August 2014 - security-team [ARCHIVED]

[Fedocal] Reminder meeting : Weekly Security Team meeting

by Eric Christensen

Dear all, You are kindly invited to the meeting: Weekly Security Team meeting on 2014-08-13 from 15:00:00 to 16:00:00 US/Eastern At fedora-meeting-1(a)irc.freenode.net The meeting will be about: Weekly meeting of the Security Team. More information available at: [https://fedoraproject.org/wiki/Security_Team_meetings](https://fedoraproj... Source: https://apps.fedoraproject.org/calendar//meeting/734/

9 years, 8 months

3
4
0 / 0

Bug 828517 recommend closing

by David Cafaro

Hi All, So apparently my FAS account is not linked to Bugzilla so I have no way to edit bugs to add myself to the Whiteboard or to change status of tickets. I took a look at Bug 828517 https://bugzilla.redhat.com/show_bug.cgi?id=828517 And from what I can see this was fixed a while ago in version 3.8.12 and it's now at 3.8.13 in the repos. I recommend closing, but will need someone else to take care of it until I get access figured out. Cheers, David

9 years, 8 months

3
8
0 / 0

software leaking version (clamav / spamass)

by Reindl Harald

both "clamav-milter" and "spamass-milter" leaking their version into mail-headers - that should IMHO be patched out to not present possible security flaws if there is a important update pending the header itself is fine to verify that a message was scanned and could be easily stripped with postfix header_checks if the admin wants to do so but the version leak is a bad idea as for any server software X-Virus-Scanned: clamav-milter 0.98.4 at testserver.rhsoft.net X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on testserver.rhsoft.net

9 years, 8 months

2
6
0 / 0

Libgcrypt 1.5.3 vulnerable to ELGAMAL Side-channel Attack

by Tristan Santore

Dear All, Werner has just pointed out that libgcrypt 1.5.3 is vulnerable to a ELGAMAL side-channel attack. https://bugzilla.redhat.com/show_bug.cgi?id=1128130 I added the bugzilla as tracker bug and to add transparency to Fedora. Regards, Tristan -- Tristan Santore BSc MBCS TS4523-RIPE Network and Infrastructure Operations InterNexusConnect Mobile +44-78-55069812 Tristan.Santore(a)internexusconnect.net Former Thawte Notary (Please note: Thawte has closed its WoT programme down, and I am therefore no longer able to accredit trust) For Fedora related issues, please email me at: TSantore(a)fedoraproject.org

9 years, 8 months

2
4
0 / 0

(no subject)

by Sususmu Ogawa

susumu,ogawa

9 years, 8 months

1
0
0 / 0

[Fedocal] Reminder meeting : Weekly Security Team meeting

by Eric Christensen

Dear all, You are kindly invited to the meeting: Weekly Security Team meeting on 2014-08-06 from 15:00:00 to 16:00:00 US/Eastern At fedora-meeting-1(a)irc.freenode.net The meeting will be about: Weekly meeting of the Security Team. More information available at: [https://fedoraproject.org/wiki/Security_Team_meetings](https://fedoraproj... Source: https://apps.fedoraproject.org/calendar//meeting/734/

9 years, 8 months

3
2
0 / 0

Regarding BZ 884831

by Niranjan

Greetings, My Name is Niranjan, I am QE Engineer with Red Hat Certificate Services team, I would like to try and see if i can be of any help to the team. I would like to work on the below bugs: https://bugzilla.redhat.com/show_bug.cgi?id=884831 https://bugzilla.redhat.com/show_bug.cgi?id=869570 Regards, Niranjan

9 years, 9 months

3
5
0 / 0

Eucalyptus vulnerabilities

by Eric Christensen

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I've been talking with Garrett (gholms) about the important vulnerability affecting eucalyptus. Turns out eucalyptus is crazy complex to package and the purpose for packaging euca has passed. He's going to orphan the packages and we'll likely be able to discontinue it in Fedora. This will affect three vulnerabilites (1 Important, 2 Mediums). - -- Eric - -------------------------------------------------- Eric "Sparks" Christensen Fedora Project sparks(a)fedoraproject.org - sparks(a)redhat.com 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1 - -------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQGcBAEBCgAGBQJT2uILAAoJEB/kgVGp2CYvJe4L/jQ+xYz3kOPRlIyUxsmloCF5 KKDmWUM1Cp8M52xOqKJdoO5CPJDEuWIwdkFcjQmvSRzr+e7My5WCHuDo3heRuKKe yRv2NBxC9Ci3EigI45yADa16BRRFewkrfD6Rp4BFEqG/XMsrO+V8+oZqi3PRdORE ZCN9BlpGKbAaD5yLGUdB+5lHfVbECyZKVOje/Mib/I1kcGFnkJMquBa3did+6hT9 YnkyBl/4Quc3uVHFSOALVmYfzJS6AbYrsvo1yERb+AuWGxkvPZato9CR+U3JExDr XoBl/zVUvrKDU3PdPwhWLmzFEvMBMpwBvSn7TcQOeYbXKIDG80sWWg+pgswaCuDy 91ci1klX+iqj/+xyHf1jXCGr8ystIDvSc3EccGyRW2jNIA3xTEiAW+VS1T2FW8v/ yD3V3zyEM03zy5UNSKBO9vtyr2e4T6PPLc+BknyeAgS1tYiyUEfwCLjfMi48BwcL a01QKMXnDu++GDYzwYhw6/uYME7pcBcRxruZI66uzA== =J+nf -----END PGP SIGNATURE-----

9 years, 9 months

3
3
0 / 0

Priorities

by Eric Christensen

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I've already started seeing some successes in closing some security bugs. I'd like to try to prioritize our efforts a bit. On the Security Team wiki page I provided links to security bugs based on their urgency (Critical -> Important -> Moderate -> Low). We should also prioritize our efforts within those categories as oldest to newest. I'm hoping that the older vulnerabilities have already been closed and the tickets just left open. If not we should definitely get them fixed. By the way, the links on the wiki look at all vulnerabilities in Fedora and EPEL (bugs tagged with Keywords: SecurityTracking). I think I'll modify the query to not show bugs that already have an fst_owner so people only see what's not taken. Thoughts? - -- Eric - -------------------------------------------------- Eric "Sparks" Christensen Fedora Project sparks(a)fedoraproject.org - sparks(a)redhat.com 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1 - -------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQGcBAEBCgAGBQJT276JAAoJEB/kgVGp2CYvE4oL/iFiJMq52iN7OF6l7SvPX4ha X4WCKIaUtQB7KV4oguBJi2/IYS+CIwFuBIh15PynrFVXOC0G6EGpAUx97Axoav+q T4vNwOsFpxzdsnhjITZsdNtD3uBXbZYAOwCS3wsPhM+FNkCEJW+885WC2ebGBYAV AP17E1xPSqY3W1mSg2Mz6wMmvZwQJQK7ml1zKse/E6pYTqvCHY6a+C9uk/M9+/Sx rR3BEBBc+aU4E1KBv+XjUYAUpWp7dP4WBqeRPSZQKiWAcvFM0NIBrdhxeaoGs2N0 sXenqROO7tSY/HP4ckkL+FeaDu19QcAGC1d9+9lNM/tpJPx7KfDFArkoT7SLKMbG R3MxS60fs+OykJboVCayqwHu9DOU17lJJGMLO4JRPhwOeLlrw3mE6KdPzJnvuLpD UWeh6z0YKrdKqsTzQfFvJn4i+B70C+v/QNcW+58yvd/W1LD1GA0HFYd5Ff8tGtXh Aas7yDWSqvjzSqQpPvSXBcL9uQ+JsnYdPK9vszzbPg== =czqJ -----END PGP SIGNATURE-----

9 years, 9 months

4
4
0 / 0

Why it's important to work with upstream

by Eric Christensen

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I contacted an upstream project last night regarding two CVEs that date back to 2009. There is limited information regarding the vulnerabilities on the web so I wasn't sure in what version the CVEs were fixed. Turns out upstream had never been notified. An hour's worth of work later and he's fixed the two vulnerabilities. - -- Eric - -------------------------------------------------- Eric "Sparks" Christensen Fedora Project sparks(a)fedoraproject.org - sparks(a)redhat.com 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1 - -------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQGcBAEBCgAGBQJT27rVAAoJEB/kgVGp2CYvXwYL/27KOuDgorGSFaNUlyMmwBFB LyXU7Y3h1EcpDig8rsmP/5Ru4Mx/AifGBg42viNEj3eRHX8kehHJ+A5j9jA46W7s 7lPdDCu0H+hUPVhnJsWVhIFt1Y8tO/aZVE+HMWmMBdzjwZ8UzQV9Uskp5XUtFgon 7sZBqPab6OuM/2BkqHMBC6atUgZx+zUlHVyEWHkZznuhIsd0Fn2pAOo1WyWfq942 UrVYERgWN21evrdgUO4vok8Zx88i/3EW+BdK0IlXwqnqrnNLuMqhC5IXZtLTajiv X3siWjk49Ab03KjgKMgrqr7+Cxp+AWus8gLdryUNdumrjJkFOUBhuXh5T8wCu2r6 UHPywSveilGlarMTHhwJ0AZ3jh7pCC+QCxj11Bbb2VjkRvafB4D/MF7Mki4Rjo9A xXjqOidwgWiOAXb+z/iixqK1J+0dK5O5NFgYLkLIA9omZPR1nJpQTR7bQHEWmsvw 4Ip5M2COv7XCSu+be34efhVNzZzhDfQKZX6DWQFTnw== =TxTj -----END PGP SIGNATURE-----

9 years, 9 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

security-team [ARCHIVED] August 2014