
Vulnerability Roundup 26 #24161

Closed
grahamc opened this Issue Mar 21, 2017 · 3 comments

@grahamc
Member

grahamc commented Mar 21, 2017

Letter from Graham

Hey, it isn't Wednesday

True. We haven't done a roundup in about 15 days, and it has been
almost a month since we had a good one. I'm wanting to make 2 roundups
per week until we catch up. The tools to make this roundup just
finished, so I posted it immediately! :)

Why did LWN stop?

Our old process depended upon LWN.net's security vulnerability
database. Late last month, they
decided there weren't enough users, and stopped updating it. This was
a big blow to the process, and forced us to stop and find another way.

What about the other data LWN provides?

The data they provide is collected from individual distributions'
announcements. They used to very carefully curate and aggregate the
announcements into a single feed. That is what we were using. Their
new format, while better for their readers, isn't as useful for us.

What are we doing now?

I have taken my collection of mail from the oss-security mailing list
and have tagged them with their impacted package, and have created
tools to automatically create issues based on the threads. From here
we will triage each thread, make patches, and close issues as we go.

What's next?

This isn't a long-term plan. We need to get going again so as to not
fall too far behind. Please leave feedback about how things could be
made easier, or suggestions on how else to run things.

What do other distros do?

I spoke with the Arch security team. They have a fairly similar process,
except individuals subscribe to mailing lists and RSS feeds, and
manually open issues.

From there, issues get collected into a "Group" of similar reports,
the problems are resolved, and then the Group is turned into an
Advisory.

I'd like to come up with a similar system, but as I said in "What's
Next", we need to get started with something, now :)

Thank you

Thank you, everyone, who has participated in the roundups thus far. It
was a real blow to have LWN go away, but I think we'll carry on and
continue doing great work.

As I said above, please provide feedback on how this process feels,
or if you have ideas on making it better.

I've started #nixos-security on Freenode, if you would like to come
discuss it.

-- Graham


Here are all the vulnerabilities from the oss-security mailing list
since our last roundup.

cc: @LnL7 @7c6f434c @fpletz @globin @NeQuissimus @wizeman @FRidh @vcunat @peterhoeg @ndowens @dezgeg @nh2 @khumba.

Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.

Permanent CC's: @NixOS/security-notifications, @joepie91,
@phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg, @nh2, @LnL7

If you would like to be CC'd on all roundups (or removed from the
list), open a PR editing
https://github.com/grahamc/security/blob/master/nixvulns/src/bin/instructions.md.

Notes on the list

  1. The reports have been roughly grouped by the package name. This
    isn't perfect, but is intended to help identify if a whole group
    of reports is resolved already.
  2. On each thread is a link to an issue specific to that thread.
  3. This issue is created by https://github.com/grahamc/security, which
    will be merged back upstream shortly.

Instructions:

  1. Pick a linked GitHub issue which is still open (look below this
    text...)
  2. Fix the issue
  3. Come back to this issue, and repeat :)

Upon Completion ...

@grahamc grahamc changed the title from placeholder to Vulnerability Roundup 26 Mar 21, 2017

@grahamc grahamc added the Security label Mar 21, 2017


@7c6f434c

Member

7c6f434c commented Mar 21, 2017

shadow has the same CVE-2017-2616 as util-linux, no release yet
shadow-maint/shadow@08fd4b6

@grahamc grahamc referenced this issue Mar 25, 2017

Closed

Vulnerability Roundup 27 #24319


@fpletz fpletz removed the Security label Sep 18, 2017

@fpletz

Member

fpletz commented Sep 18, 2017

Only the audiofile issues and the gdk-pixbuf issue remain.

@fpletz

Member

fpletz commented Sep 18, 2017

The remaining issues are also covered by the following roundup #24319 so we can close this.

@fpletz fpletz closed this Sep 18, 2017
