Per the recent thread on fedora-devel [1], I've pushed perl-MARC-Record-1.02 [2] following upstream's security release before they had a CVE in hand.
Now upstream has a CVE (CVE-2014-1626), so if you want to create a security tracking bug and link up bodhi etc to follow the security process [3], please go ahead!
Thanks, Dan
1. https://lists.fedoraproject.org/pipermail/devel/2014-January/194225.html
2. https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc19 and https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc20
3. https://fedoraproject.org/wiki/Security_Tracking_Bugs
---------- Forwarded message ----------
From: Dan Scott denials@gmail.com
Date: Tue, Jan 21, 2014 at 5:09 PM
Subject: Re: Security update process without CVEs
To: Development discussions related to Fedora devel@lists.fedoraproject.org, Kurt Seifried kseifried@redhat.com
Eric:
On Tue, Jan 21, 2014 at 4:31 PM, Eric H. Christensen sparks@fedoraproject.org wrote:
> On Tue, Jan 21, 2014 at 04:26:19PM -0500, Dan Scott wrote:
> > I tried following https://fedoraproject.org/wiki/Security_Tracking_Bugs?rd=Security/TrackingBu... but it appears to depend on waiting on a CVE, which upstream did not yet have... but upstream had already pushed the new release to CPAN.
> You may be able to request the CVE yourself. I'm trying to contact the guy that handles those things for FOSS but a netsplit is keeping me from talking to him at the moment.
Thanks; upstream had already submitted the request for a CVE. They just hadn't received it yet.
Hi Dan!
On Wed, 22 Jan 2014 09:30:09 -0500 Dan Scott wrote:
> Per the recent thread on fedora-devel [1], I've pushed perl-MARC-Record-1.02 [2] following upstream's security release before they had a CVE in hand.
It is not that uncommon to see an update pushed to stable without having a CVE assigned. In cases such as yours, when a maintainer immediately acts after seeing the upstream announcement and builds Fedora updates, the update may reach stable before a CVE is assigned.
> Now upstream has a CVE (CVE-2014-1626), so if you want to create a security tracking bug and link up bodhi etc to follow the security process [3], please go ahead!
In another mail sent to the list a few minutes ago, I briefly explained how security issue reporting works in Fedora. If we see that a Fedora update fixing some issue is already built and pushed to, or on the way to, the stable repositories, we may skip creating bugs for the issue if no other product is affected. We may fail to spot an update that is built but not yet in stable, so you may see a tracker created.
As for updating the Bodhi request, we may not be able to do that. Bodhi checks the commit ACL for the package and uses that to determine if someone can create or update an update request for the component. In practice, that implies that folks who are not in the proven_packager group cannot change your update request. E.g. if I try to edit your requests for perl-MARC-XML only to mention the CVE in the update description, Bodhi refuses to save my edits because I'm not on the package commit ACL.
Feel free to update descriptions of those update requests to include the CVE. That may help users and sites that aggregate info on security updates.