Separate list for commits

Lubomir Kundrak lkundrak at redhat.com
Wed Sep 19 09:01:36 UTC 2007


On Tue, 2007-09-18 at 13:42 -0400, Dan Davis wrote:
> I subscribe to this list so I can get alerted to new CVE related bugs.
> While the audit files change log was hard to understand at first, I can
> now easily scan for packages my server relies on, and run yum to get new
> packages if something is fixed.
> 
> Is there a better way for me to learn about vulnerabilities?  If this is
> the preferred way, then it would be nice to keep the commit log on this
> list, so I don't have to subscribe to both.


Well, that sounds fair, but be warned that the audit files are
specifically for our tracking and don't have to be 100% reliable. Watching
the package announce list for [SECURITY] things can always be relied on,
though it will have some latency compared to this, as packagers need
time to roll updates. Anyways, knowing about the vulnerability and not
having the updated package available is not always usable.

> I'd also argue that if this is the preferred way, then a new list for
> security discussions would be a better way to change things.

So you are for separating the lists. Is the only issue the name of the
list? In that case, the CVS logs traditionally go to -commits mailing
lists. I assume it won't be much of an issue for you to subscribe to
that one and unsubscribe from this one eventually, if you're not
interested in discussions, just in raw audit data.


> 
> -----Original Message-----
> From: fedora-security-list-bounces at redhat.com
> [mailto:fedora-security-list-bounces at redhat.com] On Behalf Of
> fedora-security-list-request at redhat.com
> Sent: Tuesday, September 18, 2007 12:00 PM
> To: fedora-security-list at redhat.com
> Subject: Fedora-security-list Digest, Vol 19, Issue 15
> 
> Send Fedora-security-list mailing list submissions to
> 	fedora-security-list at redhat.com
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://www.redhat.com/mailman/listinfo/fedora-security-list
> or, via email, send a message with subject or body 'help' to
> 	fedora-security-list-request at redhat.com
> 
> You can reach the person managing the list at
> 	fedora-security-list-owner at redhat.com
> 
> When replying, please edit your Subject line so it is more specific than
> "Re: Contents of Fedora-security-list digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: Separate list for commits (Kevin Fenzi)
>    2. [Bug 243592] CVE-2007-3112, CVE-2007-3113: cacti DoS
>       vulnerabilities (bugzilla at redhat.com)
>    3. [Bug 243592] CVE-2007-3112, CVE-2007-3113: cacti DoS
>       vulnerabilities (bugzilla at redhat.com)
>    4. Re: Separate list for commits (Lubomir Kundrak)
>    5. Re: Separate list for commits (Eugene Teo)
>    6. [RFC] Tracking bugs for Fedora; managing security flaws in
>       multiple supported releases (Lubomir Kundrak)
>    7. fedora-security/audit fc6,1.260,1.261 fc7,1.108,1.109
>       (Tomas Hoger (thoger))
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Mon, 17 Sep 2007 15:22:35 -0600
> From: Kevin Fenzi <kevin at tummy.com>
> Subject: Re: Separate list for commits
> To: fedora-security-list at redhat.com
> Message-ID: <20070917152235.22da91ac at ghistelwchlohm.scrye.com>
> Keywords: Debian-sarge
> Content-Type: text/plain; charset="us-ascii"
> 
> On Mon, 17 Sep 2007 17:27:47 +0200
> Lubomir Kundrak <lkundrak at redhat.com> wrote:
> 
> > Hi all,
> > 
> > With the volume of the commit messages and bugzilla mails this list
> > became less suited for discussions. Would anyone mind creating another
> > list, say fedora-security-commits-list, where that sort of mail would
> > go?
> 
> I filter such emails into another box, so discussion shows up just fine
> here. 
> 
> Perhaps we could use mailman "Topics" support better here? 
> 
> ie, make all bugzilla and commits emails have their own topic. 
> If you just subscribe you get everything, but if you don't want
> everything you can change your topics so you don't get the things you
> don't want? 
> 
> Or for that matter, perhaps we could just get the regular commits list
> to have a security topic for people who only want security commits? 
> 
> Just a thought. 
> 
> > Regards,
> 
> kevin
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 189 bytes
> Desc: not available
> Url : https://www.redhat.com/archives/fedora-security-list/attachments/20070917/e611a15e/signature.bin
> 
> ------------------------------
> 
> Message: 2
> Date: Mon, 17 Sep 2007 23:24:43 -0400
> From: bugzilla at redhat.com
> Subject: [Bug 243592] CVE-2007-3112, CVE-2007-3113: cacti DoS
> 	vulnerabilities
> To: fedora-security-list at redhat.com
> Message-ID: <200709180324.l8I3OhYr027222 at bz-web2.app.phx.redhat.com>
> Content-Type: text/plain; charset=utf-8
> 
> Please do not reply directly to this email. All additional comments
> should be made in the comments box of this bug report.
> 
> Summary: CVE-2007-3112, CVE-2007-3113: cacti DoS vulnerabilities
> 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=243592
> 
> 
> 
> 
> 
> ------- Additional Comments From updates at fedoraproject.org  2007-09-17 23:24 EST -------
> cacti-0.8.6j-8.fc7 has been pushed to the Fedora 7 stable repository.
> If problems still persist, please make note of it in this bug report.
> 
> --
> Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug, or are watching someone who is.
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Mon, 17 Sep 2007 23:24:44 -0400
> From: bugzilla at redhat.com
> Subject: [Bug 243592] CVE-2007-3112, CVE-2007-3113: cacti DoS
> 	vulnerabilities
> To: fedora-security-list at redhat.com
> Message-ID: <200709180324.l8I3OiKS027247 at bz-web2.app.phx.redhat.com>
> Content-Type: text/plain; charset=utf-8
> 
> Please do not reply directly to this email. All additional
> comments should be made in the comments box of this bug report.
> 
> Summary: CVE-2007-3112, CVE-2007-3113: cacti DoS vulnerabilities
> 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=243592
> 
> 
> updates at fedoraproject.org changed:
> 
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>              Status|ASSIGNED                    |CLOSED
>          Resolution|                            |ERRATA
>    Fixed In Version|                            |0.8.6j-8.fc7
> 
> 
> 
> 
> -- 
> Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug, or are watching someone who is.
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Tue, 18 Sep 2007 14:49:41 +0200
> From: Lubomir Kundrak <lkundrak at redhat.com>
> Subject: Re: Separate list for commits
> To: Kevin Fenzi <kevin at tummy.com>
> Cc: fedora-security-list at redhat.com
> Message-ID: <1190119781.3341.13.camel at localhost.localdomain>
> Content-Type: text/plain
> 
> On Mon, 2007-09-17 at 15:22 -0600, Kevin Fenzi wrote:
> > On Mon, 17 Sep 2007 17:27:47 +0200
> > Lubomir Kundrak <lkundrak at redhat.com> wrote:
> > 
> > > Hi all,
> > > 
> > > With the volume of the commit messages and bugzilla mails this list
> > > became less suited for discussions. Would anyone mind creating another
> > > list, say fedora-security-commits-list, where that sort of mail would
> > > go?
> > 
> > I filter such emails into another box, so discussion shows up just
> > fine here. 
> > 
> > Perhaps we could use mailman "Topics" support better here? 
> > 
> > ie, make all bugzilla and commits emails have their own topic. 
> > If you just subscribe you get everything, but if you don't want
> > everything you can change your topics so you don't get the things you
> > don't want? 
> > 
> > Or for that matter, perhaps we could just get the regular commits list
> > to have a security topic for people who only want security commits? 
> 
> I would want to avoid topics. Most people don't know what they are. I
> find a separate list much more convenient.
> 
> -- 
> Lubomir Kundrak (Red Hat Security Response Team)
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Tue, 18 Sep 2007 22:14:15 +0800
> From: Eugene Teo <eugeneteo at kernel.sg>
> Subject: Re: Separate list for commits
> To: Lubomir Kundrak <lkundrak at redhat.com>
> Cc: fedora-security-list at redhat.com
> Message-ID: <20070918141415.GA5736 at kernel.sg>
> Content-Type: text/plain; charset=us-ascii
> 
> <quote sender="Lubomir Kundrak">
> > Hi all,
> > 
> > With the volume of the commit messages and bugzilla mails this list
> > became less suited for discussions. Would anyone mind creating another
> > list, say fedora-security-commits-list, where that sort of mail would
> > go?
> 
> It makes a lot of sense to do it this way. Generally we want to separate
> this noise from the actual discussion. It also makes searching for
> mails in the archive easier.
> 
> Eugene
> 
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Tue, 18 Sep 2007 16:40:22 +0200
> From: Lubomir Kundrak <lkundrak at redhat.com>
> Subject: [RFC] Tracking bugs for Fedora; managing security flaws in
> 	multiple supported releases
> To: fedora-security-list at redhat.com
> Message-ID: <1190126422.3341.25.camel at localhost.localdomain>
> Content-Type: text/plain
> 
> Aim: To have a flexible way to deal with flaws affecting multiple
> packages in multiple versions of multiple products.
> 
> http://fedoraproject.org/wiki/LubomirKundrak/TrackingBugsDraft
> 
> This should grow into documentation on dealing with security flaws for
> both package maintainers and SRT members.
> 
> -- 
> Lubomir Kundrak (Security Response Team)
> Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
> Registered in Brno under #CZ27690016
> 
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Tue, 18 Sep 2007 11:43:25 -0400
> From: "Tomas Hoger" (thoger) <fedora-extras-commits at redhat.com>
> Subject: fedora-security/audit fc6,1.260,1.261 fc7,1.108,1.109
> To: fedora-extras-commits at redhat.com
> Message-ID: <200709181543.l8IFhPZr023894 at cvs-int.fedora.redhat.com>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> Author: thoger
> 
> Update of /cvs/fedora/fedora-security/audit
> In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23869/audit
> 
> Modified Files:
> 	fc6 fc7 
> Log Message:
> Vulnerable rpc code also part of nfs-utils-lib and libtirpc.
> 
> 
> 
> Index: fc6
> ===================================================================
> RCS file: /cvs/fedora/fedora-security/audit/fc6,v
> retrieving revision 1.260
> retrieving revision 1.261
> diff -u -r1.260 -r1.261
> --- fc6	17 Sep 2007 15:42:28 -0000	1.260
> +++ fc6	18 Sep 2007 15:43:23 -0000	1.261
> @@ -36,6 +36,8 @@
>  CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614]
>  CVE-2007-4000 backport (krb5) [since FEDORA-2007-690]
>  CVE-2007-3999 backport (krb5) [since FEDORA-2007-690]
> +CVE-2007-3999 VULNERABLE (nfs-utils-lib) #294911
> +CVE-2007-3999 VULNERABLE (libtirpc) #294931
>  CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on
> Linux
>  CVE-2007-3961 ignore (gftp) off-by-one error in fsplib
>  CVE-2007-3852 backport (sysstat) #252296 [since FEDORA-2007-675]
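Review bot: the two added VULNERABLE lines carry bug ids (#294911 for nfs-utils-lib, #294931 for libtirpc) that the log message "Vulnerable rpc code also part of nfs-utils-lib and libtirpc." never cites; since these commit mails are exactly what list members scan for packages they run, repeat the bug ids in the log message and say that the issue is the same one tracked two lines above as `CVE-2007-3999 backport (krb5) [since FEDORA-2007-690]`, so the mail is actionable without opening the file.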
> 
> 
> Index: fc7
> ===================================================================
> RCS file: /cvs/fedora/fedora-security/audit/fc7,v
> retrieving revision 1.108
> retrieving revision 1.109
> diff -u -r1.108 -r1.109
> --- fc7	17 Sep 2007 15:42:28 -0000	1.108
> +++ fc7	18 Sep 2007 15:43:23 -0000	1.109
> @@ -74,6 +74,8 @@
>  CVE-2007-4029 backport (libvorbis) #245991 [since FEDORA-2007-1765]
>  CVE-2007-4000 backport (krb5) [since FEDORA-2007-2017]
>  CVE-2007-3999 backport (krb5) [since FEDORA-2007-2017]
> +CVE-2007-3999 VULNERABLE (nfs-utils-lib) #294901
> +CVE-2007-3999 VULNERABLE (libtirpc) #294921
>  CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on
> Linux
>  CVE-2007-3961 ignore (gftp) off-by-one error in fsplib
>  CVE-2007-3852 backport (sysstat) #252295 [since FEDORA-2007-1697]
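Review bot: the fc7 entries use different bug ids (#294901, #294921) from the fc6 ones, which is the expected per-release tracking pattern, but the hunk gives no `[since FEDORA-...]` marker because no update exists yet; once the nfs-utils-lib and libtirpc updates are pushed these lines need to move to the `backport (pkg) #bug [since FEDORA-...]` form of the neighbouring krb5 and sysstat entries, otherwise a reader filtering on VULNERABLE keeps getting a stale alert.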
> 
-- 
Lubomir Kundrak (Red Hat Security Response Team)
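Dan's use of the audit files (scanning the entries for packages his server relies on) and Lubomir's caveat that they are tracking data rather than a guarantee of an available update can be turned into a small check. The following is an added example, not code from this list or from Fedora's own tooling. The line format it parses (CVE id, status word, package in parentheses, an optional `#bug` id, optional free text, and an optional `[since UPDATE-ID]` marker) is inferred from the fc6/fc7 entries quoted in the digest above, which is an assumption on my part, and the sample lines are copied from those entries. It goes slightly beyond the thread by sorting entries into "fixed" (an update id is recorded, so a package update will pick it up), "open" (status VULNERABLE, no fix recorded yet), "ignored" (the tracker decided the issue does not apply) and "pending" (a status is recorded but no update id yet).

```python
"""Parse fedora-security/audit entries and triage them against a list of
installed packages.  Line format (inferred from the fc6/fc7 entries in the
quoted digest, an assumption rather than a documented spec):

    CVE-ID  status  (package)  [#bugzilla-id]  [free text]  [[since UPDATE-ID]]
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

LINE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(\S+)\s+\(([^)]+)\)\s*(.*)$")
BUG_RE = re.compile(r"#(\d+)")
SINCE_RE = re.compile(r"\[since ([^\]]+)\]")

# Constructed sample: the lines visible in the fc6 hunk of the quoted digest.
SAMPLE_AUDIT = """\
CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614]
CVE-2007-4000 backport (krb5) [since FEDORA-2007-690]
CVE-2007-3999 backport (krb5) [since FEDORA-2007-690]
CVE-2007-3999 VULNERABLE (nfs-utils-lib) #294911
CVE-2007-3999 VULNERABLE (libtirpc) #294931
CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux
CVE-2007-3961 ignore (gftp) off-by-one error in fsplib
CVE-2007-3852 backport (sysstat) #252296 [since FEDORA-2007-675]
"""


@dataclass(frozen=True)
class AuditEntry:
    cve: str
    status: str            # "backport", "VULNERABLE", "ignore", a version, ...
    package: str
    bug: Optional[str]     # bugzilla id without the '#', if present
    since: Optional[str]   # update id the fix shipped in, if present
    note: str              # remaining free text on the line

    @property
    def still_vulnerable(self) -> bool:
        """True when the audit file records the package as affected."""
        return self.status == "VULNERABLE"

    @property
    def fix_shipped(self) -> bool:
        """True when an update id is recorded, i.e. a fixed package was pushed."""
        return self.since is not None


def parse_audit(text: str) -> List[AuditEntry]:
    """Parse audit lines; lines that do not match the format are skipped
    (a real tool should log them so format drift is noticed, not hidden)."""
    entries: List[AuditEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        cve, status, package, rest = m.groups()
        bug = BUG_RE.search(rest)
        since = SINCE_RE.search(rest)
        note = SINCE_RE.sub("", BUG_RE.sub("", rest)).strip()
        entries.append(AuditEntry(cve, status, package,
                                  bug.group(1) if bug else None,
                                  since.group(1) if since else None,
                                  note))
    return entries


def triage(entries: Iterable[AuditEntry],
           installed: Iterable[str]) -> Dict[str, List[AuditEntry]]:
    """Bucket the entries for packages we actually run.  Only 'fixed' means a
    package update exists; 'open' is a reason to watch the announce list."""
    wanted = set(installed)
    result: Dict[str, List[AuditEntry]] = {
        "fixed": [], "open": [], "ignored": [], "pending": []}
    for e in entries:
        if e.package not in wanted:
            continue
        if e.still_vulnerable:
            result["open"].append(e)
        elif e.status == "ignore":
            result["ignored"].append(e)
        elif e.fix_shipped:
            result["fixed"].append(e)
        else:
            result["pending"].append(e)
    return result


if __name__ == "__main__":
    # Hypothetical server package set, constructed for the demo.
    report = triage(parse_audit(SAMPLE_AUDIT), ["krb5", "libtirpc", "gftp"])
    for bucket, items in report.items():
        for e in items:
            print(f"{bucket:8} {e.cve} {e.package} bug={e.bug} since={e.since}")
```

The "fixed" bucket is the only one where running the package updater helps; an "open" entry only says the tracker knows about the flaw, which is exactly the gap between the audit files and the [SECURITY] announcements that the reply above describes.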



