnerabilities. (carried over)
14:07:35 <Sparks> zoglesby: I have down here that you were supposed to take the Apprenticeship discussion to the list.
14:07:51 <Sparks> zoglesby: I believe you did this... Was there an outcome?
14:10:06 <zoglesby> no
14:10:16 <zoglesby> it was taken to the list, I would like to think people are reading docs
14:10:42 <Sparks> ha!
14:11:02 <mhayden> i read through it after i saw it on the list -- i think we had talked about taking the big list and breaking it into maturity levels
14:11:08 <Sparks> #topic Apprenticeship
14:11:17 <Sparks> #link https://lists.fedoraproject.org/archives/list/security-team@lists.fedorap...
14:11:19 <mhayden> so that people would know which content they ought to review based on their maturity level in information security
14:11:38 <zoglesby> that is the plan
14:11:44 <zoglesby> just need to execute on it
14:11:46 <Sparks> I see no responses to the email...
14:12:39 <Sparks> zoglesby: What are next steps?
14:12:48 <linuxmodder> I have had little time this week to do anything on it
14:12:50 <linuxmodder> :(
14:12:58 <Sparks> ditto
14:13:26 <zoglesby> Read and respond to what you think is good for first level
14:13:48 <linuxmodder> on that note for open floor I'd request a review of a blog post for WP / likely the commblog as well on badlock
14:13:54 <mhayden> i wonder if we could do our next meeting via videoconference and just work through it there
14:14:03 <mhayden> we could tag each one and then sort them when the call is over
14:14:27 <Sparks> mhayden: I'm not against that
14:14:43 <mhayden> perhaps a google hangout?
14:14:55 <zoglesby> I *should* be able to do that as well
14:15:09 <linuxmodder> I'd be cool with that
14:15:11 <Sparks> mhayden: I'll let you take the lead on that.
14:15:18 <mhayden> we could get the discussion done real-time and one person could share their screen
14:15:36 <mhayden> Sparks: sure -- i'll send a meeting invitation to the list
14:15:44 <Sparks> #agreed Next week's meeting will be held via video-teleconference to work through the Apprentice training
14:16:13 <mhayden> any objections if i just send a google calendar invitation directly to the list?
14:16:52 <linuxmodder> nfm
14:17:08 <Sparks> mhayden: Might want to follow up to the invite with exactly what we're trying to do if it isn't clear from the invite.
14:17:35 <mhayden> agreed
14:17:57 <mhayden> #action mhayden to send an invitation for a VC meeting next week with detailed agenda for reviewing security docs in the wiki
14:18:18 <mhayden> zoglesby++
14:18:18 <zodbot> mhayden: Karma for zoglesby changed to 3 (for the f23 release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:18:26 <linuxmodder> #help -- review of post for personal / commblog http://fpaste.org/355375/
14:18:27 <mhayden> thanks for keeping this thing going
14:18:46 <Sparks> #topic Handling embargoed vulnerabilities
14:18:58 <Sparks> Neither pjp nor d-caf are here to talk about this.
14:19:06 <zoglesby> :
14:19:09 <zoglesby> :(
14:19:15 <Sparks> #action Sparks to follow up with pjp and d-caf on this project.
14:19:25 <linuxmodder> on that with this weeks unembargoed ^^ badlock planned post on that link
14:19:26 <Sparks> #info pjp and d-caf were supposed to be working with Koji and Bodhi folks to figure out private builds (carried over)
14:19:39 <Sparks> #topic Outstanding BZ Tickets
14:19:45 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 72 (-1), Moderate 510 (+15), Low 169 (+2), Total 751 (+16)
14:19:58 <Sparks> +Tickets by Severity-+-------+---------+
14:19:58 <Sparks> | Severity | Tickets | Owned | Unowned |
14:19:58 <Sparks> +----------+---------+-------+---------+
14:19:58 <Sparks> | medium | 510 | 40 | 470 |
14:19:58 <Sparks> | low | 169 | 13 | 156 |
14:20:00 <Sparks> | high | 72 | 29 | 43 |
14:20:03 <Sparks> +----------+---------+-------+---------+
14:20:18 <Sparks> Anyone have anything to discuss ticket-wise?
14:20:48 <linuxmodder> I should have cycles to tackle a few this week but not on any active tickets
14:21:40 <Sparks> #topic Open floor discussion/questions/comments
14:21:45 <Sparks> Anyone have anything?
14:22:11 <linuxmodder> had some interest at bitcamp for security member joins working on follow ups
14:22:37 <linuxmodder> #link http://fpaste.org/355375/ < proposed badlock post for planet
14:22:42 <linuxmodder> nffm
14:22:43 <Sparks> linuxmodder: I'm sure that would have made better sense had there not been a shortage of punctuation.
14:23:16 <linuxmodder> Sparks, following up with some attendees at bitcamp that showed interest
14:23:37 <Sparks> linuxmodder: I'm sure that even if you were in a SCIF you likely heard about Badlock
14:23:51 <linuxmodder> lol
14:23:54 <zoglesby> also it is now in the main repo
14:23:55 <zoglesby> https://bodhi.fedoraproject.org/updates/FEDORA-2016-be53260726
14:24:11 <Sparks> gd++
14:24:11 <zodbot> Sparks: Karma for gd changed to 1 (for the f23 release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:24:23 <linuxmodder> noted
14:24:35 <Sparks> #info gd got the patches out for Fedora fairly quickly for Samba
14:24:41 <linuxmodder> that was from yesterday before that dropped will update
14:25:14 <linuxmodder> any other issues /comments are welcome
14:25:14 <Sparks> It's important to note that Badlock was not a critical bug.
14:25:46 <linuxmodder> it was only Important correct
14:25:50 <Sparks> ...in spite of all the hype
14:25:52 <Sparks> correct
14:26:12 <linuxmodder> critical has the criterion of active 0day no?
14:26:49 <Sparks> linuxmodder: Not necessarily. It has to be remotely exploitable, I think.
14:27:19 <Sparks> #link https://access.redhat.com/security/updates/classification/
14:27:21 <linuxmodder> remote with no user interact seems logical
14:27:35 <Sparks> #info Critical Impact - This rating is given to flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. These are the types of vulnerabilities that can be exploited by worms. Flaws that require an authenticated remote user, a local user, or an unlikely configuration are not classed as Critical impact.
14:28:37 <linuxmodder> the fact badlock required auth users saved it from that
14:29:07 <linuxmodder> any other mods from the post before I publish it ?
14:29:07 <Sparks> I don't think the dust has settled completely on this vuln.
14:29:15 <linuxmodder> nor do I
14:29:27 <linuxmodder> residuals would not surprise me
14:29:30 <mhayden> invitation sent for next week -- let me know if i am missing detail
14:29:35 <Sparks> I didn't really read through it for accuracy as I've been overexposed to it now.
14:29:41 <linuxmodder> as this partly allowed drown
14:29:47 <Sparks> mhayden++
14:29:55 <mhayden> oh no -- i scheduled it for *today*
14:29:58 <linuxmodder> the links were to the access.rh links
14:29:59 <mhayden> rather than next thurs :P
14:30:01 * mhayden goes to fix
14:30:02 <Sparks> mhayden--
14:30:08 <zoglesby> lol
14:30:25 <linuxmodder> and wiki pages or official docs for the 'terms'
14:30:55 <Sparks> Okay, anything else?
14:31:12 <linuxmodder> if anyone else can give it an accuracy check that would be great
14:31:39 <linuxmodder> << EOF
14:32:12 <Sparks> #info mhayden wins the weekly prize of having sent the most mail to the list over the last 30 days.
14:32:31 <Sparks> And that's all I have.
14:32:44 <mhayden> :|
14:32:47 <mhayden> oopsies
14:32:50 <Sparks> Join us again, next week, when we do this all over again!
14:32:54 <mhayden> #makemailinglistsgreatagain?
14:33:02 <Sparks> mhayden++
14:33:04 <mhayden> haha
14:33:11 * mhayden orders a red hat
14:33:22 <mhayden> more like a red cap
14:33:30 <Sparks> Okay, see you all in the Intertubez!
14:33:33 <Sparks> #endmeeting
Fedora Security Team Report - 2016-04-14
by Major Hayden
Fedora Security Team Report
Report date: 2016-04-14 08:54:37.474117
Data from: 2016-04-14
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium | 510 | 40 | 470 |
| low | 169 | 13 | 156 |
| high | 69 | 27 | 42 |
| unspecified | 3 | 2 | 1 |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW | 660 | 71 | 589 |
| ON_QA | 50 | 5 | 45 |
| ASSIGNED | 29 | 6 | 23 |
| MODIFIED | 12 | 0 | 12 |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium | 510 | 40 | 470 |
| low | 169 | 13 | 156 |
| high | 72 | 29 | 43 |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| cacti | 14 | 0 | 14 |
| qemu | 12 | 4 | 8 |
| mingw-jasper | 12 | 0 | 12 |
| jasper | 12 | 0 | 12 |
| imlib2 | 11 | 0 | 11 |
| bugzilla | 11 | 1 | 10 |
| mingw-libxml2 | 10 | 0 | 10 |
| glib2 | 10 | 0 | 10 |
| libxml2 | 9 | 0 | 9 |
| kernel | 8 | 0 | 8 |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6 | 263 | 40 | 223 |
| 23 | 231 | 15 | 216 |
| 22 | 106 | 1 | 105 |
| el5 | 85 | 23 | 62 |
| epel7 | 59 | 3 | 56 |
| 24 | 3 | 0 | 3 |
| rawhide | 3 | 0 | 3 |
| 21 | 1 | 0 | 1 |
+----------------+---------+-------+---------+
--
Major Hayden