Secunia pages -- publishing wrong and misleading information about security status of Fedora distros?? RE: [Fedora Project Wiki] Update of "Security" by JoshBressers (fwd)

Josh Bressers bressers at redhat.com
Sat Mar 4 12:35:53 UTC 2006


> Was noticing one of Josh Bresser's edits to wiki/Security today...  (see
> the forward below).
> 
> If Secunia's information is incorrect and misleading, misrepresenting the
> true security status of Fedora distributions, oughtn't we get in touch
> with Secunia to help coordinate updating their information to make it
> correct and informative?

I would dare to say it's not worth the effort.  The problem becomes who do
you decide to feed information to and who don't you?  There are many
organizations like secunia that try to represent security information to
the public at large.  I think the best way to describe security issues
to the Fedora community would be to write a script or two to parse these
files:

http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc4?root=fedora&view=markup
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc5?root=fedora&view=markup

These are where the security response team tracks every public issue we're
aware of that affects Core.

I'm open to suggestions and ideas from anyone who wants to parse this file.
One of the problems is how to display this information in a sensible manner
that doesn't overload a normal person.

These files do lack bugzilla IDs, as almost 100% of the issues in
FC4 should have a bugzilla entry.  There are certain things we do with
bugzilla to help capture information.  The things in FC5 don't always, as
the version upgrade as part of distribution creation fixes many issues.

Let's look at bug 182416

The first thing you will probably notice is the CVE id is in the summary.
This makes it very easy to see which issues are which when we do a bug
listing.  This also means you can view the CVE information here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0528

The severity is of course "security".  The "Status Whiteboard" is
possibly the most interesting thing we keep in a bug.  This is also a field
one would want to parse with a security reporting tool.

source=cve,reported=20060202,impact=important,public=20060128

This tells us we found out about this issue when MITRE made note of it in
their database (cve.mitre.org/cve).  It's one of the many many things we
spy on to stay ahead of the wave.

We found the issue on 2006-02-02 (reported).
We have classified the issue as "Important":
http://www.redhat.com/security/updates/classification/

And the issue was known to the public at large on 2006-01-28.

Let me know if there are any questions.

I should probably find some time to put all this into a wiki page.

-- 
    JB
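
As an added example (not Josh's code, and not anything from the fedora-security CVS tree), here is a small Python parser for the two conventions described in the message above: the CVE id carried in the bug summary, and the `source=...,reported=...,impact=...,public=...` Status Whiteboard field. The only data quoted from the message is the whiteboard line for bug 182416; its summary text and the other two records are constructed for illustration and use placeholder bug ids. The impact list assumes Red Hat's four-level scale (critical, important, moderate, low) from the classification page linked above.

```python
import re
from datetime import datetime, date

# Assumption: Red Hat's four impact ratings, worst first.
IMPACT_LEVELS = ("critical", "important", "moderate", "low")
# The CVE id the response team puts in the bug summary.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
DATE_FIELDS = ("reported", "public")  # whiteboard values written as YYYYMMDD


def parse_whiteboard(whiteboard):
    """Turn 'source=cve,reported=20060202,impact=important,public=20060128'
    into a dict. Date fields become datetime.date; impact is validated."""
    fields = {}
    for item in whiteboard.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing or doubled comma
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed whiteboard item: %r" % item)
        key, value = key.strip().lower(), value.strip()
        if key in DATE_FIELDS:
            value = datetime.strptime(value, "%Y%m%d").date()
        elif key == "impact":
            value = value.lower()
            if value not in IMPACT_LEVELS:
                raise ValueError("unknown impact rating: %r" % value)
        fields[key] = value
    return fields


def cve_ids(summary):
    """All CVE ids mentioned in a bug summary, in order of appearance."""
    return CVE_RE.findall(summary)


def lag_days(fields):
    """Days from public disclosure to the team learning of the issue.
    Positive: the public knew first. Negative: the team knew first (embargo).
    None: one of the two dates is missing from the whiteboard."""
    if "public" in fields and "reported" in fields:
        return (fields["reported"] - fields["public"]).days
    return None


def summarize(bugs):
    """bugs: iterable of (bug_id, summary, whiteboard) tuples as one might
    pull from bugzilla. Returns one flat dict per bug, worst impact first,
    ties broken by earliest public date."""
    rows = []
    for bug_id, summary, whiteboard in bugs:
        f = parse_whiteboard(whiteboard)
        rows.append({
            "bug": bug_id,
            "cves": cve_ids(summary),
            "source": f.get("source"),
            "impact": f.get("impact"),
            "public": f.get("public"),
            "reported": f.get("reported"),
            "lag_days": lag_days(f),
        })
    rows.sort(key=lambda r: (
        IMPACT_LEVELS.index(r["impact"]) if r["impact"] else len(IMPACT_LEVELS),
        r["public"] or date.max))
    return rows


def count_by_impact(rows):
    """Headline numbers for a status page: how many open issues per rating."""
    counts = dict.fromkeys(IMPACT_LEVELS, 0)
    for r in rows:
        if r["impact"]:
            counts[r["impact"]] += 1
    return counts


def report(rows):
    """Plain-text table, one line per bug."""
    lines = ["%-10s %-9s %-7s %-10s %-10s %5s  %s"
             % ("bug", "impact", "source", "public", "reported", "lag", "cves")]
    for r in rows:
        lines.append("%-10s %-9s %-7s %-10s %-10s %5s  %s" % (
            r["bug"], r["impact"] or "-", r["source"] or "-",
            r["public"] or "-", r["reported"] or "-",
            "-" if r["lag_days"] is None else r["lag_days"],
            ", ".join(r["cves"]) or "(none in summary)"))
    return "\n".join(lines)


# Constructed sample input. Only the whiteboard for 182416 is quoted from the
# message; its summary text and the two "example-*" records are made up.
SAMPLE_BUGS = [
    (182416, "CVE-2006-0528 (placeholder summary text)",
     "source=cve,reported=20060202,impact=important,public=20060128"),
    ("example-a", "made-up issue with no CVE id in the summary yet",
     "source=vendor,reported=20060110,impact=moderate,public=20060115"),
    ("example-b", "made-up issue that is not yet public",
     "source=cve,reported=20060301,impact=critical,"),
]

if __name__ == "__main__":
    rows = summarize(SAMPLE_BUGS)
    print(report(rows))
    print(count_by_impact(rows))
```

For bug 182416 the parser gives a lag of 5 days (public 2006-01-28, reported 2006-02-02), which is exactly the "how far behind the wave were we" number a status page would want to show; a negative lag marks an issue the team handled under embargo, and a missing `public=` date leaves the lag blank rather than guessing.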