| 1 |
> On 10 Nov 2022, at 08:43, Jaco Kroon <jaco@××××××.za> wrote: |
| 2 |
> |
| 3 |
> Hi, |
| 4 |
> |
| 5 |
> On 2022/11/10 06:13, John Helmert III wrote: |
| 6 |
>>>> - Drop synopsis and description fields. These fields contain the same |
| 7 |
>>>> information and will be superceded by the existing impact field. |
| 8 |
>>> Well, I'm not saying "no" but it feels a bit weird reading a GLSA that |
| 9 |
>>> doesn't say a word what the problem is but specifies impact. |
| 10 |
>> You're right, but with 19 CVEs (for example), is anyone really |
| 11 |
>> interested in hearing about the problem that caused each of the 19 |
| 12 |
>> issues? In the current format we've resorted to writing descriptions |
| 13 |
>> like... |
| 14 |
> Actually yes! Also a way to check whether my specific configuration is vulnerable for this specific CVE, something like "If you're setting foo=bar in /etc/pkg.conf your system is vulnerable, if you've got foo=phew you're most likely fine". Obviously we could rely a bit more on package maintainers (myself included) to provide these. |
| 15 |
> |
| 16 |
> I don't think I've seen a single "workaround" and usually the text here just says "No known workaround", where the reality is that for something like asterisk just not using the affected module is good enough. So workaround: "Don't use chan_sip, use chan_pjsip instead" would be perfectly fine here. |
| 17 |
> |
| 18 |
|
| 19 |
I can't promise anything but if we've got fewer (IMO) useless/noisy fields, we can try put a bit more effort into these. |
| 20 |
|
| 21 |
But it's a good idea to actually explicitly ask maintainers for suggestions in security bugs! |
| 22 |
|
| 23 |
> One could thus also link GLSA issues to specific USE flags, taking asterisk again, let's say the problem is with the http web server having a buffer overflow in the http basic authenticator, then if that embedded server isn't even compiled in, how can the package be vulnerable? So here vulnerable would be something like <net-misc/asterisk-16.X.Y:16[http], <net-misc/asterisk-18.A.B[http], which then also indicates the "fixed" versions, as has been pointed out "affected" and "not affected" are inverses. |
| 24 |
> |
| 25 |
|
| 26 |
The problem with this is, there's a high cost associated with getting it wrong. A "workaround" is accepted to have some level of fuzziness (we always try to be accurate, but it's not the same as saying something is absolutely not vulnerable with USE=-foo). |
| 27 |
|
| 28 |
But I guess if a library totally isn't used then we can be sure sometimes. Not sure now! I welcome more thoughts on this. |
| 29 |
|
| 30 |
> A mechanism to QUERY which installed packages are affected by known GLSA's would also be tremendously helpful. |
| 31 |
> |
| 32 |
>> |
| 33 |
>> Multiple vulnerabilities have been discovered in $PACKAGE. Please |
| 34 |
>> review the CVE identifiers referenced below for details. |
| 35 |
>> |
| 36 |
>> ... simply because it's infeasible (and in my opinion, not really |
| 37 |
>> necessary) for us to enumerate the issues in this way. Also, I note |
| 38 |
>> that the section being called "impact" doesn't preclude us from |
| 39 |
>> incorporating text that we would currently put in the "description" or |
| 40 |
>> "synopsis" fields. |
| 41 |
> |
| 42 |
> Of course giving the full details in the GLSA is a pain in the backside, is there a way to retrieve this information automatically from the CVE database? In other words, just get the blurp from there and include it here. It won't give full details, but at least it will give some extra details not currently available. Effectively we choose to ignore certain GLSAs if we consider their impact to be low. |
| 43 |
|
| 44 |
1. I really welcome your input here, as we're trying to figure out what people actually want from GLSAs vs what is just noise for both them & us. |
| 45 |
|
| 46 |
2. I think this should be possible, but is it substantially more valuable than doing the reference links like we do now? What if there's absolutely tonnes like 20+? |
| 47 |
|
| 48 |
> |
| 49 |
> It would also help a great deal to automate that if the CVE scores and the "inputs" into that could be made available, eg, CVE score 7.0, remote=yes/no, .... (And I'm fairly certain importing this from the CVE database should be possible). |
| 50 |
> |
| 51 |
|
| 52 |
Yeah, we've talked about this before as well. |
Archives