Gentoo Archives: gentoo-security

From: Kevin Bryan <bryank@××××××.edu>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] No GLSA since January?!?
Date: Fri, 26 Aug 2011 18:10:49
Message-Id: 20110826180838.GA21426@zen.cs.uri.edu
In Reply to: Re: [gentoo-security] No GLSA since January?!? by Christian Kauhaus
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 Although I like having the summary information about what the
5 vulnerability is, if I'm only reading them for packages I have
6 installed, then a reference of some kind would suffice.
7
8 I'd be fine even if it was just a new variable in the .ebuild file that
9 somehow indicated which versions it was a fix for, reusing the syntax
10 for dependency checking. A reference to the CVE or gentoo bug reference
11 would be good, too:
12
13 SECURITY_FIXES="<www-plugins/adobe-flash-10.1.102.64"
14 SECURITY_REF="CVE:2010-2169 http://..."
15 SECURITY_BUG="343089"
16 SECURITY_IMPACT="remote"
17
18 Then would be most of the work the committer needs to do is right there
19 in a file they are modifying anyway.
20
21 The portage @security set could also look for and evaluate these tags,
22 instead of parsing the GLSA's.
23
24 Note on the impact variable: make a few easy to understand tags:
25 local
26 remote
27 remote-user-assist
28 denial-of-service
29 ...
30
31 - --Kevin
32
33
34 On Fri, Aug 26, 2011 at 07:06:35PM +0200, Christian Kauhaus wrote:
35
36 > Am 26.08.2011 18:55, schrieb Alex Legler:
37 > > Compared to other distributions, our advisories have been rather detailed with
38 > > lots of manually researched information. I'm not sure if we can keep up this
39 > > very high standard with the limited manpower, but we'll try our best.
40 >
41 > I see the point. I think it would be an achievement over the current situation
42 > (which is: no current GLSAs at all) to send out less detailed GLSAs. Even
43 > something short as: "$PACKAGE has vulnerabilities, they are fixed in $VERSION,
44 > for details see $CVE" would be immensely helpful.
45 >
46 > Is the any viable way to get it at least to this point? Probably the largest
47 > part of such a task could be automated. This would lift the burden from the
48 > security maintainers.
49 >
50 > Regards
51 >
52 > Christian
53 >
54 -----BEGIN PGP SIGNATURE-----
55 Version: GnuPG v2.0.18 (GNU/Linux)
56
57 iEYEARECAAYFAk5X4SYACgkQ6ENyPMTUmzpTLwCeIrikkC82ZC/YMALUD3AUOG71
58 GQ0An02FoagrOJSU4kFQ8RUP+q/1+zQn
59 =/kf5
60 -----END PGP SIGNATURE-----

Replies

Subject Author
Re: [gentoo-security] No GLSA since January?!? Alex Legler <a3li@g.o>
Re: [gentoo-security] No GLSA since January?!? "Daniel A. Avelino" <daavelino@×××××.com>
Re: [gentoo-security] No GLSA since January?!? Christian Kauhaus <kc@××××××.com>