List Archive: gentoo-project
Headers:
To: gentoo-project@g.o
From: Steve Long <slong@...>
Subject: Re: gentoo security and packages.gentoo.org
Date: Mon, 24 Sep 2007 14:08:49 +0100
Arturo Garcia wrote:
>   The thing is that I haven't been able to contact him, nor anyone from
> gentoo-security for over a week (I have written to security@g.o and
> the M-L).  We are in a deadlock situation at the moment because infra has
> requested them to check the site (they have provided taviso with details
> and a live setup), and unless it is checked it won't be put live.
>
According to: http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml
taviso has "sporadic internet access for a while." As such you're unlikely
to find him on IRC, and his response to mailing-lists and the like is
probably not going to be the best. Given that he's probably starting
college or University as well, I doubt that he has much time to spare.

From the bug:
> My first impression: absolutely necessary to rework the whole service.
> There are INSERT statements which do not refer to column names but to the
> sequence columns were created (INSERT INTO table Values(...)). The CREATE
> TABLE scripts miss columns (is_masked and prevarch) and primary keys as
> well as joins are (based on) VARCHARs. I'll write a sort of report and 
> host it somewhere on the mirror (including patch impact analysis) so maybe
> the code maintainer has a point to start from.
>
This is now all transparent public knowledge. As such, no security team worth
its salt is going to leave these holes open. Remember that all the code
mentioned above has been freely available for several years.

If you have the comprehensive report mentioned, please post it to the bug. A
patch to implement the fixes you found would make the _audit_ process even
quicker.


-- 
gentoo-project@g.o mailing list
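The quoted bug report names two schema defects: INSERT statements that rely on column order rather than column names, and tables without primary keys that join on VARCHARs. The following is an added example, not code from this thread or from packages.gentoo.org; it uses a constructed toy schema in sqlite3 (table and column names are hypothetical) to show why each form is brittle and what the fixed form looks like.

```python
"""Added example (not from the thread or the packages.gentoo.org code): a
constructed sqlite3 toy schema showing two defects the quoted bug names."""
import sqlite3

# Fragile form from the bug report: relies on the order columns were created in.
POSITIONAL_INSERT = "INSERT INTO packages VALUES (?, ?)"
# Robust form: names the columns, so a later column with a default does not break it.
EXPLICIT_INSERT = "INSERT INTO packages (name, version) VALUES (?, ?)"


def insert_after_schema_change(sql: str) -> str:
    """Create a two-column table, add a third column (like the missing
    is_masked), then run the given INSERT. Returns 'ok' or the error text."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE packages (name VARCHAR NOT NULL, version VARCHAR NOT NULL)")
    con.execute("ALTER TABLE packages ADD COLUMN is_masked INTEGER NOT NULL DEFAULT 0")
    try:
        con.execute(sql, ("app-misc/foo", "1.0"))  # constructed sample row
        return "ok"
    except sqlite3.OperationalError as exc:
        return str(exc)  # positional form: value count no longer matches columns


def keyed_schema_row_counts() -> tuple:
    """Model category/package with integer primary keys and a foreign key
    instead of a VARCHAR join. Returns (rows after a duplicate insert attempt,
    rows returned by the keyed join)."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE category (id INTEGER PRIMARY KEY, name VARCHAR NOT NULL UNIQUE);
        CREATE TABLE package (
            id INTEGER PRIMARY KEY,
            category_id INTEGER NOT NULL REFERENCES category(id),
            name VARCHAR NOT NULL,
            UNIQUE (category_id, name));
        INSERT INTO category (name) VALUES ('app-misc');
        INSERT INTO package (category_id, name) VALUES (1, 'foo');
    """)
    try:
        con.execute("INSERT INTO package (category_id, name) VALUES (1, 'foo')")
    except sqlite3.IntegrityError:
        pass  # the key constraint rejects the duplicate row instead of storing it
    (count,) = con.execute("SELECT COUNT(*) FROM package").fetchone()
    joined = con.execute(
        "SELECT c.name, p.name FROM package p JOIN category c ON c.id = p.category_id"
    ).fetchall()
    return count, len(joined)
```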


Updated Jun 17, 2009
Copyright 2001-2007 Gentoo Foundation, Inc. Questions, Comments? Email www@gentoo.org.