| 1 |
Hello William, |
| 2 |
|
| 3 |
Am So, den 28.03.2004 schrieb William Kenworthy um 00:49: |
| 4 |
> A couple of points: |
| 5 |
> Many (Most?) in the list have already been fixed as far as gentoo is |
| 6 |
> concerned |
| 7 |
|
| 8 |
Take a look at the corresponding bugzilla entries. All of the things I |
| 9 |
compiled into the mail are either "NEW" or "ASSIGNED". NONE of these |
| 10 |
issues has been resolved as far as the status in bugzilla is concerned. |
| 11 |
|
| 12 |
Besides: none of these issues has been covered by a GLSA either so I |
| 13 |
have to assume - in association with bugzilla status - that the issue is |
| 14 |
still alive. |
| 15 |
|
| 16 |
> - that is if you have followed policy and upgraded the problem |
| 17 |
> does not exist in the installed packages. |
| 18 |
|
| 19 |
I have added every issue that might affect any ebuild NOT marked as |
| 20 |
"masked" in Portage. This includes older versions of ebuilds that are |
| 21 |
still "emergable" without a note from Portage that they may be buggy. I |
| 22 |
did so to establish the highest level of "full disclosure" possible to |
| 23 |
Gentoo users. After all, not everybody updates software as soon as new |
| 24 |
ebuilds are available. Why should a user update from Apache 2.0.47 to |
| 25 |
Apache 2.0.49 if he isn't aware of security flaws in 2.0.47 and his |
| 26 |
ebuild isn't masked in Portage? |
| 27 |
|
| 28 |
> I think you should: |
| 29 |
> A: add a line to say "fixed in later version - upgrade via portage" or |
| 30 |
> similar (gotta be a better way to say this!) |
| 31 |
|
| 32 |
I might do this. I already tried to name the affected versions where I |
| 33 |
found corresponding informations but most of the time bugzilla entries |
| 34 |
don't contain detailed information about versions affected and I didn't |
| 35 |
find external references for all issues. |
| 36 |
|
| 37 |
This mail is thought as a reminder to encourage users to check twice and |
| 38 |
look for themselves if their version is affected. Seeing their package |
| 39 |
in this mail might very much motivate them to do so. |
| 40 |
|
| 41 |
> B: Highlight ones for which the vulnerability is ongoing, that is those |
| 42 |
> that have no fix of any kind - top of list? |
| 43 |
|
| 44 |
I have ordered them by priority in bugzilla. Order may change since this |
| 45 |
is only a first reminder. There are more things I'll likely change. |
| 46 |
|
| 47 |
> C: give the full package name. Firebird is a name used for both a |
| 48 |
> database and a browser, so I had to look twice at that one. |
| 49 |
|
| 50 |
Good :-) So you actually did something for your security :-) If you have |
| 51 |
taken a look at the cross reference I gave for the Firebird entry then |
| 52 |
you have certainly noticed that quite a lot Firebird products are |
| 53 |
affected. |
| 54 |
|
| 55 |
Remember: This mail is not a security advisory in the sense that it |
| 56 |
contains solutions or workarounds. It is ought to warn you about |
| 57 |
possible problems and encourage you to find out more about them until |
| 58 |
the security team has had time to fix them. |
| 59 |
|
| 60 |
> The problem is that if you are on the current x86 (as an example), none |
| 61 |
> of these should apply so confusion may occur. I know its a bit of a |
| 62 |
> "play on words", but these are not a "compilation of known but |
| 63 |
> unresolved vulnerabilities and security issues in Gentoo Linux." |
| 64 |
|
| 65 |
I have to disagree. Take a look at this: |
| 66 |
|
| 67 |
http://bugs.gentoo.org/buglist.cgi?query_format=&short_desc_type=allwordssubstr&short_desc=&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&keywords_type=allwords&keywords=&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=VERIFIED&emailassigned_to1=1&emailcc1=1&emailtype1=substring&email1=security%40gentoo.org&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&bugidtype=include&bug_id=&changedin=&chfieldfrom=&chfieldto=Now&chfieldvalue=&field0-0-0=noop&type0-0-0=noop&value0-0-0=&ctype=csv |
| 68 |
|
| 69 |
None of these is "RESOLVED" in bugzilla. All of these are security |
| 70 |
related. I'd VERY MUCH call these pending vulnerabilities. |
| 71 |
|
| 72 |
> They |
| 73 |
> have been resolved and the packages listed will not/should not be |
| 74 |
> installed, but later fixed versions will. |
| 75 |
|
| 76 |
Nonetheless there are many persons who don't update every package as |
| 77 |
soon as new ones exist in Portage. Especially people running server |
| 78 |
services will most certainly not upgrade if they are unaware of security |
| 79 |
issues and their service is running and stable. Including any package |
| 80 |
that is still in Portage and not masked is thus necessary. Besides, as |
| 81 |
long as a bug exists in bugzilla and hasn't the status "RESOLVED" or |
| 82 |
"dropped" I'll keep noting it as a pending vulnerability. |
| 83 |
|
| 84 |
> Installed systems should have |
| 85 |
> been upgraded by the user when the relevant GLSA appears. |
| 86 |
|
| 87 |
None of these issues has been mentioned in a GLSA. That's why I compiled |
| 88 |
this mail. Users need to have a clue about issues BEFORE they are fixed |
| 89 |
too. They are expected to browse bugzilla. This is complicated and not a |
| 90 |
very comfortable thing so I have decided to compile this mail as a |
| 91 |
service to the community. My second priority is to watch security |
| 92 |
channels as hard as I can and enter the collected issues into bugzilla. |
| 93 |
Obviously, Gentoo is missing people doing this. |
| 94 |
|
| 95 |
> If not ... |
| 96 |
|
| 97 |
GLSA DON'T cover most security issues - yet. |
| 98 |
|
| 99 |
I have collected four more security related issues from full-disclosure |
| 100 |
and bugtraq yesterday and today that will be in bugzilla tomorrow. The |
| 101 |
situation at the moment seems to be that there are simply not enough |
| 102 |
"scouts" who note bugs and make them appear in bugzilla. You can't |
| 103 |
expect users to just rely on GLSAs, especially when there are unfixed |
| 104 |
bugs in bugzilla that are up to two years old. |
| 105 |
|
| 106 |
Thank you for your suggestions. |
| 107 |
|
| 108 |
kind regards, |
| 109 |
Tobias Weisserth |
| 110 |
|
| 111 |
|
| 112 |
|
| 113 |
|
| 114 |
-- |
| 115 |
*************************************************** |
| 116 |
____ _____ |
| 117 |
| _ \| ____| Tobias Weisserth |
| 118 |
| | | | _| tobias@weisserth.[de|com|net|org] |
| 119 |
_| |_| | |___ http://www.weisserth.org |
| 120 |
(_)____/|_____| |
| 121 |
|
| 122 |
Encrypted mail is welcome. |
| 123 |
Key and fingerprint: http://imprint.weisserth.org |
| 124 |
|
| 125 |
*************************************************** |
Archives