Gentoo Archives: gentoo-security

From: Tobias Weisserth <tobias@×××××××××.de>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] We need regular pending GLSA newsletters on gentoo-announce!
Date: Fri, 26 Mar 2004 15:30:08
Message-Id: 1080314943.2424.16.camel@coruscant.weisserth.net
In Reply to: Re: [gentoo-security] courier-imap by Kurt Lieber
Hi Kurt,

On Fri, 26.03.2004, Kurt Lieber wrote at 13:24:
...
> This would only be done in the most extreme cases, of which this is not
> one.

This courier-imap issue, along with my mc issue and the pending
vulnerabilities I found on bugtraq and reported to bugs.gentoo.org, make
it necessary to issue some kind of pending GLSA. To issue a GLSA when a
patch or fix is available is not enough. If bugs or flaws are reported
to bugs.gentoo.org only AFTER they have already been reported to FD,
bugtraq and the like, then there's simply too much time between the
bugfix and the bug's disclosure, time in which people use exploitable
software possibly without knowing so. There should be some pending GLSA
once a week on a regular basis that lists all known vulnerabilities in
Gentoo packages even if they are not solved yet. It isn't acceptable
that users have to browse Bugzilla and do this themselves since
obviously Bugzilla doesn't even contain all vulnerabilities. I reported
at least three vulnerabilities I found on bugtraq alone in the last few
days. There are still two more I am looking into.

Just to remind you, this is part of the problem I have been complaining
about last week. There are LOTS of packages that have known
vulnerabilities in Portage that Gentoo users have no way of knowing
about by using Gentoo resources. We have to change this.

I will be keeping track of at least bugtraq to report new
vulnerabilities to bugs.gentoo.org, but there are more resources we have
to look out for. Unfortunately the noise on FD has become unbearable, so
browsing through bugtraq and FD is quite time consuming. I'll try to
issue unofficial pending newsletters on a weekly basis on this list and
post the bugs I find to bugs.gentoo.org. Any help with this is welcome.
If you see a bug, for example in another distribution, and you wonder if
Gentoo is affected too, don't hesitate to look up the issue in
bugs.gentoo.org, and if it's not there then make a new entry and drop a
mail to this list or my email address.

I'll try to compile such a pending GLSA for this list every Saturday and
post it to the forums as well. Any suggestions are welcome of course.

Kind regards,
Tobias W.

--
***************************************************
 ____  _____
| _ \| ____|  Tobias Weisserth
| | | | _|    tobias@weisserth.[de|com|net|org]
_| |_| | |___ http://www.weisserth.org
(_)____/|_____|

Encrypted mail is welcome.
Key and fingerprint: http://imprint.weisserth.org

***************************************************

Attachments:
signature.asc (application/pgp-signature)