Fwd: [oss-security] TLS testing results - OS distro vulnerabilities
by Eric Christensen
This could be interesting while doing code audits and while looking for
trouble.
--Eric
-------- Forwarded Message --------
Subject: [oss-security] TLS testing results - OS distro vulnerabilities
Date: Sat, 20 Aug 2016 16:50:29 +0000
From: Mauri Miettinen <Mauri.Miettinen(a)student.oulu.fi>
Reply-To: oss-security(a)lists.openwall.com
To: oss-security(a)lists.openwall.com <oss-security(a)lists.openwall.com>
CC: ouspg(a)ee.oulu.fi <ouspg(a)ee.oulu.fi>
To whom it may concern,
We developed a tool to check if languages and libraries verify TLS
certificates properly.
While testing this tool we did a shootout against supported versions of
some major Linux distributions.
Results are available from:
https://github.com/ouspg/trytls/blob/shootout-0.3/shootout/README.md
It seems it may be unsafe to do TLS in some of the common distros.
E.g. the native Python version in the distros varies, and not all fixes have
been backported. In these cases Python still doesn't always have certificate
checking enabled by default.
We have contacted Python developers about the results.
https://mail.python.org/pipermail/python-dev/2016-August/145815.html
They gave us a couple of good pointers on how configuration could be
used to mitigate the issues in some of the distributions. We are afraid
this is still a hazard where neither software developers nor users realize
that code that works well for the developer may not be safe for the users.
Would you have any other resources, advice or pointers we should
document when communicating about this in the TryTLS project?
Mauri Miettinen
PS. Results have indications of weak crypto issues as well.
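A self-check for the Python default the post describes, added here as an example (not TryTLS code and not from the thread): it reports whether the interpreter's default HTTPS client context verifies the certificate chain and the hostname. It assumes CPython's private factory name `ssl._create_default_https_context` (PEP 476) and `ssl._create_unverified_context`.

```python
import ssl
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class VerificationStatus:
    python_version: str
    verify_mode: str      # "CERT_NONE", "CERT_OPTIONAL" or "CERT_REQUIRED"
    check_hostname: bool

    @property
    def safe(self) -> bool:
        # Both are required: a chain to a trusted CA AND a hostname match.
        return self.verify_mode == "CERT_REQUIRED" and self.check_hostname


def inspect_context(ctx: ssl.SSLContext) -> VerificationStatus:
    """Summarise the verification settings of an existing SSLContext."""
    return VerificationStatus(
        python_version=sys.version.split()[0],
        verify_mode=ssl.VerifyMode(ctx.verify_mode).name,
        check_hostname=bool(ctx.check_hostname),
    )


def default_https_status() -> VerificationStatus:
    """Inspect the context http.client/urllib build when none is passed in.

    Assumption: CPython exposes that factory as the private name
    ssl._create_default_https_context (PEP 476); a distro patch or an
    environment override may point it at an unverified context, which is
    exactly what this check is meant to reveal."""
    factory = getattr(ssl, "_create_default_https_context", None)
    if factory is None:  # pre-PEP-476 interpreter: nothing is verified
        return VerificationStatus(sys.version.split()[0], "CERT_NONE", False)
    return inspect_context(factory())


def legacy_unverified_status() -> VerificationStatus:
    """What the pre-PEP-476 default looked like: CA and hostname unchecked."""
    return inspect_context(ssl._create_unverified_context())


def hardened_context() -> ssl.SSLContext:
    """Explicit verifying context for urlopen(url, context=...), so the
    application does not depend on whatever the interpreter defaults to."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

Running `default_https_status()` under each distro-shipped interpreter shows whether `urlopen()` without an explicit context would verify the server; `hardened_context()` is the per-application fix that does not rely on that default.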
Fedora Security Team Report - 2016-08-25
by Major Hayden
  __          _
 / _| ___  __| | ___  _ __ __ _
| |_ / _ \/ _` |/ _ \| '__/ _` |  Fedora Security Team Report
|  _|  __/ (_| | (_) | | | (_| |  Report date: 2016-08-25 08:46:07.499116
|_|  \___|\__,_|\___/|_|  \__,_|  Data from: 2016-08-25
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority    | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium      |     601 |    39 |     562 |
| low         |     199 |    13 |     186 |
| high        |      93 |    21 |      72 |
| unspecified |       3 |     2 |       1 |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status   | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW      |     810 |    65 |     745 |
| ON_QA    |      53 |     7 |      46 |
| ASSIGNED |      23 |     3 |      20 |
| MODIFIED |      10 |     0 |      10 |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium   |     601 |    39 |     562 |
| low      |     199 |    13 |     186 |
| high     |      96 |    23 |      73 |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component     | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| mingw-libxml2 |      17 |     0 |      17 |
| ImageMagick   |      16 |     0 |      16 |
| qemu          |      15 |     4 |      11 |
| bugzilla      |      13 |     1 |      12 |
| kernel        |      12 |     0 |      12 |
| imlib2        |      12 |     0 |      12 |
| mingw-jasper  |      12 |     0 |      12 |
| mingw-libtiff |      11 |     0 |      11 |
| libxml2       |      10 |     0 |      10 |
| glib2         |      10 |     0 |      10 |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6            |     300 |    37 |     263 |
| 23             |     246 |    12 |     234 |
| 24             |     142 |     0 |     142 |
| el5            |     108 |    22 |      86 |
| epel7          |      94 |     3 |      91 |
| rawhide        |       5 |     1 |       4 |
| 25             |       1 |     0 |       1 |
+----------------+---------+-------+---------+
--
Major Hayden
Self Introduction: Yigit Cakar
by yigit cakar
Hi there,
I am Yigit (FAS: yigitcakar, IRC: ycakar)
My main interests lie in the realm of development and machine learning,
especially natural language generation. I have always been interested in
security as a layman, and I have been thinking about branching out to
infosec.
I am almost a complete newbie when it comes to OS security, but I am a
willing student and I'd like to assist the team however I can.
I am reading the RHEL 7 security guide and will move on to other items in the
training section of security team apprenticeship wiki.
Any advice is greatly appreciated.
Best Regards,
Yigit
fingerprint: 3444 99F4 7F0B DF9F D22D C6FF D0D8 D5C6 BF2C 7C4E
Introduction
by Daniel Reyes
Hello my name is Daniel, my FAS ID is prngseed.
I am very interested in the field of security, recently with a lot of
interest in crypto protocols and code audit. I have a career as Linux
administrator and a master's degree focused on infrastructure security.
I want to join the fedora project and in specific in the security team
because I like the Fedora approach, implementing new things, and
leading the linux ecosystem in terms of technology.
Regards
Introduction
by Tiago M. Vieira
Hi
My name is Tiago (FAS: tiagovieira, IRC: tmoreira). I would like to join
the Fedora Security Team. I don't have professional experience with a
security job title, despite all the side work in the past years doing a lot
on securing servers and services, identity management for small and
medium companies, risk analysis and assisting developers on writing
secure code (making all efforts to avoid the OWASP top 10).
I applied for the infra team as well; I wanted to get involved with
the Fedora infrastructure and services, and to get focused on security
as I learn more about all the services Fedora offers.
My interests are: security awareness, risk analysis, cloud security,
identity management and security development practices.
I've got a PG diploma in software and systems security from Univ. of
Oxford (UK), RHCSA and RHCE certification and currently I work at
Red Hat.
My GPG fingerprint is below (signature) and my public key is attached.
Hopefully I would be of assistance to the sec team on providing the
utmost secure environment to Fedora.
I will participate in the meeting tomorrow (Aug 18th) and I'm looking
forward to participating in the apprenticeship.
Thanks!
--
Tiago M. Vieira, RHCE
fingerprint = 2525 D9C5 A152 54C0 575F 102E 2CB8 A45A E245 073D
FST Meeting Time
by Eric Christensen
I don't think we've held a meeting where everyone has been able to make
it in a LONG time. Let's do this one more time...
http://whenisgood.net/p7r9kte
Please include your FAS name/IRC name with your real name so I know who
is answering the survey.
Thanks,
Eric
Updates to the wiki
by Eric Christensen
I've made a few changes to the organization of our wiki pages and I'm
hoping the reorganization of this information will make it easier to
find information.
First, I moved the main page to a category page[0]. This has the
benefit of reducing the clicks necessary when navigating through
categories. This also allows quick access to our other pages as all
pages that fall under the category of "Security Team" will show up at
the bottom of the page.
Next, I moved our work flow from the main page to its own page[1] and
added more categories for work flow. These are areas that I want to
continue to develop so we'll work on that more in the future.
Last, I created a page that shows all our tasks[2], broken down by
mission. For established members this will be the go-to page for
finding things to work on.
If anyone sees a way to further improve these pages please do it[3]!
Thanks,
Eric
[0] https://fedoraproject.org/wiki/Category:Security_Team
[1] https://fedoraproject.org/wiki/Security_Team_Work_Flow
[2] https://fedoraproject.org/wiki/Security_Team_Tasks
[3] It's a wiki, BE BOLD!