From jake at lwn.net  Mon Mar 10 18:20:08 2008
From: jake at lwn.net (Jake Edge)
Date: Mon, 10 Mar 2008 12:20:08 -0600
Subject: not to beat a dead horse
Message-ID: <47D57BD8.5060905@lwn.net>

but I am trying to puzzle out the kronolith advisories. They do not
include either a CVE reference or a bugzilla reference. One contains
the changelog, one not. And the description of the problem is as
follows:

Fix privilege escalation in Horde API. Fix missing ownership
validation on share changes.

This is for FEDORA-2008-2221 and FEDORA-2008-2212.

How am I (or anyone) supposed to figure out what's going on here?

thanks!

jake

-- 
Jake Edge - LWN - jake at lwn.net - http://lwn.net


From kevin at tummy.com  Tue Mar 11 18:25:24 2008
From: kevin at tummy.com (Kevin Fenzi)
Date: Tue, 11 Mar 2008 12:25:24 -0600
Subject: not to beat a dead horse
In-Reply-To: <47D57BD8.5060905@lwn.net>
References: <47D57BD8.5060905@lwn.net>
Message-ID: <20080311122524.58728d59@ghistelwchlohm.scrye.com>

On Mon, 10 Mar 2008 12:20:08 -0600
Jake Edge wrote:

Feel free to keep beating... ;) This stuff needs to improve. :(

> but I am trying to puzzle out the kronolith advisories. They do not
> include either a CVE reference or a bugzilla reference. One contains
> the changelog, one not. And the description of the problem is as
> follows:
>
> Fix privilege escalation in Horde API. Fix missing ownership
> validation on share changes.
>
> This is for FEDORA-2008-2221 and FEDORA-2008-2212.
>
> How am I (or anyone) supposed to figure out what's going on here?

Not easily. ;(

Kronolith upstream seems pretty happy go lucky. They fixed these things
in their cvs with no upstream bugs filed. As far as I know they never
requested a CVE or anything like it. Their viewcvs setup makes it
pretty impossible to see what changed. They added other changes into
this release instead of just releasing the security updates, etc.

Manually pulling down the two releases and diffing them got me the
changes, but messy. ;(

So, what should we do in this case?

It really is a security update... should we always file
redhat.bugzilla.com bugs and make sure they are updated with info?

Should we file upstream bugs and ask them to explain the changes?

Should we request a CVE and wait for that before pushing the update?

Some guidelines here would be good...

> jake

kevin


From lkundrak at redhat.com  Wed Mar 12 15:37:32 2008
From: lkundrak at redhat.com (Lubomir Kundrak)
Date: Wed, 12 Mar 2008 16:37:32 +0100
Subject: not to beat a dead horse
In-Reply-To: <20080311122524.58728d59@ghistelwchlohm.scrye.com>
References: <47D57BD8.5060905@lwn.net>
	<20080311122524.58728d59@ghistelwchlohm.scrye.com>
Message-ID: <1205336252.9393.28.camel@localhost.localdomain>

On Tue, 2008-03-11 at 12:25 -0600, Kevin Fenzi wrote:
> On Mon, 10 Mar 2008 12:20:08 -0600
> Jake Edge wrote:
>
> Feel free to keep beating... ;) This stuff needs to improve. :(
>
> > but I am trying to puzzle out the kronolith advisories. They do not
> > include either a CVE reference or a bugzilla reference. One contains
> > the changelog, one not. And the description of the problem is as
> > follows:
> >
> > Fix privilege escalation in Horde API. Fix missing ownership
> > validation on share changes.
> >
> > This is for FEDORA-2008-2221 and FEDORA-2008-2212.
> >
> > How am I (or anyone) supposed to figure out what's going on here?
>
> Not easily. ;(
>
> Kronolith upstream seems pretty happy go lucky. They fixed these things
> in their cvs with no upstream bugs filed. As far as I know they never
> requested a CVE or anything like it. Their viewcvs setup makes it
> pretty impossible to see what changed. They added other changes into
> this release instead of just releasing the security updates, etc.
>
> Manually pulling down the two releases and diffing them got me the
> changes, but messy. ;(
>
> So, what should we do in this case?
>
> It really is a security update... should we always file
> redhat.bugzilla.com bugs and make sure they are updated with info?
>
> Should we file upstream bugs and ask them to explain the changes?
>
> Should we request a CVE and wait for that before pushing the update?
>
> Some guidelines here would be good...

Who approved these?

I noticed this before it got pushed and asked the maintainer to sort the
things out (add references to bugs, file them eventually).

-- 
Lubomir Kundrak (Red Hat Security Response Team)


From lmacken at redhat.com  Wed Mar 12 17:04:48 2008
From: lmacken at redhat.com (Luke Macken)
Date: Wed, 12 Mar 2008 13:04:48 -0400
Subject: not to beat a dead horse
In-Reply-To: <1205336252.9393.28.camel@localhost.localdomain>
References: <47D57BD8.5060905@lwn.net>
	<20080311122524.58728d59@ghistelwchlohm.scrye.com>
	<1205336252.9393.28.camel@localhost.localdomain>
Message-ID: <20080312170448.GA4239@crow.redhat.com>

On Wed, Mar 12, 2008 at 04:37:32PM +0100, Lubomir Kundrak wrote:
>
> On Tue, 2008-03-11 at 12:25 -0600, Kevin Fenzi wrote:
> > On Mon, 10 Mar 2008 12:20:08 -0600
> > Jake Edge wrote:
> >
> > Feel free to keep beating... ;) This stuff needs to improve. :(
> >
> > > but I am trying to puzzle out the kronolith advisories. They do not
> > > include either a CVE reference or a bugzilla reference. One contains
> > > the changelog, one not. And the description of the problem is as
> > > follows:
> > >
> > > Fix privilege escalation in Horde API. Fix missing ownership
> > > validation on share changes.
> > >
> > > This is for FEDORA-2008-2221 and FEDORA-2008-2212.
> > >
> > > How am I (or anyone) supposed to figure out what's going on here?
> >
> > Not easily. ;(
> >
> > Kronolith upstream seems pretty happy go lucky. They fixed these things
> > in their cvs with no upstream bugs filed. As far as I know they never
> > requested a CVE or anything like it. Their viewcvs setup makes it
> > pretty impossible to see what changed. They added other changes into
> > this release instead of just releasing the security updates, etc.
> >
> > Manually pulling down the two releases and diffing them got me the
> > changes, but messy. ;(
> >
> > So, what should we do in this case?
> >
> > It really is a security update... should we always file
> > redhat.bugzilla.com bugs and make sure they are updated with info?
> >
> > Should we file upstream bugs and ask them to explain the changes?
> >
> > Should we request a CVE and wait for that before pushing the update?
> >
> > Some guidelines here would be good...
>
> Who approved these?
>
> I noticed this before it got pushed and asked the maintainer to sort the
> things out (add references to bugs, file them eventually).

Kevin approved the F7 update, and then 3 days later I noticed the F8
update never made it out, so I approved it.

luke


From kevin at tummy.com  Wed Mar 12 17:09:11 2008
From: kevin at tummy.com (Kevin Fenzi)
Date: Wed, 12 Mar 2008 11:09:11 -0600
Subject: not to beat a dead horse
In-Reply-To: <20080312170448.GA4239@crow.redhat.com>
References: <47D57BD8.5060905@lwn.net>
	<20080311122524.58728d59@ghistelwchlohm.scrye.com>
	<1205336252.9393.28.camel@localhost.localdomain>
	<20080312170448.GA4239@crow.redhat.com>
Message-ID: <20080312110911.5ae203fd@ghistelwchlohm.scrye.com>

On Wed, 12 Mar 2008 13:04:48 -0400
Luke Macken wrote:

> On Wed, Mar 12, 2008 at 04:37:32PM +0100, Lubomir Kundrak wrote:
> >
> > On Tue, 2008-03-11 at 12:25 -0600, Kevin Fenzi wrote:
> > > On Mon, 10 Mar 2008 12:20:08 -0600
> > > Jake Edge wrote:
> > >
> > > Feel free to keep beating... ;) This stuff needs to improve. :(
> > >
> > > > but I am trying to puzzle out the kronolith advisories. They
> > > > do not include either a CVE reference or a bugzilla reference.
> > > > One contains the changelog, one not. And the description of
> > > > the problem is as follows:
> > > >
> > > > Fix privilege escalation in Horde API. Fix missing ownership
> > > > validation on share changes.
> > > >
> > > > This is for FEDORA-2008-2221 and FEDORA-2008-2212.
> > > >
> > > > How am I (or anyone) supposed to figure out what's going on
> > > > here?
> > >
> > > Not easily. ;(
> > >
> > > Kronolith upstream seems pretty happy go lucky. They fixed these
> > > things in their cvs with no upstream bugs filed. As far as I know
> > > they never requested a CVE or anything like it. Their viewcvs
> > > setup makes it pretty impossible to see what changed. They added
> > > other changes into this release instead of just releasing
> > > the security updates, etc.
> > >
> > > Manually pulling down the two releases and diffing them got me
> > > the changes, but messy. ;(
> > >
> > > So, what should we do in this case?
> > >
> > > It really is a security update... should we always file
> > > redhat.bugzilla.com bugs and make sure they are updated with
> > > info?
> > >
> > > Should we file upstream bugs and ask them to explain the changes?
> > >
> > > Should we request a CVE and wait for that before pushing the
> > > update?
> > >
> > > Some guidelines here would be good...
> >
> > Who approved these?
> >
> > I noticed this before it got pushed and asked the maintainer to
> > sort the things out (add references to bugs, file them eventually).
>
> Kevin approved the F7 update, and then 3 days later I noticed the F8
> update never made it out, so I approved it.

Yeah, I didn't see the F8 one... but I approved the other one. ;(

I did ask the submitter about bugs or docs or anything, but they said
they had no CVE or procedure to ask for one, or anything useful from
upstream.

Shall we require that at least a bug is filed against any security
update? That would allow us to add commentary on the bug at least and
hopefully help people figure things out. I am fine with that policy,
although it might mean that some updates are delayed while a bug is
filed and such.

> luke

kevin


From lkundrak at redhat.com  Wed Mar 12 17:18:30 2008
From: lkundrak at redhat.com (Lubomir Kundrak)
Date: Wed, 12 Mar 2008 18:18:30 +0100
Subject: not to beat a dead horse
In-Reply-To: <20080312110911.5ae203fd@ghistelwchlohm.scrye.com>
References: <47D57BD8.5060905@lwn.net>
	<20080311122524.58728d59@ghistelwchlohm.scrye.com>
	<1205336252.9393.28.camel@localhost.localdomain>
	<20080312170448.GA4239@crow.redhat.com>
	<20080312110911.5ae203fd@ghistelwchlohm.scrye.com>
Message-ID: <1205342310.9393.30.camel@localhost.localdomain>

On Wed, 2008-03-12 at 11:09 -0600, Kevin Fenzi wrote:
> On Wed, 12 Mar 2008 13:04:48 -0400
> Luke Macken wrote:
>
> > On Wed, Mar 12, 2008 at 04:37:32PM +0100, Lubomir Kundrak wrote:
> > >
> > > On Tue, 2008-03-11 at 12:25 -0600, Kevin Fenzi wrote:
> > > > On Mon, 10 Mar 2008 12:20:08 -0600
> > > > Jake Edge wrote:
> > > >
> > > > Feel free to keep beating... ;) This stuff needs to improve. :(
> > > >
> > > > > but I am trying to puzzle out the kronolith advisories. They
> > > > > do not include either a CVE reference or a bugzilla reference.
> > > > > One contains the changelog, one not. And the description of
> > > > > the problem is as follows:
> > > > >
> > > > > Fix privilege escalation in Horde API. Fix missing ownership
> > > > > validation on share changes.
> > > > >
> > > > > This is for FEDORA-2008-2221 and FEDORA-2008-2212.
> > > > >
> > > > > How am I (or anyone) supposed to figure out what's going on
> > > > > here?
> > > >
> > > > Not easily. ;(
> > > >
> > > > Kronolith upstream seems pretty happy go lucky. They fixed these
> > > > things in their cvs with no upstream bugs filed. As far as I know
> > > > they never requested a CVE or anything like it. Their viewcvs
> > > > setup makes it pretty impossible to see what changed. They added
> > > > other changes into this release instead of just releasing
> > > > the security updates, etc.
> > > >
> > > > Manually pulling down the two releases and diffing them got me
> > > > the changes, but messy. ;(
> > > >
> > > > So, what should we do in this case?
> > > >
> > > > It really is a security update... should we always file
> > > > redhat.bugzilla.com bugs and make sure they are updated with
> > > > info?
> > > >
> > > > Should we file upstream bugs and ask them to explain the changes?
> > > >
> > > > Should we request a CVE and wait for that before pushing the
> > > > update?
> > > >
> > > > Some guidelines here would be good...
> > >
> > > Who approved these?
> > >
> > > I noticed this before it got pushed and asked the maintainer to
> > > sort the things out (add references to bugs, file them eventually).
> >
> > Kevin approved the F7 update, and then 3 days later I noticed the F8
> > update never made it out, so I approved it.
>
> Yeah, I didn't see the F8 one... but I approved the other one. ;(
>
> I did ask the submitter about bugs or docs or anything, but they said
> they had no CVE or procedure to ask for one, or anything useful from
> upstream.
>
> Shall we require that at least a bug is filed against any security
> update? That would allow us to add commentary on the bug at least and
> hopefully help people figure things out. I am fine with that policy,
> although it might mean that some updates are delayed while a bug is
> filed and such.

Filing a bug is no delay. I'll try to put up some text to refer
maintainers to by tomorrow.

-- 
Lubomir Kundrak (Red Hat Security Response Team)


From metcalfegreg at qwest.net  Wed Mar 12 21:14:37 2008
From: metcalfegreg at qwest.net (Greg Metcalfe)
Date: Wed, 12 Mar 2008 14:14:37 -0700
Subject: not to beat a dead horse
In-Reply-To: <1205342310.9393.30.camel@localhost.localdomain>
References: <47D57BD8.5060905@lwn.net>
	<20080312110911.5ae203fd@ghistelwchlohm.scrye.com>
	<1205342310.9393.30.camel@localhost.localdomain>
Message-ID: <200803121414.37474.metcalfegreg@qwest.net>

On Wednesday 12 March 2008 10:18:30 Lubomir Kundrak wrote:
> > Shall we require that at least a bug is filed against any security
> > update? That would allow us to add commentary on the bug at least and
> > hopefully help people figure things out. I am fine with that policy,
> > although it might mean that some updates are delayed while a bug is
> > filed and such.
>
> Filing a bug is no delay. I'll try to put up some text to refer
> maintainers to by tomorrow.

It might be helpful for Red Hat people to mention a standard URL. There
will always be new people coming in, wanting to add packages from the
wishlist, etc., who could use the info.


From bugzilla at redhat.com  Thu Mar 20 00:22:52 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 19 Mar 2008 20:22:52 -0400
Subject: [Bug 238723] CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities
Message-ID: <200803200022.m2K0MqPB023666@bz-web2.app.phx.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities

https://bugzilla.redhat.com/show_bug.cgi?id=238723

bugzilla at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|fc6                         |6

berrange at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|MODIFIED                    |CLOSED
         Resolution|                            |WONTFIX

------- Additional Comments From berrange at redhat.com  2008-03-19 20:22 EST -------
Fedora Core 6 is end of life and will not receive further updates

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


From bugzilla at redhat.com  Thu Mar 20 00:22:53 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 19 Mar 2008 20:22:53 -0400
Subject: [Bug 307471] CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities
Message-ID: <200803200022.m2K0Mrq4023690@bz-web2.app.phx.redhat.com>

Summary: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities

https://bugzilla.redhat.com/show_bug.cgi?id=307471

bugzilla at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|fc6                         |6

Bug 307471 depends on bug 238723, which changed state.

Bug 238723 Summary: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities
https://bugzilla.redhat.com/show_bug.cgi?id=238723

           What    |Old Value                   |New Value
----------------------------------------------------------------------------
             Status|ASSIGNED                    |MODIFIED
             Status|MODIFIED                    |CLOSED
         Resolution|                            |WONTFIX