Fedora treats security as a joke.
StoneBeat
stonebeat at ya.com
Tue May 11 11:43:59 UTC 2004
I want to warn about the way that Fedora treats security. I'm a compulsive
reader of security lists like bugtraq, and I've never seen any security
advisory published by a Fedora Security Coordinator (or something like that),
as I've seen in other distros (Debian, Gentoo, SuSE ....), notifying about
important security advisories.
I regularly check for updates using yum and see that there are new
RPM updates. I believe that the security fixes are in these updates, but I
really don't know, because there are no advisories.
I got fed up and did a little research about security and Fedora, so I took a
quite old security advisory relating to "lha". Some people found security bugs
in this tool; you can see more info here:
http://www.securiteam.com/unixfocus/5LP000KCVC.html
Today many distros have the appropriate security advisory and patch; one of
these distros is RedHat: http://rhn.redhat.com/errata/RHSA-2004-179.html
but Fedora users don't have a security advisory or security patch. I checked
yum and I don't see anything about lha, and the lha version shipped with Fedora
Core 1 is vulnerable:
[ice at laptop ice]$ rpm -qa | grep -i lha
lha-1.14i-12
[ice at laptop ice]$ lha x buf_oflow.lha
LHa: Error: Unknown information
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Segmentation fault
[ice at laptop ice]$
Where is the security advisory??? And the security patch???
Why doesn't Fedora have a security coordinator or even a security team??