not to beat a dead horse

Kevin Fenzi kevin at tummy.com
Tue Mar 11 18:25:24 UTC 2008


On Mon, 10 Mar 2008 12:20:08 -0600
Jake Edge <jake at lwn.net> wrote:

Feel free to keep beating... ;) This stuff needs to improve. :( 

> but I am trying to puzzle out the kronolith advisories.  They do not 
> include either a CVE reference or a bugzilla reference.  One contains 
> the changelog, one not.  And the description of the problem is as
> follows:
> 
> Fix privilege escalation in Horde API.  Fix missing ownership
> validation on share changes.
> 
> This is for FEDORA-2008-2221 and FEDORA-2008-2212.
> 
> How am I (or anyone) supposed to figure out what's going on here?

Not easily. ;( 

Kronolith upstream seems pretty happy go lucky. They fixed these things
in their cvs with no upstream bugs filed. As far as I know they never
requested a CVE or anything like it. Their viewcvs setup makes it
pretty impossible to see what changed. They added other changes into
this release instead of just releasing the security updates, etc.

Manually pulling down the two releases and diffing them got me the
changes, but messy. ;(

So, what should we do in this case? 

It really is a security update... should we always file
redhat.bugzilla.com bugs and make sure they are updated with info? 

Should we file upstream bugs and ask them to explain the changes? 

Should we request a CVE and wait for that before pushing the update? 

Some guidelines here would be good... 

> jake

kevin

