not to beat a dead horse

Kevin Fenzi kevin at tummy.com
Wed Mar 12 17:09:11 UTC 2008


On Wed, 12 Mar 2008 13:04:48 -0400
Luke Macken <lmacken at redhat.com> wrote:

> On Wed, Mar 12, 2008 at 04:37:32PM +0100, Lubomir Kundrak wrote:
> > 
> > On Tue, 2008-03-11 at 12:25 -0600, Kevin Fenzi wrote:
> > > On Mon, 10 Mar 2008 12:20:08 -0600
> > > Jake Edge <jake at lwn.net> wrote:
> > > 
> > > Feel free to keep beating... ;) This stuff needs to improve. :( 
> > > 
> > > > but I am trying to puzzle out the kronolith advisories.  They
> > > > do not include either a CVE reference or a bugzilla reference.
> > > > One contains the changelog, one not.  And the description of
> > > > the problem is as follows:
> > > > 
> > > > Fix privilege escalation in Horde API.  Fix missing ownership
> > > > validation on share changes.
> > > > 
> > > > This is for FEDORA-2008-2221 and FEDORA-2008-2212.
> > > > 
> > > > How am I (or anyone) supposed to figure out what's going on
> > > > here?
> > > 
> > > Not easily. ;( 
> > > 
> > > Kronolith upstream seems pretty happy go lucky. They fixed these
> > > things in their cvs with no upstream bugs filed. As far as I know
> > > they never requested a CVE or anything like it. Their viewcvs
> > > setup makes it pretty impossible to see what changed. They added
> > > other changes into this release instead of just releasing the
> > > security updates, etc. 
> > > 
> > > Manually pulling down the two releases and diffing them, got me
> > > the changes, but messy. ;( 
> > > 
> > > So, what should we do in this case? 
> > > 
> > > It really is a security update... should we always file
> > > redhat.bugzilla.com bugs and make sure they are updated with
> > > info? 
> > > 
> > > Should we file upstream bugs and ask them to explain the changes? 
> > > 
> > > Should we request a CVE and wait for that before pushing the
> > > update? 
> > > 
> > > Some guidelines here would be good... 
> > 
> > Who approved these?
> > 
> > I noticed this before it got pushed and asked the maintainer to
> > sort the things out (add references to bugs, file them eventually).
> 
> Kevin approved the F7 update, and then 3 days later I noticed the F8
> update never made it out, so I approved it.

Yeah, I didn't see the F8 one... but I approved the other one. ;( 

I did ask the submitter about bugs or docs or anything, but they said
they had no CVE or procedure to ask for one, or anything useful from
upstream. 

Shall we require that at least a bug is filed against any security
update? That would allow us to add commentary on the bug at least and
hopefully help people figure things out. I am fine with that policy,
although it might mean that some updates are delayed while a bug is
filed and such. 

> 
> luke
> 

kevin