Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-project
Navigation:
Lists: gentoo-project: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-project@g.o
From: Steve Long <slong@...>
Subject: Re: gentoo security and packages.gentoo.org
Date: Mon, 24 Sep 2007 14:08:49 +0100
Arturo Garcia wrote:
>   The thing is that I haven't been able to contact him, nor anyone from
> gentoo-security for over a week (I have written to security@g.o and
> the M-L).  We are in a deadlock situation at the moment because infra has
> requested them to check the site (they have provided taviso with details
> and a live setup), and unless it is checked it won't be put live.
>
According to: http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml
taviso has "sporadic internet access for a while." As such you're unlikely
to find him on IRC, and his response to mailing-lists and the like is
probably not going to be the best. Given that he's probably starting
college or University as well, I doubt that he has much time to spare.

>From the bug:
> My first impression: absolutely necessary to rework the whole service.
> There are INSERT statements which do not refer to column names but to the
> sequence columns were created (INSERT INTO table Values(...)). The CREATE
> TABLE scripts miss columns (is_masked and prevarch) and primary keys as
> well as joins are (based on) VARCHARs. I'll write a sort of report and 
> host it somewhere on the mirror (including patch impact analysis) so maybe
> the code maintainer has a point to start from.
>
This is now all transparent public knowledge. As such no security team worth
their salt are going to leave these holes open. Remember that all the code
mentioned above has been freely available for several years.

If you have the comprehensive report mentioned, please post it to the bug. A
patch to implement the fixes you found, would make the _audit_ process even
quicker.


-- 
gentoo-project@g.o mailing list


Replies:
Re: Re: gentoo security and packages.gentoo.org
-- Arturo Garcia
References:
gentoo security and packages.gentoo.org
-- Arturo Garcia
Navigation:
Lists: gentoo-project: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
gentoo security and packages.gentoo.org
Next by thread:
Re: Re: gentoo security and packages.gentoo.org
Previous by date:
gentoo security and packages.gentoo.org
Next by date:
Re: Re: gentoo security and packages.gentoo.org


Updated Jun 17, 2009

Summary: Archive of the gentoo-project mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.