Vulnerability Roundup 26 #24161
This was referenced Mar 21, 2017
Only the audiofile issues and the gdk-pixbuf issue remain.
The remaining issues are also covered by the following roundup #24319, so we can close this.
Letter from Graham
Hey, it isn't Wednesday
True. We haven't done a roundup in about 15 days, and it has been
almost a month since we had a good one. I'm wanting to make 2 roundups
per week until we catch up. The tools to make this roundup just
finished, so I posted it immediately! :)
Why did LWN stop?
Our old process depended upon LWN.net's security vulnerability
database. Late last month, they
decided there weren't enough users, and stopped updating it. This was
a big blow to the process, and forced us to stop and find another way.
What about the other data LWN provides?
The data they provide is collected from individual distributions'
announcements. They used to very carefully curate and aggregate the
announcements into a single feed. That is what we were using. Their
new format, while better for their readers, isn't as useful for us.
What are we doing now?
I have taken my collection of mail from the oss-security mailing list
and have tagged them with their impacted package, and have created
tools to automatically create issues based on the threads. From here
we will triage each thread, make patches, and close issues as we go.
What's next?
This isn't a long-term plan. We need to get going again so as to not
fall too far behind. Please leave feedback about how things could be
made easier, or suggestions on how else to run things.
What do other distros do?
I spoke with the Arch security team. They have a fairly similar process,
except individuals subscribe to mailing lists and RSS feeds, and
manually open issues.
From there, issues get collected into a "Group" of similar reports,
the problems are resolved, and then the Group is turned into an
Advisory.
I'd like to come up with a similar system, but as I said in "What's
Next", we need to get started with something, now :)
Thank you
Thank you, everyone, who has participated in the roundups thus far. It
was a real blow to have LWN go away, but I think we'll carry on and
continue doing great work.
As I said above, please provide feedback on how this process feels,
or if you have ideas on making it better.
I've started #nixos-security on Freenode, if you would like to come discuss it.
-- Graham
Here are all the vulnerabilities from the oss-security mailing list
since our last roundup.
cc: @LnL7 @7c6f434c @fpletz @globin @NeQuissimus @wizeman @FRidh @vcunat @peterhoeg @ndowens @dezgeg @nh2 @khumba.
Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.
Permanent CC's: @NixOS/security-notifications, @joepie91,
@phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg, @nh2, @LnL7
If you would like to be CC'd on all roundups (or removed from the
list), open a PR editing
https://github.com/grahamc/security/blob/master/nixvulns/src/bin/instructions.md.
Notes on the list
isn't perfect, but is intended to help identify if a whole group
of reports is resolved already.
will be merged back upstream shortly.
Instructions:
text...)
Upon Completion ...