Hi Kurt,

On Fri, 26.03.2004 at 13:24, Kurt Lieber wrote:
...
> This would only be done in the most extreme cases, of which this is not
> one.

This courier-imap issue along with my mc issue and the pending
vulnerabilities I found on bugtraq and reported to bugs.gentoo.org make
it necessary to issue some kind of pending GLSA. To issue a GLSA when a
patch or fix is available is not enough. If bugs or flaws are already
reported to bugs.gentoo.org AFTER they have already been reported to FD,
bugtraq and the like, then there's simply too much time between the
bugfix and the bug's disclosure, time in which people use exploitable
software possibly without knowing so. There should be some pending GLSA
once a week on a regular basis that lists all known vulnerabilities in
Gentoo packages even if they are not solved yet. It isn't acceptable
that users have to browse Bugzilla and do this themselves since
obviously Bugzilla doesn't even contain all vulnerabilities. I reported
at least three vulnerabilities I found on bugtraq alone in the last few
days. There are still two more I am looking into.

Just to remind you, this is part of the problem I have been complaining
about last week. There are LOTS of packages in Portage that have known
vulnerabilities that Gentoo users have no way of knowing about by using
Gentoo resources. We have to change this.

I will be keeping track of at least bugtraq to report new
vulnerabilities to bugs.gentoo.org, but there are more resources we have
to look out for. Unfortunately the noise on FD has become unbearable, so
browsing through bugtraq and FD is quite time consuming. I'll try to
issue unofficial pending newsletters on a weekly basis on this list and
post the bugs I find to bugs.gentoo.org. Any help with this is welcome.
If you see a bug, for example in another distribution, and you wonder if
Gentoo is affected too, don't hesitate to look up the issue in
bugs.gentoo.org, and if it's not there then make a new entry and drop a
mail to this list or my email address.

I'll try to compile such a pending GLSA for this list every Saturday and
post it to the forums as well. Any suggestions are welcome of course.

kind regards,
Tobias W.

--
***************************************************
 ____  _____
| _ \| ____|   Tobias Weisserth
| | | |  _|    tobias@weisserth.[de|com|net|org]
_| |_| | |___  http://www.weisserth.org
(_)____/|_____|

Encrypted mail is welcome.
Key and fingerprint: http://imprint.weisserth.org

***************************************************