Hiyas,
pam_mount just released an update that fixes a security vulnerability: https://sourceforge.net/project/shownotes.php?release_id=624240
Are there some special procedures to get security updates out currently or do the users have to wait until the transition to the new signing key is completed?
Regards, Till
Till Maas wrote:
Hiyas,
pam_mount just released an update that fixes a security vulnerability: https://sourceforge.net/project/shownotes.php?release_id=624240
Are there some special procedures to get security updates out currently or do the users have to wait until the transition to the new signing key is completed?
There is no special procedure in place now. Letting the rel-eng team know can't hurt however.
Rahul
On Fri September 5 2008, Till Maas wrote:
pam_mount just released an update that fixes a security vulnerability: https://sourceforge.net/project/shownotes.php?release_id=624240
Will someone create the needed tracking bugs[1] for this and maybe request / assign a CVE number?
Regards, Till
On Fri September 5 2008, Till Maas wrote:
On Fri September 5 2008, Till Maas wrote:
pam_mount just released an update that fixes a security vulnerability: https://sourceforge.net/project/shownotes.php?release_id=624240
Will someone create the needed tracking bugs[1] for this and maybe request / assign a CVE number?
FYI: I asked via e-mail: upstream did not request a CVE number.
Regards, Till
Till Maas wrote:
On Fri September 5 2008, Till Maas wrote:
pam_mount just released an update that fixes a security vulnerability: https://sourceforge.net/project/shownotes.php?release_id=624240
Will someone create the needed tracking bugs[1] for this and maybe request / assign a CVE number?
This email was posted in fedora-security-list@rc.
v0.47 (September 04 2008)
=========================
This release incorporates a security fix (item 3 on the list). All administrators who have enabled <luserconf> in the configuration file should upgrade. A workaround is to comment out <luserconf>.

- mount.crypt: add missing null command to conform to sh syntax (SF bug #2089446)
- conf: fix printing of strings when luser volume options were not ok
- conf: re-add luserconf security checks
[...]

https://sourceforge.net/project/shownotes.php?release_id=624240
http://dev.medozas.de/gitweb.cgi?p=pam_mount;a=commitdiff;h=33b91d7659ae3aa7...
Thanks, Eugene
Hi Till!
On Fri, 05 Sep 2008 22:55:26 +0200 Till Maas opensource@till.name wrote:
On Fri September 5 2008, Till Maas wrote:
pam_mount just released an update that fixes a security vulnerability: https://sourceforge.net/project/shownotes.php?release_id=624240
Will someone create the needed tracking bugs[1] for this and maybe request / assign a CVE number?
I have created 'Security Response' bug for the issue, that can be used to record further details about the flaw, as well as CVE id once it's assigned.
I do not see any point in creating tracking bugs once updates are already submitted in Bodhi. That tracking bugs process was developed to be similar to process used internally by Red Hat for Red Hat Enterprise Linux, and it is not applied to Fedora when it makes little sense. In Fedora, you do not need per-version approved tracking bug to do the update, and tracking bugs are sometimes viewed as too much extraneous overhead for those not used to them (which is more than understandable).
I also did some minor changes to your update requests. One thing that remains quite unclear with them is why libHX update is included in the same update request.
Thank you!
On Monday 08 September 2008 12:23:40 Tomas Hoger wrote:
I also did some minor changes to your update requests. One thing that remains quite unclear with them is why libHX update is included in the same update request.
The libHX update is included there, because the pam_mount update needs the newer libHX library. Afaik both packages need to be in one update to make sure they are both synced to the server at the same time. LibHX is afaik only used by the upstream maintainer for his various projects. The changelog is also intended, because there was no 0.42 release of pam_mount afaik.
Regards, Till
On Mon, 8 Sep 2008 15:26:03 +0200 Till Maas opensource@till.name wrote:
On Monday 08 September 2008 12:23:40 Tomas Hoger wrote:
I also did some minor changes to your update requests. One thing that remains quite unclear with them is why libHX update is included in the same update request.
The libHX update is included there, because the pam_mount update needs the newer libHX library. Afaik both packages need to be in one update to make sure they are both synced to the server at the same time. LibHX is afaik only used by the upstream maintainer for his various projects.
Sure, that's understandable. I just prefer to have that explicit in the update notes, so I added it there.
Thanks!