In another arena I saw a list of CVEs against Apache 1.3.7. RH73 ships
with Apache 1.3.7-9 so I thought I would query BZ and see what I could
find of these. (I am a BZ newbie when it comes to queries).
CVE-2002-1233 Apache HTTP Server htpasswd and htdigest Multiple
CVE-2004-0748, CVE-2004-0751 Apache HTTP Server mod_ssl Denial of Service
CVE-2003-0083, CVE-2003-0020 Linux/Unix: Apache Escape Sequence
CVE-2003-0993 Apache mod_access Security Bypass
CVE-2004-0700 Apache mod_ssl Format String Vulnerability
Unfortunately I couldn't find any of those in the Comments under Apache
for Fedora Legacy Redhat 7.3. I can't believe that all of those
aren't addressed, so lack of query results suggests to me that I am
missing something. Some of those CVE/CANs are several years old, but
wouldn't they still be in BZ comments somewhere?
Best practice question:
Assuming a security issue in package foo which is shipped and vulnerable
in many distro versions, do people find it better to file one
copy-pasted bug report per distro version or a "combined" one for all
which lists the affected distro versions?
The one-for-all approach would have the benefit of easier copy-pasting
between audit/* files and probably more accurate Bugzilla references in
maintainer %changelog entries as the same specfile is used for all
distro versions in the vast majority of cases. It could make things
slightly harder to track, e.g. in Bugzilla queries and such.
The maintainer of perl-Net-SSLeay, Jose Pedro Oliveira
<jpo(a)lsd.di.uminho.pt> just contacted me about the procedure for
getting a security review; it seems the version in FC3 and FC4 has a
vulnerability but he would like some additional review of the
backport. I asked him to contact this list, but I'm not sure it's
open to nonmembers.
In case you didn't see, there was a post by Thorsten Leemhuis to the
fedora-extras list regarding the creation of a Fedora Extras security
response team. The message can be seen here:
Here are the people I know have an interest in helping out with the
security response team:
Hans de Goede
Jason L Tibbitts III
Michael J Knox
If you're interested, feel free to chime in.
Right now I have a pretty good idea of what's needed to get this project
off the ground. We have a mailing list (which would be step one).
I need to fix up some CVS space for things like tools and tracking text
files. This repository is here:
We will need a package manifest. Basically a file that tells us which
packages and versions we're currently shipping in extras. A tool to
generate this will also be needed since we'll want to update this file on a
regular basis. Given how fast Extras changes I think this will be the
easiest way to check if we currently ship package <foo>.
An errata template is needed. I'm thinking we should copy the current
Fedora Core template for now. We can mangle it as we see fit at a later
Process needs to be documented on the fedoraproject wiki. Since we don't
currently have a process, this is the only thing done :)
The most important part of this will be making it easy to specify what we
expect of ourselves. I hope to have some time this weekend to clean up the
security wiki pages a bit.
I think this is enough for now. Questions, Comments?
We're now approved by the FESCO board.
So a few things we need to do, setup wiki space for the security
response group/team/whatever, include in there policy about what we're
doing. Then link to this policy from the Extras main page where
Step 3, profit!
Release Engineer: Fedora
Are security issues that don't have a CVE number tracked somewhere?
Some issues may not have it by the time they're disclosed and I guess
there are ones that for whatever reason don't have and aren't going to
get one. If they're tracked in the usual audit/* files, what's the
preferred format for them?
By the way, if more help is needed, feel free to add me (scop) rights to
commit to the fe files.
Does anyone have any notes for dealing with the CVE lists? I know the
main access page is http://www.cve.mitre.org/cve/, but all you can do
is download the whole list or do a text search. (And the whole list
in plain text is 15MB.) I see that someone at Purdue offers change
lists, but the format is not terribly useful (just the numbers of the
Are there any tools that can extract useful summaries of this data
that we could use? Even number and summary would be helpful.
For example, I know there's a recent clamav vulnerability that affects
Extras. Now, I can search to find out that it's CVE-2006-1989. I
know Enrico pushed 0.88.2 on May 2 so we're not vulnerable.
But, how would I have seen the CVE without knowing it existed? Click
on every link in the daily changelogs and manually read the
description? There has to be a more efficient way.
BTW, what would be the format of the line to add to the fe4 and fe5
files for this?
CVE-2006-1989 version (clamav, fixed 0.88.2)
(no bug number, no announcement obviously)
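The audit/* line format shown above ("CVE-2006-1989 version (clamav, fixed 0.88.2)") and the package manifest Josh asked for earlier in the thread fit together naturally: a script that parses the audit lines, looks up each package in the manifest, and compares shipped versus fixed version. The following is an added example, not tooling from the Fedora Extras security team; it assumes the manifest is a plain "name version" text listing (the thread does not fix its format), handles only the "version (pkg, fixed X)" line shape, and uses a simplified reimplementation of rpm's version comparison rather than calling rpm itself. The sample audit and manifest text are constructed.

```python
"""Cross-check audit/* style lines against a package manifest.

Added example, not the Fedora Extras security team's own tooling.
Assumptions (not specified by the thread):
  - audit lines look like:  CVE-2006-1989 version (clamav, fixed 0.88.2)
  - the manifest is "name version", one package per line, '#' comments
  - version ordering follows rpm's rules; rpmvercmp() below is a
    simplified reimplementation of rpm's algorithm (no tilde/caret)
"""
import re

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")
_AUDIT = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s+version\s+"
    r"\((?P<pkg>[^,\s]+),\s*fixed\s+(?P<fixed>[^)\s]+)\)"
)


def rpmvercmp(a, b):
    """Return 1 if a is newer than b, -1 if older, 0 if equal.

    Like rpm: split into numeric/alpha segments, compare numeric
    segments as numbers, alpha segments as strings, numeric beats
    alpha at the same position, and leftover segments win.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
            if x != y:
                return 1 if x > y else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_audit_line(line):
    """Return (cve, package, fixed_version) or None for other lines."""
    m = _AUDIT.match(line.strip())
    if not m:
        return None
    return m.group("cve"), m.group("pkg"), m.group("fixed")


def parse_manifest(text):
    """Parse the assumed 'name version' manifest into a dict."""
    pkgs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split()[:2]
        pkgs[name] = version
    return pkgs


def check_audit(audit_text, manifest):
    """Yield (cve, pkg, shipped, fixed, status) for each parsable line."""
    results = []
    for line in audit_text.splitlines():
        parsed = parse_audit_line(line)
        if parsed is None:
            continue  # comments, blank lines, other entry styles
        cve, pkg, fixed = parsed
        shipped = manifest.get(pkg)
        if shipped is None:
            status = "not shipped"
        elif rpmvercmp(shipped, fixed) >= 0:
            status = "fixed"
        else:
            status = "VULNERABLE"
        results.append((cve, pkg, shipped, fixed, status))
    return results


# Constructed sample input: one audit line in the thread's format and a
# manifest in the assumed format.
AUDIT_TEXT = """\
# constructed sample audit file
CVE-2006-1989 version (clamav, fixed 0.88.2)
"""

MANIFEST_TEXT = """\
# constructed sample manifest: name version
clamav 0.88.2
"""

if __name__ == "__main__":
    for row in check_audit(AUDIT_TEXT, parse_manifest(MANIFEST_TEXT)):
        print("%s %s shipped=%s fixed=%s -> %s" % row)
```

Running it against the sample manifest reports clamav as fixed; point it at a manifest with 0.88.1 and the same line comes back VULNERABLE, and a package absent from the manifest is reported as not shipped rather than silently skipped, which is the case the "do we currently ship package foo" question is really about.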
This may sound silly, but I am trying to figure out if I am on the correct list. I want to keep up with any security notices and patch releases for Fedora (FC4 in particular). Have I subscribed to the right list? Lately, there seems to be a lot of talk about extras. This isn't a flame, I'm just seeking confirmation that this is the place to be to track security issues for FC.