Bug 828517 recommend closing
by David Cafaro
Hi All,
So apparently my FAS account is not linked to Bugzilla so I have no way to edit bugs to add myself to the Whiteboard or to change status of tickets.
I took a look at Bug 828517
https://bugzilla.redhat.com/show_bug.cgi?id=828517
And from what I can see this was fixed a while ago in version 3.8.12 and it's now at 3.8.13 in the repos.
I recommend closing, but will need someone else to take care of it until I get access figured out.
Cheers,
David
9 years, 8 months
software leaking version (clamav / spamass)
by Reindl Harald
both "clamav-milter" and "spamass-milter" are leaking their
version into mail-headers - that should IMHO be patched
out to not present possible security flaws if there
is an important update pending
the header itself is fine to verify that a message was
scanned and could be easily stripped with postfix
header_checks if the admin wants to do so
but the version leak is a bad idea as for any server software
X-Virus-Scanned: clamav-milter 0.98.4 at testserver.rhsoft.net
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on testserver.rhsoft.net
9 years, 8 months
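The post above keeps the scan marker but wants the version string gone. The following is an added example, not code from the post or from the clamav/spamassassin projects: it parses a header block, reports which scanner headers disclose a version, and rewrites them the way a Postfix header_checks REPLACE rule would, so the behaviour can be checked offline. The header block, the host name mx1.example.test and the helper names are constructed for this illustration.

```python
"""Detect scanner version leaks in mail headers and redact them.

Added example, not from the mailing-list post. The sample header block
below is constructed; the product/version strings mirror the shape the
post quotes. The Postfix regexp-table rule this mirrors would look like:

    /^X-Virus-Scanned:\s+clamav-milter\s+\S+\s+(.*)$/ REPLACE X-Virus-Scanned: clamav-milter $1

(illustrative, not taken from any project documentation).
"""
import re

# Header names that the two milters add, with a pattern that captures the
# product token and the version that follows it (SpamAssassin also appends
# a build date in parentheses, which is dropped together with the version).
LEAK_PATTERNS = {
    "X-Virus-Scanned": re.compile(
        r"(?P<product>clamav-milter)\s+(?P<version>\d+(?:\.\d+)+)"),
    "X-Spam-Checker-Version": re.compile(
        r"(?P<product>SpamAssassin)\s+(?P<version>\d+(?:\.\d+)+)(?:\s+\([^)]*\))?"),
}

# Constructed sample: a folded SpamAssassin header is included on purpose.
SAMPLE_HEADERS = """\
Received: from relay.example.test (constructed)
X-Virus-Scanned: clamav-milter 0.98.4 at mx1.example.test
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
\tmx1.example.test
Subject: test
"""


def parse_headers(raw):
    """Split a raw header block into (name, value) pairs, unfolding continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header section
        if line[:1] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def find_version_leaks(raw):
    """Return (header, product, version) for every header that discloses a version."""
    leaks = []
    for name, value in parse_headers(raw):
        pat = LEAK_PATTERNS.get(name)
        if pat is None:
            continue
        m = pat.search(value)
        if m:
            leaks.append((name, m.group("product"), m.group("version")))
    return leaks


def redact_versions(raw):
    """Rewrite leaking headers so the 'scanned' marker survives but the version does not."""
    out = []
    for name, value in parse_headers(raw):
        pat = LEAK_PATTERNS.get(name)
        if pat is not None and pat.search(value):
            value = pat.sub(lambda m: m.group("product"), value)
        out.append(f"{name}: {value}")
    return "\n".join(out)


if __name__ == "__main__":
    for header, product, version in find_version_leaks(SAMPLE_HEADERS):
        print(f"{header}: {product} discloses version {version}")
    print("--- redacted ---")
    print(redact_versions(SAMPLE_HEADERS))
```

Running find_version_leaks over outbound mail (or a saved header dump) gives an inventory of what the server discloses; redact_versions shows the intended end state, which is what the header_checks rule enforces on the MTA itself.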
Libgcrypt 1.5.3 vulnerable to ELGAMAL Side-channel Attack
by Tristan Santore
Dear All,
Werner has just pointed out that libgcrypt 1.5.3 is vulnerable to an
ELGAMAL side-channel attack.
https://bugzilla.redhat.com/show_bug.cgi?id=1128130
I added the bugzilla as a tracker bug to add transparency to Fedora.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org
9 years, 8 months
Eucalyptus vulnerabilities
by Eric Christensen
I've been talking with Garrett (gholms) about the important vulnerability affecting eucalyptus. Turns out eucalyptus is crazy complex to package and the purpose for packaging euca has passed. He's going to orphan the packages and we'll likely be able to discontinue it in Fedora. This will affect three vulnerabilities (1 Important, 2 Mediums).
-- Eric
--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks(a)fedoraproject.org - sparks(a)redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
9 years, 9 months
Priorities
by Eric Christensen
I've already started seeing some successes in closing some security bugs. I'd like to try to prioritize our efforts a bit. On the Security Team wiki page I provided links to security bugs based on their urgency (Critical -> Important -> Moderate -> Low). We should also prioritize our efforts within those categories as oldest to newest. I'm hoping that the older vulnerabilities have already been closed and the tickets just left open. If not we should definitely get them fixed.
By the way, the links on the wiki look at all vulnerabilities in Fedora and EPEL (bugs tagged with Keywords: SecurityTracking). I think I'll modify the query to not show bugs that already have an fst_owner so people only see what's not taken. Thoughts?
-- Eric
--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks(a)fedoraproject.org - sparks(a)redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
9 years, 9 months
Why it's important to work with upstream
by Eric Christensen
I contacted an upstream project last night regarding two CVEs that date back to 2009. There is limited information regarding the vulnerabilities on the web so I wasn't sure in what version the CVEs were fixed. Turns out upstream had never been notified. An hour's worth of work later and he's fixed the two vulnerabilities.
-- Eric
--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks(a)fedoraproject.org - sparks(a)redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
9 years, 9 months