not to beat a dead horse
Lubomir Kundrak
lkundrak at redhat.com
Wed Mar 12 15:37:32 UTC 2008
On Tue, 2008-03-11 at 12:25 -0600, Kevin Fenzi wrote:
> On Mon, 10 Mar 2008 12:20:08 -0600
> Jake Edge <jake at lwn.net> wrote:
>
> Feel free to keep beating... ;) This stuff needs to improve. :(
>
> > but I am trying to puzzle out the kronolith advisories. They do not
> > include either a CVE reference or a bugzilla reference. One contains
> > the changelog, one not. And the description of the problem is as
> > follows:
> >
> > Fix privilege escalation in Horde API. Fix missing ownership
> > validation on share changes.
> >
> > This is for FEDORA-2008-2221 and FEDORA-2008-2212.
> >
> > How am I (or anyone) supposed to figure out what's going on here?
>
> Not easily. ;(
>
> Kronolith upstream seems pretty happy go lucky. They fixed these things
> in their cvs with no upstream bugs filed. As far as I know they never
> requested a CVE or anything like it. Their viewcvs setup makes it
> pretty impossible to see what changed. They added other changes into
> this release instead of just releasing the security updates, etc.
>
> Manually pulling down the two releases and diffing them, got me the
> changes, but messy. ;(
>
> So, what should we do in this case?
>
> It really is a security update... should we always file
> redhat.bugzilla.com bugs and make sure they are updated with info?
>
> Should we file upstream bugs and ask them to explain the changes?
>
> Should we request a CVE and wait for that before pushing the update?
>
> Some guidelines here would be good...
Who approved these?
I noticed this before it got pushed and asked the maintainer to sort the
things out (add references to bugs, file them eventually).
--
Lubomir Kundrak (Red Hat Security Response Team)