Hello William,

On Sun, 28.03.2004 at 00:49, William Kenworthy wrote:
> A couple of points:
> Many (Most?) in the list have already been fixed as far as Gentoo is
> concerned

Take a look at the corresponding bugzilla entries. All of the things I
compiled into the mail are either "NEW" or "ASSIGNED". NONE of these
issues has been resolved as far as the status in bugzilla is concerned.

Besides: none of these issues has been covered by a GLSA either, so I
have to assume - in association with bugzilla status - that the issue is
still alive.

> - that is if you have followed policy and upgraded the problem
> does not exist in the installed packages.

I have added every issue that might affect any ebuild NOT marked as
"masked" in Portage. This includes older versions of ebuilds that are
still "emergable" without a note from Portage that they may be buggy. I
did so to establish the highest level of "full disclosure" possible to
Gentoo users. After all, not everybody updates software as soon as new
ebuilds are available. Why should a user update from Apache 2.0.47 to
Apache 2.0.49 if he isn't aware of security flaws in 2.0.47 and his
ebuild isn't masked in Portage?

> I think you should:
> A: add a line to say "fixed in later version - upgrade via portage" or
> similar (gotta be a better way to say this!)

I might do this. I already tried to name the affected versions where I
found corresponding information, but most of the time bugzilla entries
don't contain detailed information about versions affected and I didn't
find external references for all issues.

This mail is meant as a reminder to encourage users to check twice and
look for themselves if their version is affected. Seeing their package
in this mail might very much motivate them to do so.

> B: Highlight ones for which the vulnerability is ongoing, that is those
> that have no fix of any kind - top of list?

I have ordered them by priority in bugzilla. Order may change since this
is only a first reminder. There are more things I'll likely change.

> C: give the full package name. Firebird is a name used for both a
> database and a browser, so I had to look twice at that one.

Good :-) So you actually did something for your security :-) If you have
taken a look at the cross reference I gave for the Firebird entry then
you have certainly noticed that quite a lot of Firebird products are
affected.

Remember: This mail is not a security advisory in the sense that it
contains solutions or workarounds. It ought to warn you about
possible problems and encourage you to find out more about them until
the security team has had time to fix them.

> The problem is that if you are on the current x86 (as an example), none
> of these should apply so confusion may occur. I know it's a bit of a
> "play on words", but these are not a "compilation of known but
> unresolved vulnerabilities and security issues in Gentoo Linux."

I have to disagree. Take a look at this:

http://bugs.gentoo.org/buglist.cgi?query_format=&short_desc_type=allwordssubstr&short_desc=&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&keywords_type=allwords&keywords=&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=VERIFIED&emailassigned_to1=1&emailcc1=1&emailtype1=substring&email1=security%40gentoo.org&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&bugidtype=include&bug_id=&changedin=&chfieldfrom=&chfieldto=Now&chfieldvalue=&field0-0-0=noop&type0-0-0=noop&value0-0-0=&ctype=csv

None of these is "RESOLVED" in bugzilla. All of these are security
related. I'd VERY MUCH call these pending vulnerabilities.

> They
> have been resolved and the packages listed will not/should not be
> installed, but later fixed versions will.

Nonetheless there are many persons who don't update every package as
soon as new ones exist in Portage. Especially people running server
services will most certainly not upgrade if they are unaware of security
issues and their service is running and stable. Including any package
that is still in Portage and not masked is thus necessary. Besides, as
long as a bug exists in bugzilla and hasn't the status "RESOLVED" or
"dropped" I'll keep noting it as a pending vulnerability.

> Installed systems should have
> been upgraded by the user when the relevant GLSA appears.

None of these issues has been mentioned in a GLSA. That's why I compiled
this mail. Users need to have a clue about issues BEFORE they are fixed
too. They are expected to browse bugzilla. This is complicated and not a
very comfortable thing so I have decided to compile this mail as a
service to the community. My second priority is to watch security
channels as hard as I can and enter the collected issues into bugzilla.
Obviously, Gentoo is missing people doing this.

> If not ...

GLSAs DON'T cover most security issues - yet.

I have collected four more security related issues from full-disclosure
and bugtraq yesterday and today that will be in bugzilla tomorrow. The
situation at the moment seems to be that there are simply not enough
"scouts" who note bugs and make them appear in bugzilla. You can't
expect users to just rely on GLSAs, especially when there are unfixed
bugs in bugzilla that are up to two years old.

Thank you for your suggestions.

kind regards,
Tobias Weisserth

-- 
***************************************************
    ____  _____
   |  _ \| ____|  Tobias Weisserth
   | | | |  _|    tobias@weisserth.[de|com|net|org]
  _| |_| | |___   http://www.weisserth.org
 (_)____/|_____|

Encrypted mail is welcome.
Key and fingerprint: http://imprint.weisserth.org

***************************************************