3:34 a.m.
Hiyas,
pam_mount just released an update that fixes a security vulnerability:
https://sourceforge.net/project/shownotes.php?release_id=624240
are there some special procedures to get security updates out currently or do
the users have to wait until the transisition to the new signing key is
completed?
Regards,
Till
3:41 a.m.
Till Maas wrote:
Hiyas,
pam_mount just released an update that fixes a security vulnerability:
https://sourceforge.net/project/shownotes.php?release_id=624240
are there some special procedures to get security updates out currently or do
the users have to wait until the transisition to the new signing key is
completed?
There is no special procedure in place now. Letting the rel-eng team
know can't hurt however.
Rahul
3:55 p.m.
On Fri September 5 2008, Till Maas wrote:
pam_mount just released an update that fixes a security
vulnerability:
https://sourceforge.net/project/shownotes.php?release_id=624240
Will someone create the needed tracking bugs[1] for this and maybe request /
assign a CVE number?
Regards,
Till
[1] https://fedoraproject.org/wiki/Security/TrackingBugs
5:42 p.m.
On Fri September 5 2008, Till Maas wrote:
On Fri September 5 2008, Till Maas wrote:
> pam_mount just released an update that fixes a security vulnerability:
> https://sourceforge.net/project/shownotes.php?release_id=624240
Will someone create the needed tracking bugs[1] for this and maybe request
/ assign a CVE number?
FYI: I asked via e-mail: upstream did not request a CVE number.
Regards,
Till
7:42 p.m.
New subject: CVE request: pam_mount: conf: re-add luserconf security checks
Till Maas wrote:
On Fri September 5 2008, Till Maas wrote:
> pam_mount just released an update that fixes a security vulnerability:
> https://sourceforge.net/project/shownotes.php?release_id=624240
Will someone create the needed tracking bugs[1] for this and maybe request /
assign a CVE number?
This email was posted in fedora-security-list@rc.
v0.47 (September 04 2008)
=========================
This release incorporates a security fix (item 3 on the list).
All administrators who have enabled <luserconf> in the configuration
file should upgrade. A workaround is to comment out <luserconf>.
- mount.crypt: add missing null command to conform to sh syntax
(SF bug #2089446)
- conf: fix printing of strings when luser volume options were not ok
- conf: re-add luserconf security checks
[...]
https://sourceforge.net/project/shownotes.php?release_id=624240
http://dev.medozas.de/gitweb.cgi?p=pam_mount;a=commitdiff;h=33b91d7659ae3...
Thanks, Eugene
--
Eugene Teo / Red Hat Security Response Team
5:23 a.m.
Hi Till!
On Fri, 05 Sep 2008 22:55:26 +0200 Till Maas <opensource(a)till.name>
wrote:
On Fri September 5 2008, Till Maas wrote:
> pam_mount just released an update that fixes a security
> vulnerability:
> https://sourceforge.net/project/shownotes.php?release_id=624240
Will someone create the needed tracking bugs[1] for this and maybe
request / assign a CVE number?
I have created 'Security Response' bug for the issue, that can be used
to record further details about the flaw, as well as CVE id once it's
assigned.
I do not see any point in creating tracking bugs once updates are
already submitted in Bodhi. That tracking bugs process was developed
to be similar to process used internally by Red Hat for Red Hat
Enterprise Linux, and it is not applied to Fedora when it makes little
sense. In Fedora, you do not need per-version approved tracking bug to
do the update, and tracking bugs are sometimes viewed as too much
extraneous overhead for those not used to them (which is more than
understandable).
I also did some minor changes to your update requests. One thing that
remains quite unclear with them is why libHX update is included in the
same update request.
Thank you!
--
Tomas Hoger / Red Hat Security Response Team
8:26 a.m.
On Monday 08 September 2008 12:23:40 Tomas Hoger wrote:
I also did some minor changes to your update requests. One thing
that
remains quite unclear with them is why libHX update is included in the
same update request.
The libHX update is included there, because the pam_mount update needs the
newer libHX library. Afaik both packages need to be in one update to make
sure they are both synced to the server at the same time. LibHX is afaik only
used by the upstream maintainer for his various projects. The changelog is
also intended, because there was no 0.42 release of pam_mount afaik.
Regards,
Till
9:19 a.m.
On Mon, 8 Sep 2008 15:26:03 +0200 Till Maas <opensource(a)till.name>
wrote:
On Monday 08 September 2008 12:23:40 Tomas Hoger wrote:
> I also did some minor changes to your update requests. One thing
> that remains quite unclear with them is why libHX update is
> included in the same update request.
The libHX update is included there, because the pam_mount update
needs the newer libHX library. Afaik both packages need to be in one
update to make sure they are both synced to the server at the same
time. LibHX is afaik only used by the upstream maintainer for his
various projects.
Sure, that's understandable. I just prefer to have that explicit in
the update notes, so I added it there.
Thanks!
--
Tomas Hoger / Red Hat Security Response Team
5708
days inactive
5711
days old
security@lists.fedoraproject.org
7 comments
4 participants
participants (4)
-
Eugene Teo -
Rahul Sundaram -
Till Maas -
Tomas Hoger