Arturo Garcia wrote:
> The thing is that I haven't been able to contact him, nor anyone from
> gentoo-security for over a week (I have written to security@g.o and
> the M-L). We are in a deadlock situation at the moment because infra has
> requested them to check the site (they have provided taviso with details
> and a live setup), and unless it is checked it won't be put live.
>
According to: http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml
taviso has "sporadic internet access for a while." As such you're unlikely
to find him on IRC, and his response to mailing-lists and the like is
probably not going to be the best. Given that he's probably starting
college or University as well, I doubt that he has much time to spare.

From the bug:
> My first impression: absolutely necessary to rework the whole service.
> There are INSERT statements which do not refer to column names but to the
> sequence in which columns were created (INSERT INTO table Values(...)). The CREATE
> TABLE scripts miss columns (is_masked and prevarch) and primary keys as
> well as joins are (based on) VARCHARs. I'll write a sort of report and
> host it somewhere on the mirror (including patch impact analysis) so maybe
> the code maintainer has a point to start from.
>
This is now all transparent public knowledge. As such no security team worth
its salt is going to leave these holes open. Remember that all the code
mentioned above has been freely available for several years.

If you have the comprehensive report mentioned, please post it to the bug. A
patch to implement the fixes you found would make the _audit_ process even
quicker.

--
gentoo-project@g.o mailing list
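The positional-INSERT problem the quoted bug comment describes, as an added Python/sqlite example that is not code from the Gentoo service or from anyone in this thread: the `mirrors` table, its columns other than the `is_masked` and `prevarch` names taken from the bug, and the sample row are constructed for illustration. It shows the `INSERT INTO table VALUES(...)` form breaking as soon as the missing columns are added to the schema, the column-list form surviving the change, and a simple check an auditor can run over the service's SQL to flag the fragile statements.

```python
import re
import sqlite3

# Constructed schema (not the real service's): the "old" table the code was
# written against, and the "new" one with the is_masked and prevarch columns
# the bug comment says the CREATE TABLE scripts are missing.
OLD_SCHEMA = "CREATE TABLE mirrors (name VARCHAR(64), arch VARCHAR(16), status VARCHAR(16))"
NEW_SCHEMA = ("CREATE TABLE mirrors (name VARCHAR(64), arch VARCHAR(16), "
              "is_masked INTEGER NOT NULL DEFAULT 0, prevarch VARCHAR(16), "
              "status VARCHAR(16))")

ROW = ("mirror1", "amd64", "active")  # constructed sample row
POSITIONAL = "INSERT INTO mirrors VALUES (?, ?, ?)"                    # the pattern the bug flags
NAMED = "INSERT INTO mirrors (name, arch, status) VALUES (?, ?, ?)"   # the robust form


def status_after_insert(schema, stmt):
    """Create the table from `schema`, run `stmt` with ROW, and return the
    stored status value, or the sqlite error class name if the INSERT fails."""
    conn = sqlite3.connect(":memory:")
    conn.execute(schema)
    try:
        conn.execute(stmt, ROW)
    except sqlite3.Error as exc:
        # With the new schema the positional form supplies 3 values for 5
        # columns; sqlite rejects it instead of guessing which columns you meant.
        return type(exc).__name__
    row = conn.execute("SELECT status FROM mirrors WHERE name = ?", (ROW[0],)).fetchone()
    return row[0]


# Statements that name no columns before VALUES (case-insensitive, so it also
# catches the "Values(...)" spelling quoted in the bug). A token check, not a
# full SQL parser: good enough for grepping a code base during an audit.
_POSITIONAL_RE = re.compile(r"\s*INSERT\s+INTO\s+\w+\s*VALUES\s*\(", re.IGNORECASE)


def audit_positional_inserts(statements):
    """Return the INSERT statements that rely on column order."""
    return [s for s in statements if _POSITIONAL_RE.match(s)]
```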