Fedora 7 and the Security Response Team

Kevin Fenzi kevin at tummy.com
Tue Jun 12 03:04:40 UTC 2007


On Mon, 11 Jun 2007 13:24:34 -0400
Josh Bressers <bressers at redhat.com> wrote:

...snip...

> Ideally, yes.  I however don't want people to duplicate work.  I
> suspect the easiest way is going to be for someone to just mark a
> block of ids as what they're working on.  Something like
> 
> **** bressers ****
> CVE blah blah blah
> ... ===> Lots of CVE ids here
> CVE blah blah blah
> **** bressers ****
> 
> Check in some bits to make it known you're on it, then start wading
> through the manure.

OK. Looking at the nice big pile you checked in, I think we might be
served better by folks taking particular packages. I.e., if you are
already examining a package for one CVE, it might be easier to just
keep going on that package rather than switch to another one and have
to pull up more cvs files, bugzilla, etc.

Here's the top 10 of the ones you just checked in today:

     30 (php)
     14 (helixplayer)
     11 (tomcat)
      8 (fedoradirectoryserver)
      7 (flash-plugin)
      7 (acroread)
      6 (openoffice.org)
      6 (kernel)
      5 (xscreensaver)
      5 (wu-ftpd)

Should all the flash-plugin, acroread and wu-ftpd ones be marked
"ignore" since we don't ship them? Or removed?

Also, what level of scrutiny should we use in checking for fixes?
If a changelog lists the CVE being fixed, mark it? Should we check the
patch against upstream or other distros' fix?

> 
> Thanks.
> 

kevin
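An added example, not from this thread or the Fedora tooling: a small script that reads a tracking file in the "**** name ****" claim-block format Josh describes, produces the per-package tally Kevin posted, and flags the two things he asks about, packages claimed by more than one person (duplicated work) and CVEs against packages Fedora does not ship. The file layout, the NOT_SHIPPED set and the CVE ids (CVE-0000-nnnn placeholders) are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of a tracking file: "CVE-id (package)" lines, wrapped in
# "**** name ****" markers when someone has claimed a block. Placeholder ids.
SAMPLE = """\
**** bressers ****
CVE-0000-0001 (php)
CVE-0000-0002 (php)
CVE-0000-0003 (tomcat)
**** bressers ****
CVE-0000-0004 (flash-plugin)
CVE-0000-0005 (acroread)
**** kevin ****
CVE-0000-0006 (php)
CVE-0000-0007 (kernel)
**** kevin ****
"""

# Packages named in the thread as not shipped by Fedora (assumption for the example).
NOT_SHIPPED = {"flash-plugin", "acroread", "wu-ftpd"}

CLAIM_RE = re.compile(r"^\*{4}\s+(\S+)\s+\*{4}$")
ENTRY_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+\((\S+)\)$")

def parse_tracking(text):
    """Return (cve, package, owner) tuples; owner is None for unclaimed lines."""
    owner, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = CLAIM_RE.match(line)
        if m:  # the same marker line opens and closes a claim block
            owner = None if owner == m.group(1) else m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), owner))
    return entries

def package_counts(entries):
    """Per-package CVE counts, most affected first (the 'top 10' tally)."""
    return Counter(pkg for _, pkg, _ in entries).most_common()

def split_packages(entries):
    """Packages whose CVEs are claimed by more than one person: duplicated work."""
    holders = {}
    for _, pkg, owner in entries:
        if owner:
            holders.setdefault(pkg, set()).add(owner)
    return sorted(p for p, o in holders.items() if len(o) > 1)

def ignorable(entries):
    """CVEs against packages we do not ship, candidates for marking 'ignore'."""
    return [cve for cve, pkg, _ in entries if pkg in NOT_SHIPPED]
```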