Gentoo Archives: gentoo-project

From: Steve Long <slong@××××××××××××××××××.uk>
To: gentoo-project@l.g.o
Subject: [gentoo-project] Re: gentoo security and
Date: Mon, 24 Sep 2007 13:13:59
Message-Id: fd8clm$eth$
In Reply to: [gentoo-project] gentoo security and by Arturo Garcia
Arturo Garcia wrote:
> The thing is that I haven't been able to contact him, nor anyone from > gentoo-security for over a week (I have written to security@g.o and > the M-L). We are in a deadlock situation at the moment because infra has > requested them to check the site (they have provided taviso with details > and a live setup), and unless it is checked it won't be put live. >
According to: taviso has "sporadic internet access for a while." As such you're unlikely to find him on IRC, and his response to mailing-lists and the like is probably not going to be the best. Given that he's probably starting college or University as well, I doubt that he has much time to spare.
>From the bug: > My first impression: absolutely necessary to rework the whole service. > There are INSERT statements which do not refer to column names but to the > sequence columns were created (INSERT INTO table Values(...)). The CREATE > TABLE scripts miss columns (is_masked and prevarch) and primary keys as > well as joins are (based on) VARCHARs. I'll write a sort of report and > host it somewhere on the mirror (including patch impact analysis) so maybe > the code maintainer has a point to start from. >
This is now all transparent public knowledge. As such no security team worth their salt are going to leave these holes open. Remember that all the code mentioned above has been freely available for several years. If you have the comprehensive report mentioned, please post it to the bug. A patch to implement the fixes you found, would make the _audit_ process even quicker. -- gentoo-project@g.o mailing list


Subject Author
Re: [gentoo-project] Re: gentoo security and Arturo Garcia <arturo.g.arturo@×××××.com>