| 1 |
Arturo Garcia wrote: |
| 2 |
> The thing is that I haven't been able to contact him, nor anyone from |
| 3 |
> gentoo-security for over a week (I have written to security@g.o and |
| 4 |
> the M-L). We are in a deadlock situation at the moment because infra has |
| 5 |
> requested them to check the site (they have provided taviso with details |
| 6 |
> and a live setup), and unless it is checked it won't be put live. |
| 7 |
> |
| 8 |
According to: http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml |
| 9 |
taviso has "sporadic internet access for a while." As such you're unlikely |
| 10 |
to find him on IRC, and his response to mailing-lists and the like is |
| 11 |
probably not going to be the best. Given that he's probably starting |
| 12 |
college or University as well, I doubt that he has much time to spare. |
| 13 |
|
| 14 |
>From the bug: |
| 15 |
> My first impression: absolutely necessary to rework the whole service. |
| 16 |
> There are INSERT statements which do not refer to column names but to the |
| 17 |
> sequence columns were created (INSERT INTO table Values(...)). The CREATE |
| 18 |
> TABLE scripts miss columns (is_masked and prevarch) and primary keys as |
| 19 |
> well as joins are (based on) VARCHARs. I'll write a sort of report and |
| 20 |
> host it somewhere on the mirror (including patch impact analysis) so maybe |
| 21 |
> the code maintainer has a point to start from. |
| 22 |
> |
| 23 |
This is now all transparent public knowledge. As such no security team worth |
| 24 |
their salt are going to leave these holes open. Remember that all the code |
| 25 |
mentioned above has been freely available for several years. |
| 26 |
|
| 27 |
If you have the comprehensive report mentioned, please post it to the bug. A |
| 28 |
patch to implement the fixes you found, would make the _audit_ process even |
| 29 |
quicker. |
| 30 |
|
| 31 |
|
| 32 |
-- |
| 33 |
gentoo-project@g.o mailing list |
Archives