Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: Kevin Bryan <bryank@...>
Subject: Re: No GLSA since January?!?
Date: Fri, 26 Aug 2011 14:08:38 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Although I like having the summary information about what the
vulnerability is, if I'm only reading them for packages I have
installed, then a reference of some kind would suffice.

I'd be fine even if it was just a new variable in the .ebuild file that
somehow indicated which versions it was a fix for, reusing the syntax
for dependency checking.  A reference to the CVE or gentoo bug reference
would be good, too:

SECURITY_FIXES="<www-plugins/adobe-flash-10.1.102.64"
SECURITY_REF="CVE:2010-2169 http://..."
SECURITY_BUG="343089"
SECURITY_IMPACT="remote"

Then would be most of the work the committer needs to do is right there
in a file they are modifying anyway.

The portage @security set could also look for and evaluate these tags,
instead of parsing the GLSA's.

Note on the impact variable: make a few easy to understand tags:
local
remote
remote-user-assist
denial-of-service
...

- --Kevin


On Fri, Aug 26, 2011 at 07:06:35PM +0200, Christian Kauhaus wrote:

> Am 26.08.2011 18:55, schrieb Alex Legler:
> > Compared to other distributions, our advisories have been rather detailed with
> > lots of manually researched information. I'm not sure if we can keep up this
> > very high standard with the limited manpower, but we'll try our best.
> 
> I see the point. I think it would be an achievement over the current situation 
> (which is: no current GLSAs at all) to send out less detailed GLSAs. Even 
> something short as: "$PACKAGE has vulnerabilities, they are fixed in $VERSION, 
> for details see $CVE" would be immensely helpful.
> 
> Is the any viable way to get it at least to this point? Probably the largest 
> part of such a task could be automated. This would lift the burden from the 
> security maintainers.
> 
> Regards
> 
> Christian
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)

iEYEARECAAYFAk5X4SYACgkQ6ENyPMTUmzpTLwCeIrikkC82ZC/YMALUD3AUOG71
GQ0An02FoagrOJSU4kFQ8RUP+q/1+zQn
=/kf5
-----END PGP SIGNATURE-----


Replies:
Re: No GLSA since January?!?
-- Christian Kauhaus
Re: No GLSA since January?!?
-- Daniel A. Avelino
Re: No GLSA since January?!?
-- Alex Legler
References:
No GLSA since January?!?
-- Christian Kauhaus
Re: No GLSA since January?!?
-- Alex Legler
Re: No GLSA since January?!?
-- Christian Kauhaus
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: No GLSA since January?!?
Next by thread:
Re: No GLSA since January?!?
Previous by date:
Re: No GLSA since January?!?
Next by date:
Re: No GLSA since January?!?


Updated Oct 31, 2011

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.