I just reported a security bug for ClamAV in extras
It came to me from Bugtraq; while I know it's not the be-all and end-all of finding issues, it's a place to start.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188286
On Fri, 7 Apr 2006, Dennis Gilmore wrote:
I just reported a security bug for ClamAV in extras
It came to me from Bugtraq; while I know it's not the be-all and end-all of finding issues, it's a place to start.
One thought - it might be best in cases like that to file a separate bug for each CVE. I'd think it'll simplify verifying that all CVEs are covered later, and it also accommodates better for having to backport separate patches to fix each CVE if the decision is not to upgrade....
later, chris
On Fri, 7 Apr 2006, Jason L Tibbitts III wrote:
"DG" == Dennis Gilmore dennis@ausil.us writes:
DG> I just reported a security bug for ClamAV in extras
0.88.1 was checked in and built yesterday (for devel, FC-5 and FC-4, at least).
Just for those three, which raises the issue of a handoff to Legacy for FC-3, etc
later, chris
On Friday 07 April 2006 12:22, Chris Ricker wrote:
On Fri, 7 Apr 2006, Jason L Tibbitts III wrote:
> "DG" == Dennis Gilmore dennis@ausil.us writes:
DG> I just reported a security bug for ClamAV in extras
0.88.1 was checked in and built yesterday (for devel, FC-5 and FC-4, at least).
Just for those three, which raises the issue of a handoff to Legacy for FC-3, etc
Legacy has stated that they will not support extras as they don't have the resources needed for the extra workload. Extras needs to support extras until such time as Legacy drops support.
When a core release goes into maintenance mode, extras should also, which would mean major bugs and security fixes only.
The SIG is too small right now to look after all of extras, so the maintainers should be strongly encouraged to do it, with support from the security SIG. I have requested that FC-3 also be built.
On Friday, April 07, 2006 12:33 PM -0500 Dennis Gilmore dennis@ausil.us wrote:
The SIG is too small right now to look after all of extras, so the maintainers should be strongly encouraged to do it, with support from the security SIG. I have requested that FC-3 also be built.
FYI, 88.1 from FC5 Extras builds fine on FC2, and I'll be updating my installation later today. I did find that Extras/Development still has the older 88 package, so apparently 88.1 didn't go through Development first. (I've got the SRPM directories for Core/Development and Extras/Development bookmarked and draw from there for my more important FC2 updates.)
"KP" == Kenneth Porter shiva@sewingwitch.com writes:
KP> I did find that Extras/Development still has the older 88 package,
KP> so apparently 88.1 didn't go through Development first.
It's in CVS; it seems Enrico didn't send a build request.
KP> (I've got the SRPM directories for Core/Development and
KP> Extras/Development bookmarked and draw from there for my more
KP> important FC2 updates.)
I find it easier to work from CVS; just checkout and type "make i386" to have packages dropped in the current directory.
- J<
On Friday, April 07, 2006 7:23 PM -0500 Jason L Tibbitts III tibbs@math.uh.edu wrote:
I find it easier to work from CVS; just checkout and type "make i386" to have packages dropped in the current directory.
Good to know. Might be a good thing to stuff in the wiki somewhere.
On Friday 07 April 2006 12:17, Jason L Tibbitts III wrote:
"DG" == Dennis Gilmore dennis@ausil.us writes:
DG> I just reported a security bug for ClamAV in extras
0.88.1 was checked in and built yesterday (for devel, FC-5 and FC-4, at least).
- J<
Somehow I don't have the commits emails; it's not released yet. This is a package that is widely used and could do with having an email sent to fedora-announce when it's pushed.
"DG" == Dennis Gilmore dennis@ausil.us writes:
DG> Somehow I don't have the commits emails; it's not released yet.
It's been built and awaiting signature for 23 hours now.
Every time something like this comes up a pile of issues reveal themselves: emergency sign&push, procedures for maintainers to drop old releases, where to send announcements. We made plenty of proposals but of course nothing happened.
- J<
On Fri, 2006-04-07 at 12:34 -0500, Jason L Tibbitts III wrote:
"DG" == Dennis Gilmore dennis@ausil.us writes:
DG> Somehow I don't have the commits emails; it's not released yet.
It's been built and awaiting signature for 23 hours now.
FE commit mails were broken, but appear to work again now.
emergency sign&push
Mail to extras-signers at fedoraproject.org is delivered to folks who can do that for Extras. I'll take care of this push in a jiffy.
security@lists.fedoraproject.org