Vulnerability Roundup 26 #24161

Closed
3 tasks
grahamc opened this issue Mar 21, 2017 · 3 comments
grahamc commented Mar 21, 2017

Letter from Graham

Hey, it isn't Wednesday

True. We haven't done a roundup in about 15 days, and it has been
almost a month since we had a good one. I'm wanting to make 2 roundups
per week until we catch up. The tools to make this roundup just
finished, so I posted it immediately! :)

Why did LWN stop?

Our old process depended upon LWN.net's security vulnerability
database. Late last month, they decided there weren't enough users,
and stopped updating it. This was a big blow to the process, and
forced us to stop and find another way.

What about the other data LWN provides?

The data they provide is collected from individual distributions'
announcements. They used to very carefully curate and aggregate the
announcements into a single feed. That is what we were using. Their
new format, while better for their readers, isn't as useful for us.

What are we doing now?

I have taken my collection of mail from the oss-security mailing list
and have tagged them with their impacted package, and have created
tools to automatically create issues based on the threads. From here
we will triage each thread, make patches, and close issues as we go.

What's next?

This isn't a long-term plan. We need to get going again so as to not
fall too far behind. Please leave feedback about how things could be
made easier, or suggestions on how else to run things.

What do other distros do?

I spoke with the Arch security team. They have a fairly similar process,
except individuals subscribe to mailing lists and RSS feeds, and
manually open issues.

From there, issues get collected into a "Group" of similar reports,
the problems are resolved, and then the Group is turned into an
Advisory.

I'd like to come up with a similar system, but as I said in "What's
Next", we need to get started with something, now :)

Thank you

Thank you, everyone, who has participated in the roundups thus far. It
was a real blow to have LWN go away, but I think we'll carry on and
continue doing great work.

As I said above, please provide feedback on how this process feels,
or if you have ideas on making it better.

I've started #nixos-security on Freenode, if you would like to come
discuss it.

-- Graham


Here are all the vulnerabilities from the oss-security mailing list
since our last roundup.

cc: @LnL7 @7c6f434c @fpletz @globin @NeQuissimus @wizeman @FRidh @vcunat @peterhoeg @ndowens @dezgeg @nh2 @khumba.

Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.

Permanent CC's: @NixOS/security-notifications, @joepie91,
@phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg, @nh2, @LnL7

If you would like to be CC'd on all roundups (or removed from the
list), open a PR editing
https://github.com/grahamc/security/blob/master/nixvulns/src/bin/instructions.md.

Notes on the list

  1. The reports have been roughly grouped by the package name. This
    isn't perfect, but is intended to help identify if a whole group
    of reports is resolved already.
  2. On each thread is a link to an issue specific to that thread.
  3. This issue is created by https://github.com/grahamc/security, which
    will be merged back upstream shortly.

Instructions:

  1. Pick a linked GitHub issue which is still open (look below this
    text...)
  2. Fix the issue
  3. Come back to this issue, and repeat :)

Upon Completion ...

@grahamc grahamc changed the title placeholder Vulnerability Roundup 26 Mar 21, 2017
@7c6f434c

shadow has the same CVE-2017-2616 as util-linux, no release yet
shadow-maint/shadow@08fd4b6

fpletz commented Sep 18, 2017

Only the audiofile issues and the gdk-pixbuf issue remain.

fpletz commented Sep 18, 2017

The remaining issues are also covered by the following roundup #24319 so we can close this.

@fpletz fpletz closed this as completed Sep 18, 2017