From deisenst at gtw.net Sat Apr 1 19:06:14 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Sat, 1 Apr 2006 13:06:14 -0600 (CST)
Subject: Fedora and External Product Vulnerabilities (Bugzilla #185499, RHSA-2006-0268 (Macromedia Flash))
Message-ID:

Hello,

The other week, I sent a notice to fedora-legacy-list and fedora-security-list regarding the Macromedia Flash critical vulnerability (CVE-2006-0024, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024) thinking that, even though it is proprietary and therefore Fedora Core, Legacy, & Extras do not distribute it nor provide any support for it, that I could tell my friends on both lists about it, since this bug has the alleged possibility to run arbitrary code remotely and so is critical.

Here's the post:

Some reservations were expressed to me privately about using our mailing list(s) to broadcast such information, after I already sent the thing out. Yet I sent it out, because I felt it would be important for folks who don't get Red Hat Enterprise Linux's security errata to be aware of the issue so they can protect their computers.

Perhaps this needs more discussion, however. As participating members of the Fedora Project team, are there things we should not say on the mailing list(s)? I keep reading things about the wiki, for example, that say we mustn't talk (at least on Fedora's official web-pages) about things that aren't "pure" open-source or that violate some standard of open-sourciness; nor should we use the wiki resource to point to outside resources that may have (Linux) software that is proprietary or use features that in some of many jurisdictions might violate patents or other intellectual property laws. If that is so (and it's unclear to me exactly what those boundaries should be), it is unclear to me whether the instance of the buggy Flash player is one of those "no-nos" to talk about on Fedora mailing lists or wiki pages.

I would have liked to suggest that someone who is a member of make a post there about this issue like that which I posted to fedora-legacy-list and fedora-security-list, to help inform more of the Fedora community about this critical bug. But I am not sure now that suggesting or doing that is appropriate? Can any of you offer any insight into this? Thank you.

Thanks and Regards,
David Eisenstein

From sundaram at fedoraproject.org Sat Apr 1 19:27:40 2006
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Sun, 02 Apr 2006 00:57:40 +0530
Subject: Fedora and External Product Vulnerabilities (Bugzilla #185499, RHSA-2006-0268 (Macromedia Flash))
In-Reply-To:
References:
Message-ID: <1143919660.3802.863.camel@sundaram.pnq.redhat.com>

On Sat, 2006-04-01 at 13:06 -0600, David Eisenstein wrote:
> Hello,
>
> The other week, I sent a notice to fedora-legacy-list and fedora-
> security-list regarding the Macromedia Flash critical vulnerability
> (CVE-2006-0024, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024)
> thinking that, even though it is proprietary and therefore Fedora Core,
> Legacy, & Extras do not distribute it nor provide any support for it, that
> I could tell my friends on both lists about it, since this bug has the
> alleged possibility to run arbitrary code remotely and so is critical.
>
> Here's the post:
>
>
> Some reservations were expressed to me privately about using our mailing
> list(s) to broadcast such information, after I already sent the thing out.
> Yet I sent it out, because I felt it would be important for folks who
> don't get Red Hat Enterprise Linux's security errata to be aware of the
> issue so they can protect their computers.

You are certainly allowed as an individual to post such warnings to the list. Just make it explicit that you are posting not on behalf of the project when it is controversial. Warren Togami for example made an announcement on the arrangement he had with Macromedia for a flash repository.
That might be better suited for Fedora Legacy users too.

https://www.redhat.com/archives/fedora-announce-list/2006-March/msg00037.html

> Perhaps this needs more discussion, however. As participating members of
> the Fedora Project team, are there things we should not say on the mailing
> list(s)?

I would say the usual netiquette guidelines such as generally being nice to each other apply, but anything that doesn't fit the ideals of the project probably shouldn't be promoted in a formal capacity. This kind of issue, such as security vulnerabilities, is something that we need to be responsible about even when we actually don't ship the applications or support them formally.

Rahul

Ps: No need to cc me. I am on this list as well now.

From fedora at leemhuis.info Sat Apr 1 19:40:25 2006
From: fedora at leemhuis.info (Thorsten Leemhuis)
Date: Sat, 01 Apr 2006 21:40:25 +0200
Subject: Fedora and External Product Vulnerabilities (Bugzilla #185499, RHSA-2006-0268 (Macromedia Flash))
In-Reply-To: <1143919660.3802.863.camel@sundaram.pnq.redhat.com>
References: <1143919660.3802.863.camel@sundaram.pnq.redhat.com>
Message-ID: <1143920426.2300.13.camel@localhost.localdomain>

On Sunday, 02.04.2006, 00:57 +0530, Rahul Sundaram wrote:
> On Sat, 2006-04-01 at 13:06 -0600, David Eisenstein wrote:
> > Hello,
> >
> > The other week, I sent a notice to fedora-legacy-list and fedora-
> > security-list regarding the Macromedia Flash critical vulnerability
> > (CVE-2006-0024, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024)
> > thinking that, even though it is proprietary and therefore Fedora Core,
> > Legacy, & Extras do not distribute it nor provide any support for it, that
> > I could tell my friends on both lists about it, since this bug has the
> > alleged possibility to run arbitrary code remotely and so is critical.
> >
> > Here's the post:
> >
> >
> > Some reservations were expressed to me privately about using our mailing
> > list(s) to broadcast such information, after I already sent the thing out.
> > Yet I sent it out, because I felt it would be important for folks who
> > don't get Red Hat Enterprise Linux's security errata to be aware of the
> > issue so they can protect their computers.
>
> You are certainly allowed as an individual to post such warnings to the
> list. Just make it explicit that you are posting not on behalf of the
> project when it is controversial. Warren Togami for example made an
> announcement on the arrangement he had with Macromedia for a flash
> repository.

That would be my opinion, too.

Cu
thl
--
Thorsten Leemhuis

From bob at bobjensen.com Sun Apr 2 05:55:52 2006
From: bob at bobjensen.com (Robert 'Bob' Jensen)
Date: Sat, 01 Apr 2006 23:55:52 -0600
Subject: Fedora and External Product Vulnerabilities (Bugzilla #185499, RHSA-2006-0268 (Macromedia Flash))
In-Reply-To: <1143920426.2300.13.camel@localhost.localdomain>
References: <1143919660.3802.863.camel@sundaram.pnq.redhat.com> <1143920426.2300.13.camel@localhost.localdomain>
Message-ID: <1143957352.2550.15.camel@cbcclt02.cbcchome.cbccgroup.com>

On Sat, 2006-04-01 at 21:40 +0200, Thorsten Leemhuis wrote:
> On Sunday, 02.04.2006, 00:57 +0530, Rahul Sundaram wrote:
> >
> > You are certainly allowed as an individual to post such warnings to the
> > list. Just make it explicit that you are posting not on behalf of the
> > project when it is controversial. Warren Togami for example made an
> > announcement on the arrangement he had with Macromedia for a flash
> > repository.
>
> That would be my opinion, too.
>
> Cu
> thl

I feel that we have a responsibility to inform our users when security is an issue, even for items we do not provide, when we are sure that a majority of our end users in that segment might have the item installed.
I feel that flash would apply to the desktop segment of our target markets. Where these messages go and how they are distributed is a bigger question. I feel they should be visible enough that the affected users will see the messages. Would posting a message about flash be right to a list of server administrators? I do not think so.

Is there a current web space that users can look for security issues that may apply to them? If not, is this something that should be created and maintained by the community at large? If it does, how can we promote this resource so users are aware, can do research and can make wise choices?

--
Robert 'Bob' Jensen
Fedora Unity Project

From Axel.Thimm at ATrpms.net Sun Apr 2 13:58:06 2006
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Sun, 2 Apr 2006 15:58:06 +0200
Subject: Fedora and External Product Vulnerabilities (Bugzilla #185499, RHSA-2006-0268 (Macromedia Flash))
In-Reply-To:
References:
Message-ID: <20060402135806.GA3544@neu.nirvana>

On Sat, Apr 01, 2006 at 01:06:14PM -0600, David Eisenstein wrote:
> Perhaps this needs more discussion, however. As participating members of
> the Fedora Project team, are there things we should not say on the mailing
> list(s)? I keep reading things about the wiki, for example, that say we
> mustn't talk (at least on Fedora's official web-pages) about things that
> aren't "pure" open-source or that violate some standard of open-
> sourciness; nor should we use the wiki resource to point to outside
> resources that may have (Linux) software that is proprietary or use
> features that in some of many jurisdictions might violate patents or other
> intellectual property laws.

It depends. If you post/write something like "use " or "use " you and maybe any official position you are dressing are encouraging the possible patent violation or use of proprietary software. But if you make a statement that this software has security flaws you are not endorsing directly or indirectly any usage of this software.

As to how far this is on or off-topic for this list and that webspace: If it really adds value to the target audience then it's always on-topic. And people subscribing to a fedora-security list shouldn't mind the one or other post about security flaws on not directly fedora content. We're not Debian, are we? ;)

Of course everything has a line somewhere. Posting about Microsoft Office vulnerabilities because you could run Office under wine on fedora would not only be off-topic, but perhaps an insult to the community ;)
--
Axel.Thimm at ATrpms.net

From kwade at redhat.com Tue Apr 4 04:46:30 2006
From: kwade at redhat.com (Karsten Wade)
Date: Mon, 03 Apr 2006 21:46:30 -0700
Subject: Fedora and External Product Vulnerabilities (Bugzilla #185499, RHSA-2006-0268 (Macromedia Flash))
In-Reply-To: <1143957352.2550.15.camel@cbcclt02.cbcchome.cbccgroup.com>
References: <1143919660.3802.863.camel@sundaram.pnq.redhat.com> <1143920426.2300.13.camel@localhost.localdomain> <1143957352.2550.15.camel@cbcclt02.cbcchome.cbccgroup.com>
Message-ID: <1144125990.29614.123.camel@erato.phig.org>

On Sat, 2006-04-01 at 23:55 -0600, Robert 'Bob' Jensen wrote:
> Is there a current web space that users can look for security issues
> that may apply to them? If not is this something that should be created
> and maintained by the community at large? If it does how can we promote
> this resource so users are aware can do research and can make wise
> choices?

Well, we get many security announcements to f-announce-l.
It seems like an extra burden for us to track down and highlight security risks for applications not in Core or Extras; hard to know where to draw the line, and people are always going to think we drew it too far or not far enough.

It might be cool if we could get security announcements to all magically appear on a page ... or in a searchable database ... and that would cover us for everything in Core and Extras thoroughly. We could link to external lists of non-FC/FE vulnerabilities for packages in third-party repos.

FedoraNews.org and other news/planet sites might be a good place to draw attention to a vulnerability that is outside of the normal FC/FE-sphere but many users may have installed. For example, if there were a vulnerability in XMMS's MP3 plug-in, we would be remiss if no one announced it because it has the evil MP3 word in it.

- Karsten
--
Karsten Wade, RHCE * Sr. Editor * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Fedora Documentation Project http://fedoraproject.org/wiki/DocsProject
Learn. Network. Experience open source.
Red Hat Summit Nashville | May 30 - June 2, 2006
Learn more: http://www.redhat.com/promo/summit/

From tchung at fedoraproject.org Tue Apr 4 07:05:13 2006
From: tchung at fedoraproject.org (Thomas Chung)
Date: Tue, 4 Apr 2006 00:05:13 -0700
Subject: Fedora and External Product Vulnerabilities (Bugzilla #185499, RHSA-2006-0268 (Macromedia Flash))
In-Reply-To: <1144125990.29614.123.camel@erato.phig.org>
References: <1143919660.3802.863.camel@sundaram.pnq.redhat.com> <1143920426.2300.13.camel@localhost.localdomain> <1143957352.2550.15.camel@cbcclt02.cbcchome.cbccgroup.com> <1144125990.29614.123.camel@erato.phig.org>
Message-ID: <369bce3b0604040005t32527b74lbafc4a559f50a0c7@mail.gmail.com>

On 4/3/06, Karsten Wade wrote:
> On Sat, 2006-04-01 at 23:55 -0600, Robert 'Bob' Jensen wrote:
>
> > Is there a current web space that users can look for security issues
> > that may apply to them? If not is this something that should be created
> > and maintained by the community at large? If it does how can we promote
> > this resource so users are aware can do research and can make wise
> > choices?
>
> Well, we get many security announcements to f-announce-l. It seems like
> an extra burden for us to track down and highlight security risks for
> applications not in Core or Extras; hard to know where to draw the line,
> and people are always going to think we drew it too far or not far
> enough.
>
> It might be cool if we could get security announcements to all magically
> appear on a page ... or in a searchable database ... and that would
> cover us for everything in Core and Extras thoroughly. We could link to
> external lists of non-FC/FE vulnerabilities for packages in third-party
> repos.
>
> FedoraNews.org and other news/planet sites might be a good place to draw
> attention to a vulnerability that is outside of the normal FC/FE-sphere
> but many users may have installed. For example, if there were a
> vulnerability in XMMS's MP3 plug-in, we would be remiss if no one
> announced it because it has the evil MP3 word in it.

From time to time, I do post security information from third party companies such as Adobe and Real on fedoranews.org. If you believe the information is critical for the desktop computing environment, feel free to forward such security announcements and I'll add them under a new category which also generates an rss feed.

http://fedoranews.org/cms/Categories

Regards,
--
Thomas Chung
http://fedoraproject.org/wiki/ThomasChung

From tchung at fedoraproject.org Tue Apr 4 06:58:25 2006
From: tchung at fedoraproject.org (Thomas Chung)
Date: Mon, 3 Apr 2006 23:58:25 -0700
Subject: Fedora and External Product Vulnerabilities (Bugzilla #185499, RHSA-2006-0268 (Macromedia Flash))
In-Reply-To: <1144125990.29614.123.camel@erato.phig.org>
References: <1143919660.3802.863.camel@sundaram.pnq.redhat.com> <1143920426.2300.13.camel@localhost.localdomain> <1143957352.2550.15.camel@cbcclt02.cbcchome.cbccgroup.com> <1144125990.29614.123.camel@erato.phig.org>
Message-ID: <369bce3b0604032358n7a04676fm42187fdecfa870ef@mail.gmail.com>

On 4/3/06, Karsten Wade wrote:
> On Sat, 2006-04-01 at 23:55 -0600, Robert 'Bob' Jensen wrote:
>
> > Is there a current web space that users can look for security issues
> > that may apply to them? If not is this something that should be created
> > and maintained by the community at large? If it does how can we promote
> > this resource so users are aware can do research and can make wise
> > choices?
>
> Well, we get many security announcements to f-announce-l. It seems like
> an extra burden for us to track down and highlight security risks for
> applications not in Core or Extras; hard to know where to draw the line,
> and people are always going to think we drew it too far or not far
> enough.
>
> It might be cool if we could get security announcements to all magically
> appear on a page ... or in a searchable database ... and that would
> cover us for everything in Core and Extras thoroughly. We could link to
> external lists of non-FC/FE vulnerabilities for packages in third-party
> repos.
>
> FedoraNews.org and other news/planet sites might be a good place to draw
> attention to a vulnerability that is outside of the normal FC/FE-sphere
> but many users may have installed. For example, if there were a
> vulnerability in XMMS's MP3 plug-in, we would be remiss if no one
> announced it because it has the evil MP3 word in it.

From time to time, I do post security information from third party companies such as Adobe and Real on fedoranews.org. If you believe the information is critical for the desktop computing environment, feel free to forward such security announcements and I'll add them under a new category which also generates an rss feed.

http://fedoranews.org/cms/Categories

Regards,
--
Thomas Chung
http://fedoraproject.org/wiki/ThomasChung

From ronn at emm.org Tue Apr 4 20:45:04 2006
From: ronn at emm.org (Ronald Nissley)
Date: Tue, 4 Apr 2006 16:45:04 -0400
Subject: Flaw discovered in Sendmail 8.13.5
Message-ID:

A security flaw has been found in Sendmail 8.13.5. The flaw is resolved in 8.13.6 or by patching 8.13.5. You can read more at http://www.sendmail.org under Recent News. What is Fedora's response for issues like this? Are users expected to install the patch, compile/install the fixed version, or will Fedora release 8.13.6 rpms shortly?

Thank you,
Ronald Nissley

From tibbs at math.uh.edu Tue Apr 4 20:55:02 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Tue, 04 Apr 2006 15:55:02 -0500
Subject: Flaw discovered in Sendmail 8.13.5
In-Reply-To: (Ronald Nissley's message of "Tue, 4 Apr 2006 16:45:04 -0400")
References:
Message-ID:

>>>>> "RN" == Ronald Nissley writes:

RN> Are users expected to install the patch, compile/install the fixed
RN> version, or will Fedora release
RN> 8.13.6 rpms shortly?
Both Fedora and Fedora Legacy released fixed packages on March 22.

- J<

From tchung at fedoraproject.org Tue Apr 4 20:57:39 2006
From: tchung at fedoraproject.org (Thomas Chung)
Date: Tue, 4 Apr 2006 13:57:39 -0700
Subject: Flaw discovered in Sendmail 8.13.5
In-Reply-To:
References:
Message-ID: <369bce3b0604041357g7a57fa76w49c051d0d9abeac3@mail.gmail.com>

On 4/4/06, Ronald Nissley wrote:
> A security flaw has been found in Sendmail 8.13.5. The flaw is resolved
> in 8.13.6 or by patching 8.13.5. You can read more at
> http://www.sendmail.org under Recent News. What is Fedora's response for
> issues like this? Are users expected to install the patch,
> compile/install the fixed version, or will Fedora release 8.13.6 rpms
> shortly?

Ronald,

Fedora Project already pushed 8.13.6 for FC5.
http://fedoranews.org/cms/node/466

Regards,
--
Thomas Chung
http://fedoraproject.org/wiki/ThomasChung

From deisenst at gtw.net Tue Apr 4 23:39:16 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Tue, 04 Apr 2006 18:39:16 -0500
Subject: "Official" (security) update announcement repository? fedora-announce-list? Re: Flaw discovered in Sendmail 8.13.5
In-Reply-To: <369bce3b0604041357g7a57fa76w49c051d0d9abeac3@mail.gmail.com>
References: <369bce3b0604041357g7a57fa76w49c051d0d9abeac3@mail.gmail.com>
Message-ID: <443303A4.5010901@gtw.net>

Thomas Chung wrote:
> On 4/4/06, Ronald Nissley wrote (to fedora-security-list):
>
>>A security flaw has been found in Sendmail 8.13.5. The flaw is resolved
>>in 8.13.6 or by patching 8.13.5. You can read more at
>>http://www.sendmail.org under Recent News. What is Fedora's response for
>>issues like this? Are users expected to install the patch,
>>compile/install the fixed version, or will Fedora release 8.13.6 rpms
>>shortly?
>
>Ronald,
>
>Fedora Project already pushed 8.13.6 for FC5.
>http://fedoranews.org/cms/node/466

For some reason, the announcements 'FEDORA-2006-193' for sendmail-8.13.6-0.FC5.1 and 'FEDORA-2006-194' for sendmail-8.13.6-0.FC4.1, both apparently published March 22nd, never appeared to make it into the fedora-announce-list archives. But they indeed do appear on the fedoranews.org site, as and , respectively. Where did you get those announcements from, Thomas?

Since I consider fedora-announce-list's archives to be a rather "official" repository of what is fixed or updated for Fedora Core, I generally go by the rule that whatever's in fedora-announce-list's archives are things that are fixed; and if it's not there in the archives, it's not fixed. Therefore, I, too, might have been led to believe that this sendmail vulnerability remained unpatched in Fedora Core.

Should these announcements be re-published to fedora-announce-list?

Further, should fedora-announce-list be considered an official repository of security and non-security update announcements for Fedora packages? If not, does the Fedora Project need to define such an official repository? -- some web location where we can all agree to point end-users to and say, "Here. This is where all update announcements will reside, so if there's no announcement here about issue xyz, then issue xyz's not been fixed." ??

Warm regards,
David Eisenstein

ps: By the way, FYI, Fedora Legacy ran into a number of bugs in our initial release of packages that patch the CVE-2006-0058 sendmail issue for three of the five distributions we work with, RHL 7.3, RHL 9, and FC1; the FC2 and FC3 packages appeared to be fine on initial release. The bugs were mostly due to the fact that we had to *upgrade* older sendmails to sendmail-8.12.11, which broke some things. (See Bugzilla #186277 starting with comments #30 ff. for more info....)

We have just today finished our QA process on the RHL 7.3, RHL9, and FC1 packages that are currently in updates-testing, so updated packages should be released soon.
-dde

From tchung at fedoraproject.org Wed Apr 5 01:26:10 2006
From: tchung at fedoraproject.org (Thomas Chung)
Date: Tue, 4 Apr 2006 18:26:10 -0700
Subject: "Official" (security) update announcement repository? fedora-announce-list? Re: Flaw discovered in Sendmail 8.13.5
In-Reply-To: <443303A4.5010901@gtw.net>
References: <369bce3b0604041357g7a57fa76w49c051d0d9abeac3@mail.gmail.com> <443303A4.5010901@gtw.net>
Message-ID: <369bce3b0604041826v2fc6e294x87d956c76ec66e7a@mail.gmail.com>

On 4/4/06, David Eisenstein wrote:
> For some reason, the announcements 'FEDORA-2006-193' for sendmail-8.13.6-
> 0.FC5.1 and 'FEDORA-2006-194' for sendmail-8.13.6-0.FC4.1, both apparently
> published March 22nd, never appeared to make it into the fedora-announce-list
> archives. But they indeed do appear on the fedoranews.org site, as
> and ,
> respectively. Where did you get those announcements from, Thomas?

From fedora-announcement-list email subscription of course. I believe it's one of those emails that got lost during the list server problem we had a few weeks ago. Regardless, everyone in the Fedora Community should subscribe to fedora-announce-list. (period)

Regards,
--
Thomas Chung
http://fedoraproject.org/wiki/ThomasChung

From lmacken at redhat.com Wed Apr 5 01:44:17 2006
From: lmacken at redhat.com (Luke Macken)
Date: Tue, 4 Apr 2006 21:44:17 -0400
Subject: Fedora and External Product Vulnerabilities (Bugzilla #185499, RHSA-2006-0268 (Macromedia Flash))
In-Reply-To: <1144125990.29614.123.camel@erato.phig.org>
References: <1143919660.3802.863.camel@sundaram.pnq.redhat.com> <1143920426.2300.13.camel@localhost.localdomain> <1143957352.2550.15.camel@cbcclt02.cbcchome.cbccgroup.com> <1144125990.29614.123.camel@erato.phig.org>
Message-ID: <20060405014417.GA958@tomservo.boston.redhat.com>

On Mon, Apr 03, 2006 at 09:46:30PM -0700, Karsten Wade wrote:
> It might be cool if we could get security announcements to all magically
> appear on a page ... or in a searchable database ... and that would
> cover us for everything in Core and Extras thoroughly. We could link to
> external lists of non-FC/FE vulnerabilities for packages in third-party
> repos.

Doing this would essentially make Fedora CVE compatible[0] (aside from some minor documentation). Is this something we would even want to pursue?

luke

[0]: http://www.cve.mitre.org/compatible/

From sundaram at fedoraproject.org Wed Apr 5 01:46:35 2006
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Wed, 05 Apr 2006 07:16:35 +0530
Subject: Fedora and External Product Vulnerabilities (Bugzilla #185499, RHSA-2006-0268 (Macromedia Flash))
In-Reply-To: <20060405014417.GA958@tomservo.boston.redhat.com>
References: <1143919660.3802.863.camel@sundaram.pnq.redhat.com> <1143920426.2300.13.camel@localhost.localdomain> <1143957352.2550.15.camel@cbcclt02.cbcchome.cbccgroup.com> <1144125990.29614.123.camel@erato.phig.org> <20060405014417.GA958@tomservo.boston.redhat.com>
Message-ID: <1144201596.24151.87.camel@sundaram.pnq.redhat.com>

On Tue, 2006-04-04 at 21:44 -0400, Luke Macken wrote:
> On Mon, Apr 03, 2006 at 09:46:30PM -0700, Karsten Wade wrote:
> > It might be cool if we could get security announcements to all magically
> > appear on a page ... or in a searchable database ... and that would
> > cover us for everything in Core and Extras thoroughly. We could link to
> > external lists of non-FC/FE vulnerabilities for packages in third-party
> > repos.
>
> Doing this would essentially make Fedora CVE compatible[0] (aside
> from some minor documentation). Is this something we would even want to
> pursue?

Yes. It would be good to have the notification mechanisms include this information in the future too.

Rahul

From kurt at uniqsys.com Wed Apr 5 13:04:23 2006
From: kurt at uniqsys.com (Kurt Bechstein)
Date: Wed, 05 Apr 2006 09:04:23 -0400
Subject: "Official" (security) update announcement repository? fedora-announce-list? Re: Flaw discovered in Sendmail 8.13.5
In-Reply-To: <443303A4.5010901@gtw.net>
References: <369bce3b0604041357g7a57fa76w49c051d0d9abeac3@mail.gmail.com> <443303A4.5010901@gtw.net>
Message-ID: <1144242263.2980.4.camel@scooby.uniqsys.com>

On Tue, 2006-04-04 at 18:39 -0500, David Eisenstein wrote:
> For some reason, the announcements 'FEDORA-2006-193' for sendmail-8.13.6-
> 0.FC5.1 and 'FEDORA-2006-194' for sendmail-8.13.6-0.FC4.1, both apparently
> published March 22nd, never appeared to make it into the fedora-announce-list
> archives. But they indeed do appear on the fedoranews.org site, as
> and ,
> respectively. Where did you get those announcements from, Thomas?
>
> Since I consider fedora-announce-list's archives to be a rather "official"
> repository of what is fixed or updated for Fedora Core, I generally go by the
> rule that whatever's in fedora-announce-list's archives are things that are
> fixed; and if it's not there in the archives, it's not fixed. Therefore, I,
> too, might have been led to believe that this sendmail vulnerability remained
> unpatched in Fedora Core.
>
> Should these announcements be re-published to fedora-announce-list?
>
> Further, should fedora-announce-list be considered an official repository of
> security and non-security update announcements for Fedora packages? If not,
> does the Fedora Project need to define such an official repository? -- some
> web location where we can all agree to point end-users to and say, "Here.
> This is where all update announcements will reside, so if there's no
> announcement here about issue xyz, then issue xyz's not been fixed." ??
>
> Warm regards,
> David Eisenstein
>
> ps: By the way, FYI, Fedora Legacy ran into a number of bugs in our initial
> release of packages that patch the CVE-2006-0058 sendmail issue for three of
> the five distributions we work with, RHL 7.3, RHL 9, and FC1; the FC2 and FC3
> packages appeared to be fine on initial release. The bugs were mostly due to
> the fact that we had to *upgrade* older sendmails to sendmail-8.12.11, which
> broke some things. (See Bugzilla #186277 starting with comments #30 ff. for
> more info....)
>
> We have just today finished our QA process on the RHL 7.3, RHL9, and FC1 pack-
> ages that are currently in updates-testing, so updated packages should be
> released soon. -dde
>

Just so I'm clear on this one, do these packages fix something different from the packages referenced on http://fedoranews.org/cms/node/489 ? They seem to reference the same CVE listing, so I just wanted to be sure before I have to go patching a boat load of servers again.

--
Kurt Bechstein            | Unique Systems, Inc.
Systems Administrator     | 1687 Woodlands Dr.
Phone: (419) 861-3331     | Maumee, OH 43537
Email: kurt at uniqsys.com | http://www.uniqsys.com

From tchung at fedoraproject.org Wed Apr 5 17:14:07 2006
From: tchung at fedoraproject.org (Thomas Chung)
Date: Wed, 5 Apr 2006 10:14:07 -0700
Subject: "Official" (security) update announcement repository? fedora-announce-list? Re: Flaw discovered in Sendmail 8.13.5
In-Reply-To: <1144242263.2980.4.camel@scooby.uniqsys.com>
References: <369bce3b0604041357g7a57fa76w49c051d0d9abeac3@mail.gmail.com> <443303A4.5010901@gtw.net> <1144242263.2980.4.camel@scooby.uniqsys.com>
Message-ID: <369bce3b0604051014x11654596hf8dc169f4ba5b855@mail.gmail.com>

On 4/5/06, Kurt Bechstein wrote:
> Just so I'm clear on this one, do these packages fix something different
> from the packages referenced on http://fedoranews.org/cms/node/489 ?
> They seem to reference the same CVE listing so I just wanted to be sure
> before I have to go patching a boat load of servers again.

I assume you're referring to http://fedoranews.org/cms/node/581

For that, I believe you need to contact the Fedora Legacy Project for details.
http://fedoralegacy.org Regards, -- Thomas Chung http://fedoraproject.org/wiki/ThomasChung From bressers at redhat.com Wed Apr 5 19:26:17 2006 From: bressers at redhat.com (Josh Bressers) Date: Wed, 05 Apr 2006 15:26:17 -0400 Subject: New FE vulnerabilities In-Reply-To: Your message of "Thu, 09 Mar 2006 14:02:55 +0100." <4410277F.5060101@hhs.nl> Message-ID: <200604051926.k35JQHbJ001257@devserv.devel.redhat.com> > Hi, > > Below the results of checking todays lwn.net's new vulnerabilities > against FE. Since no-one seems to be doing it and since the FE security > SIG seems to be not getting anywhere (Am I the only one who cares, I > though there were some other takers?) I've taken this initiative: I'm hoping we can revive this thread. There seems to be marginal interest in a FE security team. I imagine after LWE and FUDCon, there will be a renewed interest, so this may be a fine time to move forward. Since the SIG already exists, I'll let them speak up. If there is no longer a SIG, that's fine too. Is anybody working on any of these things? -- JB From jkeating at redhat.com Wed Apr 5 19:59:03 2006 From: jkeating at redhat.com (Jesse Keating) Date: Wed, 5 Apr 2006 15:59:03 -0400 Subject: New FE vulnerabilities In-Reply-To: <200604051926.k35JQHbJ001257@devserv.devel.redhat.com> References: <200604051926.k35JQHbJ001257@devserv.devel.redhat.com> Message-ID: <200604051559.06970.jkeating@redhat.com> On Wednesday 05 April 2006 15:26, Josh Bressers wrote: > I'm hoping we can revive this thread. ?There seems to be marginal interest > in a FE security team. ?I imagine after LWE and FUDCon, there will be a > renewed interest, so this may be a fine time to move forward. > > Since the SIG already exists, I'll let them speak up. ?If there is no > longer a SIG, that's fine too. ?Is anybody working on any of these things? I am very interested in this as well. 
If nobody steps up, I'll do what it
takes, but largely we need to come up with a security process, and I think we
need guidance from Red Hat's security team.

Is there a SIG?

--
Jesse Keating
Release Engineer: Fedora

From j.w.r.degoede at hhs.nl Wed Apr 5 20:24:48 2006
From: j.w.r.degoede at hhs.nl (Hans de Goede)
Date: Wed, 05 Apr 2006 22:24:48 +0200
Subject: New FE vulnerabilities
In-Reply-To: <200604051559.06970.jkeating@redhat.com>
References: <200604051926.k35JQHbJ001257@devserv.devel.redhat.com> <200604051559.06970.jkeating@redhat.com>
Message-ID: <44342790.7030102@hhs.nl>

Jesse Keating wrote:
> On Wednesday 05 April 2006 15:26, Josh Bressers wrote:
>> I'm hoping we can revive this thread. There seems to be marginal interest
>> in a FE security team. I imagine after LWE and FUDCon, there will be a
>> renewed interest, so this may be a fine time to move forward.
>>
>> Since the SIG already exists, I'll let them speak up. If there is no
>> longer a SIG, that's fine too. Is anybody working on any of these things?
>
> I am very interested in this as well. If nobody steps up, I'll do what it
> takes, but largely we need to come up with a security process, and I think we
> need guidance from Red Hat's security team.
>
> Is there a SIG?
>

There used to be, it consisted of me, Jason L Tibbitts III and Dennis Gilmore.
Both Jason and I are currently (also) active in the Games SIG. I must say I
like the Games SIG much better as there is a lot more getting done there. In
the Security SIG it was just all talk, and I'm not a talker but a do-er.

I also very much agree that what we need most is some kinda security process.
We need:

-a wiki/Extras/Security page that tells users what to do and expect when
 they find a security problem.
 My suggestion:
  -user should search in bugzilla (by CVE in summary if there is a CVE)
   Maybe we can create a special form for by-CVE searching?
  -if it's not in bugzilla user should submit it there.
  -this list gets auto-cc-ed
  -the maintainer handles it, asking for help (on this list) as needed
 To make this work / get some real tracking:
  -if a maintainer finds a bug or pushes a new version with a bug fixed
   he/she should put this bug in bugzilla and close it immediately.

-a place and an easy way to send FE security announcements. Last time
 I brought this up I landed in some xml mumbo jumbo jungle; what's wrong
 with a plain email, with a simple plain text template as base for
 someone wishing to do an announcement to fill in.

Unfortunately although many maintainers do a great job even on security
some don't, thus we need:
-some kinda rules (FESCo action!) when someone can step on a maintainer's
 toes by pushing a fix to CVS and building it because the maintainer is
 not responding to a security bugzilla entry in a timely fashion. I know
 that currently anyone can do this if they feel like it, but I for one
 would like to have a FESCo declared policy for this where I can point a
 maintainer at when he gets pissed (iow I want to be able to hide behind
 FESCo, yes!)

What am I willing to do to help?:
-lurk on this list
-check the new security bugs page of lwn against FE (I have been doing
 this for the last few weeks)
-help people with security problems in C(++) code
-audit C(++) code on request (see my scorched3d work f.e.)
-audit / check C(++) security patches

What am I not willing to do to help?
-get involved in policy making / procedure forming
-other unneeded bureaucracy (the above is needed!)
-talk talk talk, just point me to a broken piece of code please.

So in the light of what I like and what I don't like consider this one of
my last posts in this thread, but don't mistake this with me being
unwilling to help or being uninterested!

Regards,

Hans

p.s.
I still don't like the default reply-to setting of this list, but let's not
go there.

From jkeating at redhat.com Wed Apr 5 20:49:01 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Wed, 5 Apr 2006 16:49:01 -0400
Subject: New FE vulnerabilities
In-Reply-To: <44342790.7030102@hhs.nl>
References: <200604051926.k35JQHbJ001257@devserv.devel.redhat.com> <200604051559.06970.jkeating@redhat.com> <44342790.7030102@hhs.nl>
Message-ID: <200604051649.01651.jkeating@redhat.com>

On Wednesday 05 April 2006 16:24, Hans de Goede wrote:
> -a wiki/Extras/Security page that tells users what to do and expect when
>  they find a security problem. My suggestion:
>   -user should search in bugzilla (by CVE in summary if there is a CVE)
>    Maybe we can create a special form for by-CVE searching?
>   -if it's not in bugzilla user should submit it there.
>   -this list gets auto-cc-ed
>   -the maintainer handles it, asking for help (on this list) as needed
>  To make this work / get some real tracking:
>   -if a maintainer finds a bug or pushes a new version with a bug fixed
>    he/she should put this bug in bugzilla and close it immediately.

This seems very sane. This is how we do Legacy as well.

> -a place and an easy way to send FE security announcements. Last time
>  I brought this up I landed in some xml mumbo jumbo jungle; what's wrong
>  with a plain email, with a simple plain text template as base for
>  someone wishing to do an announcement to fill in.

Fedora-announce is a great place. We need to make the Fedora Updates software
available for Extras (and Legacy) to use. I've talked to Luke Macken who wrote
it and he is very much for getting it cleaned up and modularized enough so
that we can use it for external projects. We should do this before we get into
xml update metadata land. This is a solvable problem.

> Unfortunately although many maintainers do a great job even on security
> some don't, thus we need:
> -some kinda rules (FESCo action!)
> when someone can step on a maintainer's
>  toes by pushing a fix to CVS and building it because the maintainer is
>  not responding to a security bugzilla entry in a timely fashion. I know
>  that currently anyone can do this if they feel like it, but I for one
>  would like to have a FESCo declared policy for this where I can point a
>  maintainer at when he gets pissed (iow I want to be able to hide behind
>  FESCo, yes!)

So one thing that this SIG can do is come up with and vet a security policy
that FESCo will bless and make official. Again, this is a solvable problem.
Let's get on it. I proposed a policy, let's start from there.

--
Jesse Keating
Release Engineer: Fedora

From tibbs at math.uh.edu Wed Apr 5 20:53:00 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Wed, 05 Apr 2006 15:53:00 -0500
Subject: Minor security-related issue with denyhosts
Message-ID:

Since I have nowhere to announce this, I thought it should at least be
mentioned. A minor vulnerability was found in denyhosts: when running in
daemon mode (the default for the Extras package) hosts which time out of the
blocked list (due to the PURGE_DENY setting) and then generate additional
failed login attempts will not be re-added to the blocked list. This is fixed
in version 2.3, which I built and pushed last night and seems to have made it
out to all of the mirrors.

- J<

From bressers at redhat.com Wed Apr 5 20:53:50 2006
From: bressers at redhat.com (Josh Bressers)
Date: Wed, 05 Apr 2006 16:53:50 -0400
Subject: Fedora Extras Security Response Team
Message-ID: <200604052053.k35KroJu029393@devserv.devel.redhat.com>

OK, it seems there is no longer an Extras security SIG. I'm going to contact
the FESCO and get this ball moving properly. I'll send a notice to this list
when there is something to post.
--
JB

From dennis at ausil.us Wed Apr 5 21:37:21 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Wed, 5 Apr 2006 16:37:21 -0500
Subject: Fedora Extras Security Response Team
In-Reply-To: <200604052053.k35KroJu029393@devserv.devel.redhat.com>
References: <200604052053.k35KroJu029393@devserv.devel.redhat.com>
Message-ID: <200604051637.21805.dennis@ausil.us>

On Wednesday 05 April 2006 15:53, Josh Bressers wrote:
> OK, it seems there is no longer an Extras security SIG. I'm going to
> contact the FESCO and get this ball moving properly. I'll send a notice to
> this list when there is something to post.

Since when? Last I knew the SIG was still alive.

http://fedoraproject.org/wiki/Extras/Schedule/SecurityPolicy

Yes, we need to get things solidified and I thought they were pretty much
there. I have been watching bugtraq and reporting bugs as needed. Simplest
way to go forward is a clear policy.

Of the things that were unresolved: email notices should be sent to
fedora-announce, with a copy on a website, security.fedoraproject.org; if
need be I can host it.

As far as maintainers dropping support, there is the wiki and fedora-extras.

For now I guess we could ask Legacy to include some of the SIG members in
with their embargoed email list.

If the maintainer does not respond in three days then the SIG will fix the
issue and release builds.

--
Regards
Dennis Gilmore, RHCE
Proud Australian

From jkeating at redhat.com Wed Apr 5 21:53:54 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Wed, 5 Apr 2006 17:53:54 -0400
Subject: Fedora Extras Security Response Team
In-Reply-To: <200604051637.21805.dennis@ausil.us>
References: <200604052053.k35KroJu029393@devserv.devel.redhat.com> <200604051637.21805.dennis@ausil.us>
Message-ID: <200604051753.54807.jkeating@redhat.com>

On Wednesday 05 April 2006 17:37, Dennis Gilmore wrote:
> Of the things that were unresolved: email notices should be sent to
> fedora-announce,
> with a copy on a website, security.fedoraproject.org; if
> need be I can host it.

Does Fedora currently post their updates and advisories to a webpage
anywhere? Before we worry about that, let's at least get to the level that
Fedora Core is at, then go beyond. Little steps can lead to a long way.

> As far as maintainers dropping support, there is the wiki and fedora-extras.
>
> For now I guess we could ask Legacy to include some of the SIG members in
> with their embargoed email list.

We don't really have much of a SIG, and what did you mean by 'embargoed
email list'?

> If the maintainer does not respond in three days then the SIG will fix
> the issue and release builds.

Sounds fair. I'll review the posted page hopefully sometime this week, a bit
busy w/ LWCE and FUDCon, but I should have time either this week, this
weekend, or next week.

--
Jesse Keating
Release Engineer: Fedora

From dennis at ausil.us Wed Apr 5 22:14:34 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Wed, 5 Apr 2006 17:14:34 -0500
Subject: Fedora Extras Security Response Team
In-Reply-To: <200604051753.54807.jkeating@redhat.com>
References: <200604052053.k35KroJu029393@devserv.devel.redhat.com> <200604051637.21805.dennis@ausil.us> <200604051753.54807.jkeating@redhat.com>
Message-ID: <200604051714.34742.dennis@ausil.us>

On Wednesday 05 April 2006 16:53, Jesse Keating wrote:
> On Wednesday 05 April 2006 17:37, Dennis Gilmore wrote:
> > Of the things that were unresolved: email notices should be sent to
> > fedora-announce, with a copy on a website, security.fedoraproject.org; if
> > need be I can host it.
>
> Does Fedora currently post their updates and advisories to a webpage
> anywhere? Before we worry about that, let's at least get to the level that
> Fedora Core is at, then go beyond. Little steps can lead to a long way.
Fair enough. I think Core just uses fedora-announce so that's a start.
What is needed so that SIG members can post to fedora-announce?

> > As far as maintainers dropping support, there is the wiki and
> > fedora-extras.
> >
> > For now I guess we could ask Legacy to include some of the SIG members
> > in with their embargoed email list.
>
> We don't really have much of a SIG, and what did you mean by 'embargoed
> email list'?

Non-public security reports, however it is that you get them. I should be
more involved with Legacy as I use it for a few systems.

> > If the maintainer does not respond in three days then the SIG will fix
> > the issue and release builds.
>
> Sounds fair. I'll review the posted page hopefully sometime this week, a
> bit busy w/ LWCE and FUDCon, but I should have time either this week, this
> weekend, or next week.

That's fair. I will be quiet for the next 3 weeks after Sunday. I will have
limited net access during that time.

--
Regards
Dennis Gilmore, RHCE
Proud Australian

From jkeating at redhat.com Wed Apr 5 22:25:14 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Wed, 5 Apr 2006 18:25:14 -0400
Subject: Fedora Extras Security Response Team
In-Reply-To: <200604051714.34742.dennis@ausil.us>
References: <200604052053.k35KroJu029393@devserv.devel.redhat.com> <200604051753.54807.jkeating@redhat.com> <200604051714.34742.dennis@ausil.us>
Message-ID: <200604051825.15119.jkeating@redhat.com>

On Wednesday 05 April 2006 18:14, Dennis Gilmore wrote:
> > Does Fedora currently post their updates and advisories to a webpage
> > anywhere? Before we worry about that, let's at least get to the level that
> > Fedora Core is at, then go beyond. Little steps can lead to a long way.
>
> Fair enough. I think Core just uses fedora-announce so that's a start.
> What is needed so that SIG members can post to fedora-announce?

I just approve the posts. I have the list password.
However I don't currently get notices when something needs to be approved; I
know when as I pull the trigger on the Fedora updates and various other
Fedora announces. So basically I either get those notices, or we get the
announcements CC'd to the security-list as a trigger for me to go approve
them. I'll double check policy w/ the Fedora board, but I'm pretty sure
they're cool with this.

> > > As far as maintainers dropping support, there is the wiki and
> > > fedora-extras.
> > >
> > > For now I guess we could ask Legacy to include some of the SIG members
> > > in with their embargoed email list.
> >
> > We don't really have much of a SIG, and what did you mean by 'embargoed
> > email list'?
>
> Non-public security reports, however it is that you get them. I should
> be more involved with Legacy as I use it for a few systems.

Ah ok. I applied for and got accepted into Vendor-Sec, the vendor security
notification email list. We could nominate one person or so to be on there
for Extras. I serve as a filter for Legacy, when there are things related
to Legacy packages I forward them on to our Legacy builder team. Before we
start doing pre-notifications, we need to define a private bugzilla group
so that we can file bugs in private and not have public view.
Unfortunately we don't have the ability to do embargo CVS branches within
Extras ATM, something we should bring up to FESCo to rectify so that we can
generate packages and such prior to embargo date. This is a big hairy
thing, we should concentrate on how we handle publicized issues first, then
move into pre-notification. Again, small steps.

--
Jesse Keating
Release Engineer: Fedora

From bressers at redhat.com Thu Apr 6 00:37:29 2006
From: bressers at redhat.com (Josh Bressers)
Date: Wed, 05 Apr 2006 20:37:29 -0400
Subject: Fedora Extras Security Response Team
In-Reply-To: Your message of "Wed, 05 Apr 2006 16:37:21 CDT." <200604051637.21805.dennis@ausil.us>
Message-ID: <200604060037.k360bT3s023600@devserv.devel.redhat.com>

> > OK, it seems there is no longer an Extras security SIG. I'm going to
> > contact the FESCO and get this ball moving properly. I'll send a notice to
> > this list when there is something to post.
>
> Since when? Last I knew the SIG was still alive.

OK, perhaps you could make it a bit more transparent then.

> http://fedoraproject.org/wiki/Extras/Schedule/SecurityPolicy
>
> Yes, we need to get things solidified and I thought they were pretty much
> there. I have been watching bugtraq and reporting bugs as needed. Simplest
> way to go forward is a clear policy.

There are countless other places that need to be watched other than bugtraq.
Here is a post from Mark Cox, a fellow Red Hat Security Response Team member,
describing our information sources.

http://www.awe.com/mark/blog/security/200603211056.html

Only 14% of issues come from public mailing lists, and while I don't have the
exact number, most of those are not from bugtraq.

What will be needed is a way for the various team members to interact and to
note which issues are outstanding and which issues need attention. You can't
always just blindly create a bug, there are times you have to triage an issue
to ensure it does or does not affect us. In the event it doesn't affect us, it
should be noted that it doesn't and why.
I suggest a CVS module that can contain something a bit like these files:
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc4?root=fedora&view=markup
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc5?root=fedora&view=markup

I just looked at bugzilla, it seems there are three security bugs for Extras.
They seem to be from random people. There should also be some consistency to
the bug reports, such as ensuring each issue has a CVE id, along with a
proper severity.

> Of the things that were unresolved: email notices should be sent to
> fedora-announce, with a copy on a website, security.fedoraproject.org; if
> need be I can host it.

The mail announcements can be done, I'm not too worried about that.

> As far as maintainers dropping support, there is the wiki and fedora-extras.
>
> For now I guess we could ask Legacy to include some of the SIG members in
> with their embargoed email list.

Dealing with embargoed issues adds a great deal of process. I would suggest
getting the non-embargoed process worked out, then adding the ability to
handle embargoed issues.

> If the maintainer does not respond in three days then the SIG will fix the
> issue and release builds.

Has the FESCO approved this idea yet? Part of this process will be assigning
a priority to issues. It is likely there will be more work than time, so low
issues will probably not get much lovin.
--
JB

From j.w.r.degoede at hhs.nl Thu Apr 6 09:17:24 2006
From: j.w.r.degoede at hhs.nl (Hans de Goede)
Date: Thu, 06 Apr 2006 11:17:24 +0200
Subject: Results of checking todays lwn security page
Message-ID: <4434DCA4.4080605@hhs.nl>

2 vulnerabilities in "Extras" found and reported:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188122
http://bugzilla.livna.org/show_bug.cgi?id=889

Also a number in core but I assume those are known:

MySQL: logging bypass:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0903

php: insecure data:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1490

samba: clear text password exposure:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1059

Regards,

Hans

From j.w.r.degoede at hhs.nl Thu Apr 6 09:19:18 2006
From: j.w.r.degoede at hhs.nl (Hans de Goede)
Date: Thu, 06 Apr 2006 11:19:18 +0200
Subject: Results of checking todays lwn security page
In-Reply-To: <4434DCA4.4080605@hhs.nl>
References: <4434DCA4.4080605@hhs.nl>
Message-ID: <4434DD16.5040208@hhs.nl>

p.s.

What happens if I add fedora-security-list at redhat.com to the CC-list,
will this work? If not can someone make this work?

From kaboom at oobleck.net Thu Apr 6 13:26:03 2006
From: kaboom at oobleck.net (Chris Ricker)
Date: Thu, 6 Apr 2006 09:26:03 -0400 (EDT)
Subject: Fedora Extras Security Response Team
In-Reply-To: <200604051825.15119.jkeating@redhat.com>
References: <200604052053.k35KroJu029393@devserv.devel.redhat.com> <200604051753.54807.jkeating@redhat.com> <200604051714.34742.dennis@ausil.us> <200604051825.15119.jkeating@redhat.com>
Message-ID:

On Wed, 5 Apr 2006, Jesse Keating wrote:

> Ah ok. I applied for and got accepted into Vendor-Sec, the vendor
> security notification email list. We could nominate one person or so to
> be on there for Extras. I serve as a filter for Legacy, when there are
> things related to Legacy packages I forward them on to our Legacy
> builder team.
> Before we start doing pre-notifications, we need to
> define a private bugzilla group so that we can file bugs in private and
> not have public view. Unfortunately we don't have the ability to do
> embargo CVS branches within Extras ATM, something we should bring up to
> FESCo to rectify so that we can generate packages and such prior to
> embargo date. This is a big hairy thing, we should concentrate on how
> we handle publicized issues first, then move into pre-notification.
> Again, small steps.

As a starting point, is just using the "Fedora Project Contributors" good
enough?

later,
chris

From jkeating at redhat.com Thu Apr 6 14:19:08 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Thu, 6 Apr 2006 10:19:08 -0400
Subject: Fedora Extras Security Response Team
In-Reply-To:
References: <200604052053.k35KroJu029393@devserv.devel.redhat.com> <200604051825.15119.jkeating@redhat.com>
Message-ID: <200604061019.08302.jkeating@redhat.com>

On Thursday 06 April 2006 09:26, Chris Ricker wrote:
> As a starting point, is just using the "Fedora Project Contributors" good
> enough?

I think that's far too large of an audience. They'd much rather have a much
smaller response team, the SIG, say 5~10 people. We can cc the maintainer in
question. It is extremely imperative that we don't accidentally disclose the
issue prior to the embargo date. That is a quick way to get bounced from
Vendor-sec.

--
Jesse Keating
Release Engineer: Fedora

From jkeating at redhat.com Thu Apr 6 14:39:09 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Thu, 6 Apr 2006 10:39:09 -0400
Subject: Results of checking todays lwn security page
In-Reply-To: <4434DD16.5040208@hhs.nl>
References: <4434DCA4.4080605@hhs.nl> <4434DD16.5040208@hhs.nl>
Message-ID: <200604061039.09566.jkeating@redhat.com>

On Thursday 06 April 2006 05:19, Hans de Goede wrote:
> What happens if I add fedora-security-list at redhat.com to the CC-list,
> will this work? If not can someone make this work?

Please no. This list is being used to discuss how to create a security
response system for Extras. CCing it with bugs will not help. We're trying
to determine and create the proper place for these bugs to be cc'd or
assigned to.

--
Jesse Keating
Release Engineer: Fedora

From bressers at redhat.com Thu Apr 6 14:48:56 2006
From: bressers at redhat.com (Josh Bressers)
Date: Thu, 06 Apr 2006 10:48:56 -0400
Subject: Results of checking todays lwn security page
In-Reply-To: Your message of "Thu, 06 Apr 2006 11:17:24 +0200." <4434DCA4.4080605@hhs.nl>
Message-ID: <200604061448.k36Emuag005509@devserv.devel.redhat.com>

>
> Also a number in core but I assume those are known:

Yes, here are the bugs. We place the CVE id in the bug summary to make for
quick searching.
> MySQL: logging bypass:
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0903

Bug #183261

> php: insecure data:
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1490

Bug #187231

> samba: clear text password exposure:
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1059

Bug #187170

--
JB

From dennis at ausil.us Fri Apr 7 17:07:16 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Fri, 7 Apr 2006 12:07:16 -0500
Subject: ClamAV
Message-ID: <200604071207.17245.dennis@ausil.us>

I just reported a security bug for ClamAV in Extras.

It came to me from bugtraq; while I know it's not the be all and end all of
finding issues, it's a place to start.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188286

--
Regards
Dennis Gilmore, RHCE
Proud Australian

From kaboom at oobleck.net Fri Apr 7 17:14:04 2006
From: kaboom at oobleck.net (Chris Ricker)
Date: Fri, 7 Apr 2006 13:14:04 -0400 (EDT)
Subject: ClamAV
In-Reply-To: <200604071207.17245.dennis@ausil.us>
References: <200604071207.17245.dennis@ausil.us>
Message-ID:

On Fri, 7 Apr 2006, Dennis Gilmore wrote:

> I just reported a security bug for ClamAV in Extras.
>
> It came to me from bugtraq; while I know it's not the be all and end all of
> finding issues, it's a place to start.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188286

One thought - it might be best in cases like that to file a separate bug for
each CVE. I'd think it'll simplify verifying that all CVEs are covered later,
and it also accommodates better for having to backport separate patches to fix
each CVE if the decision is not to upgrade....
later,
chris

From tibbs at math.uh.edu Fri Apr 7 17:17:36 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Fri, 07 Apr 2006 12:17:36 -0500
Subject: ClamAV
In-Reply-To: <200604071207.17245.dennis@ausil.us> (Dennis Gilmore's message of "Fri, 7 Apr 2006 12:07:16 -0500")
References: <200604071207.17245.dennis@ausil.us>
Message-ID:

>>>>> "DG" == Dennis Gilmore writes:

DG> I just reported a security bug for ClamAV in Extras

0.88.1 was checked in and built yesterday (for devel, FC-5 and FC-4, at
least).

- J<

From dennis at ausil.us Fri Apr 7 17:24:46 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Fri, 7 Apr 2006 12:24:46 -0500
Subject: ClamAV
In-Reply-To:
References: <200604071207.17245.dennis@ausil.us>
Message-ID: <200604071224.46259.dennis@ausil.us>

On Friday 07 April 2006 12:17, Jason L Tibbitts III wrote:
> >>>>> "DG" == Dennis Gilmore writes:
>
> DG> I just reported a security bug for ClamAV in Extras
>
> 0.88.1 was checked in and built yesterday (for devel, FC-5 and FC-4,
> at least).
>
> - J<

Somehow I don't have the commits emails; it's not released yet. This is a
package that is widely used and could do with having an email sent to
fedora-announce when it's pushed.

--
Regards
Dennis Gilmore, RHCE
Proud Australian

From kaboom at oobleck.net Fri Apr 7 17:22:53 2006
From: kaboom at oobleck.net (Chris Ricker)
Date: Fri, 7 Apr 2006 13:22:53 -0400 (EDT)
Subject: ClamAV
In-Reply-To:
References: <200604071207.17245.dennis@ausil.us>
Message-ID:

On Fri, 7 Apr 2006, Jason L Tibbitts III wrote:

> >>>>> "DG" == Dennis Gilmore writes:
>
> DG> I just reported a security bug for ClamAV in Extras
>
> 0.88.1 was checked in and built yesterday (for devel, FC-5 and FC-4,
> at least).
Just for those three, which raises the issue of a handoff to Legacy for
FC-3, etc

later,
chris

From dennis at ausil.us Fri Apr 7 17:33:43 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Fri, 7 Apr 2006 12:33:43 -0500
Subject: ClamAV
In-Reply-To:
References: <200604071207.17245.dennis@ausil.us>
Message-ID: <200604071233.43446.dennis@ausil.us>

On Friday 07 April 2006 12:22, Chris Ricker wrote:
> On Fri, 7 Apr 2006, Jason L Tibbitts III wrote:
> > >>>>> "DG" == Dennis Gilmore writes:
> >
> > DG> I just reported a security bug for ClamAV in Extras
> >
> > 0.88.1 was checked in and built yesterday (for devel, FC-5 and FC-4,
> > at least).
>
> Just for those three, which raises the issue of a handoff to Legacy for
> FC-3, etc
>

Legacy has stated that they will not support Extras as they don't have the
resources needed for the extra work load. Extras needs to support Extras
until such time as Legacy drops support. When a Core release goes into
maintenance mode Extras should also, which would mean major bugs and
security fixes only. The SIG is too small right now to look after all of
Extras so the maintainers should be strongly encouraged to do it, with
support from the security SIG. I have requested that FC-3 also be built.

--
Regards
Dennis Gilmore, RHCE
Proud Australian

From tibbs at math.uh.edu Fri Apr 7 17:34:06 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Fri, 07 Apr 2006 12:34:06 -0500
Subject: ClamAV
In-Reply-To: <200604071224.46259.dennis@ausil.us> (Dennis Gilmore's message of "Fri, 7 Apr 2006 12:24:46 -0500")
References: <200604071207.17245.dennis@ausil.us> <200604071224.46259.dennis@ausil.us>
Message-ID:

>>>>> "DG" == Dennis Gilmore writes:

DG> Somehow I don't have the commits emails; it's not released yet.

It's been built and awaiting signature for 23 hours now. Every time
something like this comes up a pile of issues reveal themselves: emergency
sign&push, procedures for maintainers to drop old releases, where to send
announcements.
We made plenty of proposals but of course nothing happened.

- J<

From ville.skytta at iki.fi Fri Apr 7 17:48:28 2006
From: ville.skytta at iki.fi (Ville Skyttä)
Date: Fri, 07 Apr 2006 20:48:28 +0300
Subject: ClamAV
In-Reply-To:
References: <200604071207.17245.dennis@ausil.us> <200604071224.46259.dennis@ausil.us>
Message-ID: <1144432108.2800.14.camel@localhost.localdomain>

On Fri, 2006-04-07 at 12:34 -0500, Jason L Tibbitts III wrote:
> >>>>> "DG" == Dennis Gilmore writes:
>
> DG> Somehow I don't have the commits emails; it's not released yet.
>
> It's been built and awaiting signature for 23 hours now.

FE commit mails were broken, but appear to work again now.

> emergency sign&push

Mail to extras-signers at fedoraproject.org is delivered to folks who can do
that for Extras. I'll take care of this push in a jiffy.

From shiva at sewingwitch.com Sat Apr 8 00:04:24 2006
From: shiva at sewingwitch.com (Kenneth Porter)
Date: Fri, 07 Apr 2006 17:04:24 -0700
Subject: ClamAV
In-Reply-To: <200604071233.43446.dennis@ausil.us>
References: <200604071207.17245.dennis@ausil.us> <200604071233.43446.dennis@ausil.us>
Message-ID:

On Friday, April 07, 2006 12:33 PM -0500 Dennis Gilmore wrote:

> The SIG is too small right now to look after all of Extras so the
> maintainers should be strongly encouraged to do it, with support from
> the security SIG. I have requested that FC-3 also be built.

FYI, 88.1 from FC5 Extras builds fine on FC2, and I'll be updating my
installation later today.

I did find that Extras/Development still has the older 88 package, so
apparently 88.1 didn't go through Development first. (I've got the SRPM
directories for Core/Development and Extras/Development bookmarked and draw
from there for my more important FC2 updates.)
From tibbs at math.uh.edu Sat Apr 8 00:23:07 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Fri, 07 Apr 2006 19:23:07 -0500
Subject: ClamAV
In-Reply-To: (Kenneth Porter's message of "Fri, 07 Apr 2006 17:04:24 -0700")
References: <200604071207.17245.dennis@ausil.us> <200604071233.43446.dennis@ausil.us>
Message-ID:

>>>>> "KP" == Kenneth Porter writes:

KP> I did find that Extras/Development still has the older 88 package,
KP> so apparently 88.1 didn't go through Development first.

It's in CVS; it seems Enrico didn't send a build request.

KP> (I've got the SRPM directories for Core/Development and
KP> Extras/Development bookmarked and draw from there for my more
KP> important FC2 updates.)

I find it easier to work from CVS; just checkout and type "make i386" to
have packages dropped in the current directory.

- J<

From shiva at sewingwitch.com Sat Apr 8 00:32:19 2006
From: shiva at sewingwitch.com (Kenneth Porter)
Date: Fri, 07 Apr 2006 17:32:19 -0700
Subject: ClamAV
In-Reply-To:
References: <200604071207.17245.dennis@ausil.us> <200604071233.43446.dennis@ausil.us>
Message-ID:

On Friday, April 07, 2006 7:23 PM -0500 Jason L Tibbitts III wrote:

> I find it easier to work from CVS; just checkout and type "make i386"
> to have packages dropped in the current directory.

Good to know. Might be a good thing to stuff in the wiki somewhere.
From j.w.r.degoede at hhs.nl Thu Apr 13 06:59:57 2006
From: j.w.r.degoede at hhs.nl (Hans de Goede)
Date: Thu, 13 Apr 2006 08:59:57 +0200
Subject: Results of today's LWN security page check
Message-ID: <443DF6ED.4000200@hhs.nl>

As every Thursday, see:

perl-Imager, CVE-2006-0053:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188315

clamav, CVE-2006-1614 CVE-2006-1615 CVE-2006-1630:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188881
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188882
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188883

mplayer, CVE-2006-1502:
http://bugzilla.livna.org/show_bug.cgi?id=849

openvpn, CVE-2006-1629:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188050

plone, CVE-2006-1711:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188886

Regards,

Hans

From sundaram at fedoraproject.org Thu Apr 13 07:04:22 2006
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Thu, 13 Apr 2006 12:34:22 +0530
Subject: Results of today's LWN security page check
In-Reply-To: <443DF6ED.4000200@hhs.nl>
References: <443DF6ED.4000200@hhs.nl>
Message-ID: <1144911862.2294.331.camel@sundaram.pnq.redhat.com>

On Thu, 2006-04-13 at 08:59 +0200, Hans de Goede wrote:
> As every Thursday, see:
>
> perl-Imager, CVE-2006-0053:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188315
>
> clamav, CVE-2006-1614 CVE-2006-1615 CVE-2006-1630:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188881
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188882
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188883
>
> mplayer, CVE-2006-1502:
> http://bugzilla.livna.org/show_bug.cgi?id=849
>
> openvpn, CVE-2006-1629:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188050
>
> plone, CVE-2006-1711:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188886
>
> Regards,
>
> Hans

Maybe we should make it a requirement that all the Fedora Core and Extras package maintainers be subscribed to this list?
Rahul

From fedora at leemhuis.info Thu Apr 13 07:57:00 2006
From: fedora at leemhuis.info (Thorsten Leemhuis)
Date: Thu, 13 Apr 2006 09:57:00 +0200
Subject: Results of today's LWN security page check
In-Reply-To: <1144911862.2294.331.camel@sundaram.pnq.redhat.com>
References: <443DF6ED.4000200@hhs.nl> <1144911862.2294.331.camel@sundaram.pnq.redhat.com>
Message-ID: <1144915021.30432.12.camel@thl.ct.heise.de>

On Thursday, 13.04.2006, 12:34 +0530, Rahul Sundaram wrote:
> On Thu, 2006-04-13 at 08:59 +0200, Hans de Goede wrote:
> > As every Thursday, see:
> Maybe we should make it a requirement that all the Fedora Core and
> Extras package maintainers be subscribed to this list?

I don't like that idea -- I suspect a lot of people will send all mail to /dev/null. Bugs and direct mails should be enough. Maybe a public reminder with all open issues to fedora-maintainers would be a good idea.

CU
thl

From tibbs at math.uh.edu Thu Apr 13 19:24:08 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Thu, 13 Apr 2006 14:24:08 -0500
Subject: [(nowhere)] [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2
Message-ID:

This would seem to apply to Extras. What should happen from here? Bugzilla?

 - J<

-------------- next part --------------
An embedded message was scrubbed...
From: bugtraq at morph3us.org
Subject: [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2
Date: 12 Apr 2006 23:59:17 -0000
Size: 7496
URL:
-------------- next part --------------
--
Jason L Tibbitts III - tibbs at math.uh.edu - 713/743-3486 - 660PGH - 94 PC800
System Manager: University of Houston Department of Mathematics
And with death The knowledge comes It was the life all along We'd been afraid of

From jkeating at redhat.com Thu Apr 13 19:28:36 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Thu, 13 Apr 2006 15:28:36 -0400
Subject: [(nowhere)] [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2
In-Reply-To:
References:
Message-ID: <1144956517.11789.11.camel@ender>

On Thu, 2006-04-13 at 14:24 -0500, Jason L Tibbitts III wrote:
> This would seem to apply to Extras. What should happen from here?
> Bugzilla?

Yes, bugzilla it against amaya, noting the CVE in the summary.

--
Jesse Keating
Release Engineer: Fedora

From tibbs at math.uh.edu Thu Apr 13 20:07:22 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Thu, 13 Apr 2006 15:07:22 -0500
Subject: [(nowhere)] [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2
In-Reply-To: <1144956517.11789.11.camel@ender> (Jesse Keating's message of "Thu, 13 Apr 2006 15:28:36 -0400")
References: <1144956517.11789.11.camel@ender>
Message-ID:

>>>>> "JK" == Jesse Keating writes:

JK> Yes, bugzilla it against amaya, noting the CVE in the summary.

Unfortunately there is no CVE that I can find. There is an existing CVE for Amaya (CVE-2005-4728) which is not related to this problem and which seems to be Debian-specific.
 - J<

From gauret at free.fr Thu Apr 13 21:09:11 2006
From: gauret at free.fr (Aurelien Bompard)
Date: Thu, 13 Apr 2006 23:09:11 +0200
Subject: [(nowhere)] [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2
In-Reply-To:
References: <1144956517.11789.11.camel@ender>
Message-ID: <200604132309.16032.gauret@free.fr>

> JK> Yes, bugzilla it against amaya, noting the CVE in the summary.
>
> Unfortunately there is no CVE that I can find. There is an existing
> CVE for Amaya (CVE-2005-4728) which is not related to this problem and
> which seems to be Debian-specific.

Yes, a bugzilla is the best way to make sure it's fixed. In the meantime, I used to be the maintainer of Amaya, which I orphaned in September 2005, but I'll try to patch this vuln the best I can.

Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook

From deisenst at gtw.net Mon Apr 17 15:24:33 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Mon, 17 Apr 2006 10:24:33 -0500 (CDT)
Subject: Heads up! Firefox & Mozilla
Message-ID:

Hi Folks,

Over the (HOLIDAY!) weekend, Mozilla released a new Firefox (1.0.8) fixing a set of critical vulnerabilities. The upstream (mozilla.org) chose *not*, however, to release the Mozilla code for 1.7.13 yet, but I am told that the updated Mozilla will be released officially in the near future. We may, however, be able to get our hands on the sources before then and get it in the pipeline for QA and such.
Some of the critical issues (potential remotely exploited code execution) can be mitigated by turning off Javascript, but not all, as there is one issue that I am told that can be triggered by HTML tags. From MFSA 2006-18:

"A particular sequence of HTML tags that reliably crash Mozilla clients was reported by an anonymous researcher via TippingPoint and the Zero Day Initiative. The crash is due to memory corruption that can be exploited to run arbitrary code.

"Mozilla mail clients will crash on the tag sequence, but without the ability to run scripts to fill memory with the attack code it may not be possible for an attacker to exploit this crash."

These issues affect Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0, according to CVE-2006-0749.

Be careful out there! We'll get these out for Legacy as soon as we can.

Regards,
David Eisenstein

From sundaram at fedoraproject.org Tue Apr 18 16:57:11 2006
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Tue, 18 Apr 2006 22:27:11 +0530
Subject: Heads up! Firefox & Mozilla
In-Reply-To:
References:
Message-ID: <1145379432.349.148.camel@sundaram.pnq.redhat.com>

On Mon, 2006-04-17 at 10:24 -0500, David Eisenstein wrote:
> Hi Folks,
>
> Over the (HOLIDAY!) weekend, Mozilla released a new Firefox (1.0.8) fixing
> a set of critical vulnerabilities. The upstream (mozilla.org) chose
> *not*, however, to release the Mozilla code for 1.7.13 yet, but I am told
> that the updated Mozilla will be released officially in the near future.
> We may, however, be able to get our hands on the sources before then and
> get it in the pipeline for QA and such.
>
> Some of the critical issues (potential remotely exploited code execution)
> can be mitigated by turning off Javascript, but not all, as there is one
> issue that I am told that can be triggered by HTML tags.
> From MFSA 2006-18:
>
> "A particular sequence of HTML tags that reliably crash Mozilla clients
> was reported by an anonymous researcher via TippingPoint and the Zero
> Day Initiative. The crash is due to memory corruption that can be
> exploited to run arbitrary code.
>
> "Mozilla mail clients will crash on the tag sequence, but without the
> ability to run scripts to fill memory with the attack code it may not
> be possible for an attacker to exploit this crash."
>
> These issues affect Mozilla Firefox and Thunderbird 1.x before 1.5 and
> 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0,
> according to CVE-2006-0749.
>
> Be careful out there! We'll get these out for Legacy as soon as we can.

Updates have been announced for Fedora Core 4 and Fedora Core 5. It should be easy enough to rebuild it and provide them for Fedora Legacy.

Rahul

From deisenst at gtw.net Mon Apr 24 03:07:25 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Sun, 23 Apr 2006 22:07:25 -0500
Subject: A few questions about cve.mitre.org
Message-ID: <005e01c6674c$3ec4fb30$0100a8c0@homedns.org>

Hi there,

There is something I've always wondered... How do CVE items in CVE's database have their status changed? In my time of working with vulnerabilities, I have only seen a few items graduate from Status="Candidate" to Status="..." (is it "Confirmed"?).

Another question. How does one submit information or corrections to the cve.mitre.org folks?

I've been recently mentoring someone on identifying and reporting vulnerabilities into Bugzilla (or "Vulnerability Tracking"). We were reviewing . In reviewing it, I noticed that its description, although true, is not the whole truth:

"Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations."
Someone reading this summary description (and nothing else) might walk away thinking, "Oh! I run Sendmail 8.11.6, so I am not vulnerable to this issue." Although true that this affects Sendmail 8.13.x before 8.13.x, according to Bugtraq ID 17192, it exists also in Sendmail versions 8.12.x, 8.11.x, 8.10(.x), 8.9(.x), and 8.8.8. Which is why Red Hat issued updates for RHEL 2.1 and 3 as well as RHEL 4, and why Legacy issued updates for all distros we maintain.

So I would propose that the CVE people need to change the summary description to say something like:

"Signal handler race condition in Sendmail versions 8.8.8 before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations."

Also -- What makes the CVE maintainers notice a given advisory and maybe skip another? The Fedora Legacy advisory FLSA:186277 mentioned in CVE-2006-0058's references is referring to an obsolete advisory, as Legacy had to re-release sendmail with an updated advisory.

* The original Legacy advisory for this issue is at (also at )

* The updated Legacy advisory is at

Do we need to renumber the advisory so it will get attention by the CVE folks? Or make a special effort to send mail to the CVE people letting them know that the reference in CVE-2006-0058 needs updating? If so, who do we write?

Thanks in advance!

Warm regards,
David Eisenstein

From bressers at redhat.com Mon Apr 24 11:06:09 2006
From: bressers at redhat.com (Josh Bressers)
Date: Mon, 24 Apr 2006 07:06:09 -0400
Subject: A few questions about cve.mitre.org
In-Reply-To: Your message of "Sun, 23 Apr 2006 22:07:25 CDT." <005e01c6674c$3ec4fb30$0100a8c0@homedns.org>
Message-ID: <200604241106.k3OB6902021099@devserv.devel.redhat.com>

>
> There is something I've always wondered... How do CVE items in
> CVE's database have their status changed?
> In my time of working with
> vulnerabilities, I have only seen a few items graduate from
> Status="Candidate" to Status="..." (is it "Confirmed"?).

This along with much other information is covered here:
http://cve.mitre.org/about/

> Another question. How does one submit information or corrections
> to the cve.mitre.org folks?

You can mail cve at mitre.org with your corrections. Please keep in mind that they are swamped with the volume of security issues, so your correction will take some time.

> Also -- What makes the CVE maintainers notice a given advisory and
> maybe skip another? The Fedora Legacy advisory FLSA:186277 mentioned
> in CVE-2006-0058's references is referring to an obsolete advisory, as
> Legacy had to re-release sendmail with an updated advisory.
>
> * The original Legacy advisory for this issue is at
> (also at )
>
> * The updated Legacy advisory is at
>
> Do we need to renumber the advisory so it will get attention by the CVE
> folks? Or make a special effort to send mail to the CVE people letting
> them know that the reference in CVE-2006-0058 needs updating? If so, who
> do we write?

You can mail them telling them where the new advisory is (once again though, this will take time to be updated as this would be a low priority task).

This is one of the problems with using a mailing list to publish your advisories. Once it's published, it's read only.

--
JB

From michael at knox.net.nz Fri Apr 28 19:55:45 2006
From: michael at knox.net.nz (Michael J Knox)
Date: Sat, 29 Apr 2006 07:55:45 +1200
Subject: Intro...
Message-ID: <44527341.5090401@knox.net.nz>

Hey All,

Based on Josh Bressers' email to me on devel... I have joined up here to help out with the "Security Response Team / EOL" and to hopefully work on a better way to handle "retired" packages.
Michael

From bressers at redhat.com Fri Apr 28 20:15:19 2006
From: bressers at redhat.com (Josh Bressers)
Date: Fri, 28 Apr 2006 16:15:19 -0400
Subject: Fedora Extras Security Response Team
Message-ID: <200604282015.k3SKFJkB029524@devserv.devel.redhat.com>

Hello everybody.

In case you didn't see, there was a post by Thorsten Leemhuis to the fedora-extras list regarding the creation of a Fedora Extras security response team. The message can be seen here:
https://www.redhat.com/archives/fedora-extras-list/2006-April/msg01650.html

Here are the people I know have an interest in helping out with the security response team:

Hans de Goede
Jason L Tibbitts III
Dennis Gilmore
Jochen Schmitt
Ville Skyttä
Michael J Knox

If you're interested, feel free to chime in.

Right now I have a pretty good idea of what's needed to get this project off the ground.

We have a mailing list (which would be step one).

I need to fix up some CVS space for things like tools and tracking text files. This repository is here:
http://cvs.fedora.redhat.com/viewcvs/fedora-security/?root=fedora

We will need a package manifest. Basically a file that tells us which packages and versions we're currently shipping in extras. A tool to generate this will also be needed since we'll want to update this file on a regular basis. Given how fast Extras changes I think this will be the easiest way to check if we currently ship package .

An errata template is needed. I'm thinking we should copy the current Fedora Core template for now. We can mangle it as we see fit at a later date.

Process needs to be documented on the fedoraproject wiki. Since we don't currently have a process, this is the only thing done :) The most important part of this will be making it easy to specify what we expect of ourselves.

I hope to have some time this weekend to clean up the security wiki pages a bit.

I think this is enough for now. Questions, Comments?
--
JB

From jkeating at redhat.com Fri Apr 28 20:30:21 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Fri, 28 Apr 2006 16:30:21 -0400
Subject: Fedora Extras Security Response Team
In-Reply-To: <200604282015.k3SKFJkB029524@devserv.devel.redhat.com>
References: <200604282015.k3SKFJkB029524@devserv.devel.redhat.com>
Message-ID: <1146256221.13972.11.camel@ender>

On Fri, 2006-04-28 at 16:15 -0400, Josh Bressers wrote:
> If you're interested, feel free to chime in.

Add me to the list. I can try to help w/ packaging up stuff that gets reported, or reviewing proposed updates. I'm also really trying to drive this policy approval home within Extras.

--
Jesse Keating
Release Engineer: Fedora

From bressers at redhat.com Fri Apr 28 20:47:52 2006
From: bressers at redhat.com (Josh Bressers)
Date: Fri, 28 Apr 2006 16:47:52 -0400
Subject: Fedora Extras Security Response Team
In-Reply-To: Your message of "Fri, 28 Apr 2006 16:15:19 EDT." <200604282015.k3SKFJkB029524@devserv.devel.redhat.com>
Message-ID: <200604282047.k3SKlqeM006339@devserv.devel.redhat.com>

> Hello everybody.
>
> In case you didn't see, there was a post by Thorsten Leemhuis to the
> fedora-extras list regarding the creation of a Fedora Extras security
> response team. The message can be seen here:
> https://www.redhat.com/archives/fedora-extras-list/2006-April/msg01650.html

It's been suggested that we call this group the "Fedora Security Response Team". I don't have a complaint. Unless someone has a very good reason, we'll say that's the name.

--
JB

From bressers at redhat.com Fri Apr 28 20:51:27 2006
From: bressers at redhat.com (Josh Bressers)
Date: Fri, 28 Apr 2006 16:51:27 -0400
Subject: Fedora Extras Security Response Team
In-Reply-To: Your message of "Fri, 28 Apr 2006 16:23:06 EDT."
Message-ID: <200604282051.k3SKpR35007912@devserv.devel.redhat.com>

> On Fri, 28 Apr 2006, Josh Bressers wrote:
>
> > If you're interested, feel free to chime in.
>
> I'm interested as well
>
> > We will need a package manifest. Basically a file that tells us which
> > packages and versions we're currently shipping in extras. A tool to
> > generate this will also be needed since we'll want to update this file on a
> > regular basis. Given how fast Extras changes I think this will be the
> > easiest way to check if we currently ship package .
>
> What's the scope here? Should it cover what's in CVS or what's built and
> shipped as a package? I can see pros and cons each way

I think it's important to keep an eye out for new things, but also there's no reason to track a deprecated package that also happens to be in CVS. A blend of the two will be needed.

> Also, does it need to be part of the Fedora infrastructure stuff (say, a
> script run on the repository every time a package push hits), or can it be
> client-side (say, once a day I check out CVS trees for FE, walk them to
> see what's in them, check results into fedora-security/package or
> whatever)

I was thinking that initially we just run a manual client side process from time to time. Eventually I would like to see an automated process that updates a package manifest.

--
JB

From tibbs at math.uh.edu Fri Apr 28 21:10:35 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Fri, 28 Apr 2006 16:10:35 -0500
Subject: Fedora Extras Security Response Team
In-Reply-To: <200604282015.k3SKFJkB029524@devserv.devel.redhat.com> (Josh Bressers's message of "Fri, 28 Apr 2006 16:15:19 -0400")
References: <200604282015.k3SKFJkB029524@devserv.devel.redhat.com>
Message-ID:

>>>>> "JB" == Josh Bressers writes:

JB> We will need a package manifest. Basically a file that tells us
JB> which packages and versions we're currently shipping in extras.
Here's the query script I use:

#!/usr/bin/perl -w
# Look a package up in owners.list, then list every SRPM of it found in
# each release tree of the local Extras mirror.
$OWNERS='/home/tibbs/work/extras-cvs/owners/owners.list';
$MIRROR='/nas/redhat/mirror-extras';
@RELEASES=qw(3 4 5 development);
$qa='';     # quiet "used only once" warning; the field is parsed but unused

open OWNERS, $OWNERS or die "Can't open $OWNERS: $!";
while (defined($l = <OWNERS>)) {
    next if $l =~ /^#/;
    chomp $l;
    ($distro, $package, $desc, $owner, $qa, $cc) = split(/\|/, $l);
    last if $package eq $ARGV[0];
}
close OWNERS;
# If the loop ran off the end, $package still holds the last line's entry,
# so compare against the requested name rather than testing for emptiness.
unless (defined $package && $package eq $ARGV[0]) {
    print "Could not find package $ARGV[0] in $OWNERS\n";
    exit 1;
}

print "Found package $package in owners.list:\n";
print "  Distro:\t$distro\n";
print "  Desc:\t\t$desc\n";
print "  Owner:\t$owner\n";
print "  CC:\t\t$cc\n";
print "  Releases and versions:\n";

for $release (@RELEASES) {
    $dir = "$MIRROR/$release/SRPMS";
    $release eq "development" && ($release = "dev");
    opendir DIR, $dir or die "Can't opendir $dir: $!";
    while (defined($f = readdir(DIR))) {
        # \Q...\E so a '+' or '.' in the package name is matched literally
        next unless $f =~ /^\Q$package\E-(.*)\.src\.rpm$/;
        $rest = $1;
        # A remaining "x-y-z" means we matched a longer package name that
        # merely starts with ours (e.g. "xmms-skins" when asked for "xmms").
        next if $rest =~ /-.*-/;
        ($ver, $rev) = $rest =~ /^([^-]+)-([^-]+)$/;
        print "    $release\t$ver\t$rev\t$dir/$f\n";
    }
    closedir DIR;
}

> releases xmms
Found package xmms in owners.list:
  Distro:       Fedora Extras
  Desc:         The X MultiMedia System, a media player which resembles Winamp
  Owner:        ville.skytta at iki.fi
  CC:
  Releases and versions:
    4   1.2.10  19.fc4  /nas/redhat/mirror-extras/4/SRPMS/xmms-1.2.10-19.fc4.src.rpm
    4   1.2.10  21.fc4  /nas/redhat/mirror-extras/4/SRPMS/xmms-1.2.10-21.fc4.src.rpm
    5   1.2.10  22.fc5  /nas/redhat/mirror-extras/5/SRPMS/xmms-1.2.10-22.fc5.src.rpm
    5   1.2.10  23.fc5  /nas/redhat/mirror-extras/5/SRPMS/xmms-1.2.10-23.fc5.src.rpm
    dev 1.2.10  23.fc6  /nas/redhat/mirror-extras/development/SRPMS/xmms-1.2.10-23.fc6.src.rpm

 - J<

From lmacken at redhat.com Sat Apr 29 00:50:02 2006
From: lmacken at redhat.com (Luke Macken)
Date: Fri, 28 Apr 2006 20:50:02 -0400
Subject: Fedora Extras Security Response Team
In-Reply-To: <200604282015.k3SKFJkB029524@devserv.devel.redhat.com>
References: <200604282015.k3SKFJkB029524@devserv.devel.redhat.com>
Message-ID:
<20060429005002.GA16635@tomservo.boston.redhat.com>

On Fri, Apr 28, 2006 at 04:15:19PM -0400, Josh Bressers wrote:
> Hello everybody.
>
> In case you didn't see, there was a post by Thorsten Leemhuis to the
> fedora-extras list regarding the creation of a Fedora Extras security
> response team. The message can be seen here:
> https://www.redhat.com/archives/fedora-extras-list/2006-April/msg01650.html
>
> Here are the people I know have an interest in helping out with the
> security response team:
>
> Hans de Goede
> Jason L Tibbitts III
> Dennis Gilmore
> Jochen Schmitt
> Ville Skyttä
> Michael J Knox
>
> If you're interested, feel free to chime in.

I'm definitely willing to help out.

luke

From j.w.r.degoede at hhs.nl Sat Apr 29 07:38:01 2006
From: j.w.r.degoede at hhs.nl (Hans de Goede)
Date: Sat, 29 Apr 2006 09:38:01 +0200
Subject: Fedora Extras Security Response Team
In-Reply-To: <200604282015.k3SKFJkB029524@devserv.devel.redhat.com>
References: <200604282015.k3SKFJkB029524@devserv.devel.redhat.com>
Message-ID: <445317D9.6050702@hhs.nl>

Josh Bressers wrote:
> Hello everybody.
>
> In case you didn't see, there was a post by Thorsten Leemhuis to the
> fedora-extras list regarding the creation of a Fedora Extras security
> response team. The message can be seen here:
> https://www.redhat.com/archives/fedora-extras-list/2006-April/msg01650.html
>
> Here are the people I know have an interest in helping out with the
> security response team:
>
> Hans de Goede
> Jason L Tibbitts III
> Dennis Gilmore
> Jochen Schmitt
> Ville Skyttä
> Michael J Knox
>

I'm most definitely still interested, IOW count me in. I won't be doing much of the monitoring and bookkeeping, except for the checking of lwn's weekly security report against extras. I already get way too much mail as things are.

I'm however "available" for helping out with / reviewing less than trivial fixes (C and C++ only) and I'm available to fix packages where the maintainer is not available or not responsive.
I would like to suggest the following procedure for any "help needed (in any form)" requests:
- send a mail to this list with the "help" request
- if appropriate someone can claim this (assign bz ticket?)
- if appropriate once the fix is in CVS the fixer posts a request for a review to this list.

Regards,

Hans

From Christian.Iseli at licr.org Sat Apr 29 07:55:42 2006
From: Christian.Iseli at licr.org (Christian.Iseli at licr.org)
Date: Sat, 29 Apr 2006 09:55:42 +0200
Subject: Fedora Extras Security Response Team
In-Reply-To: Your message of "Fri, 28 Apr 2006 16:15:19 EDT." <200604282015.k3SKFJkB029524@devserv.devel.redhat.com>
Message-ID: <200604290755.k3T7thTJ032281@mx3.redhat.com>

bressers at redhat.com said:
> A tool to generate this will also be needed since we'll want to update this
> file on a regular basis.

Should be easy to snarf a piece of my script here:
http://cvs.fedora.redhat.com/viewcvs/status-report-scripts/?root=fedora

Basically, you just need to retain the grabRepoList piece for Extras, keep a bit more info than just the package name, and format the output to taste.

If no one beats me to it, I'm happy to do the job some time in the coming days (sorry, a bit swamped right now...).

Cheers,
Christian (who didn't notice the reply-to was not the list...)
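The package manifest that Josh asks for in this thread, and that Jason's owners.list/SRPMS query script and Christian's grabRepoList both approach from different ends, is at heart a walk over the per-release SRPMS directories that splits each file name into name, version and release and keeps the newest build of each package. The script below is an added illustration of that tool, written for this edited archive page and not taken from the list, fedora-security CVS or status-report-scripts. It assumes the usual <name>-<version>-<release>.src.rpm naming (version and release cannot contain a hyphen, so the last two hyphens are the separators even when the name itself contains one, the case Jason's "/-.*-/" test guards against), and it uses a constructed in-memory directory listing in place of a real mirror so it runs offline. The version comparison follows the segment-wise scheme rpm's rpmvercmp uses at its core; it is a simplified reimplementation, not a call into rpm.

```python
"""Package manifest generator for an Extras-style SRPMS tree (added example).

Assumptions (not from the list posts): files are named
<name>-<version>-<release>.src.rpm, and the manifest keeps only the newest
build of each package per distribution release.
"""
import re
from collections import defaultdict

# Constructed sample input standing in for `ls <mirror>/<release>/SRPMS`
# under the 3/4/5/development layout Jason's script walks. Not real data.
SAMPLE_TREES = {
    "4": ["xmms-1.2.10-19.fc4.src.rpm", "xmms-1.2.10-21.fc4.src.rpm",
          "xmms-skins-1.2.10-3.fc4.src.rpm", "clamav-0.88-1.fc4.src.rpm",
          "clamav-0.88.1-1.fc4.src.rpm"],
    "5": ["xmms-1.2.10-22.fc5.src.rpm", "xmms-1.2.10-23.fc5.src.rpm",
          "clamav-0.88.1-1.fc5.src.rpm", "README.txt"],
    "development": ["xmms-1.2.10-23.fc6.src.rpm", "clamav-0.88-1.fc6.src.rpm"],
}

# Greedy name, then exactly one hyphen-free version and one hyphen-free
# release: the only possible split is at the last two hyphens.
SRPM_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.src\.rpm$")


def parse_srpm(filename):
    """Return (name, version, release) or None for a non-SRPM file name."""
    m = SRPM_RE.match(filename)
    if not m:
        return None
    return m.group("name"), m.group("ver"), m.group("rel")


_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Segment-wise comparison in the spirit of rpm's rpmvercmp (simplified):
    split into runs of digits / letters, compare digit runs numerically,
    a numeric segment outranks an alphabetic one, and if all common
    segments tie the string with more segments left over is newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def nvr_newer(vr_a, vr_b):
    """True if (version, release) vr_a is newer than vr_b."""
    c = rpmvercmp(vr_a[0], vr_b[0])
    if c == 0:
        c = rpmvercmp(vr_a[1], vr_b[1])
    return c > 0


def build_manifest(trees):
    """{distro_release: {name: (version, release)}} with only the newest
    build of each package retained; non-SRPM entries are skipped."""
    manifest = defaultdict(dict)
    for distro, files in trees.items():
        for f in files:
            parsed = parse_srpm(f)
            if parsed is None:
                continue
            name, ver, rel = parsed
            current = manifest[distro].get(name)
            if current is None or nvr_newer((ver, rel), current):
                manifest[distro][name] = (ver, rel)
    return dict(manifest)


def ships(manifest, name):
    """The "do we currently ship package X" check: release -> (ver, rel)."""
    return {d: pkgs[name] for d, pkgs in manifest.items() if name in pkgs}


def format_manifest(manifest):
    """Tab-separated text suitable for committing to a tracking file."""
    lines = []
    for distro in sorted(manifest):
        for name in sorted(manifest[distro]):
            ver, rel = manifest[distro][name]
            lines.append(f"{distro}\t{name}\t{ver}\t{rel}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_manifest(build_manifest(SAMPLE_TREES)))
```

To run it against a real mirror, replace SAMPLE_TREES with a dict built from os.listdir() on each <mirror>/<release>/SRPMS directory; the rest of the pipeline is unchanged. Keeping only the newest build per package is what makes the manifest answer Josh's question directly, whereas Jason's script deliberately lists every build so a human can see what is still lying around in the tree.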